GDPR Schools Checklist and Toolkit
In part 1 of this blog series, we spoke about the challenges and opportunities for schools under GDPR. In this part, we look at how to actively work with the GDPR opportunity.
You need to develop a culture where GDPR is top of mind and your processes and documentation comply with the regulation.
But where to start?
This checklist is an overview of the initial project and the following day-to-day work, so you can take those first steps.
You’ll be up and running before you know it!
1. Educate yourselves and your staff
Every member of your staff that comes into contact with personal data should know about GDPR. The language of the regulation is likely new to some. It’s important to go through the definitions of roles and responsibilities.
Everyone should know what personal data is and how to handle it. Make sure to engage many different people at the school, so that your GDPR work covers every area in which personal data is actually handled. Members of the senior leadership team can be a great help with this, and it’s important to listen to their needs and input.
2. Start with your data mapping
Start by building an overview of where you store and use personal data, both digitally and in any paper-based storage. Map out where your data comes from and what type of personal information it is.
3. Create a data asset register
With your data mapping, you can create a more detailed register that looks at every individual data asset. Give each data asset a reference number. On every row in your digital tool or spreadsheet you specify data source, data contents and data retention for that particular reference number.
What you learn from this is, for instance, that you might be storing unnecessary data, or that you share data with employees who do not need to be able to view it. This is a crucial step in your GDPR work.
4. Document your data processing
You need a good reason to collect and hold personal information, and to understand how the data is categorized. The Special Category Personal Data holds information on racial or ethnic origin, religious or philosophical beliefs, political opinions, health, trade union membership and criminal offenses. All other data is categorized as personal data.
Look at your information and determine if you’re required by law to process the data. If not, you might ask yourself if you need to process the data to effectively run your school. Remember that consent has to be voluntary, and can be revoked by the individual any time.
You also need to create a policy for how long you need to store a specific data asset. Look at why you hold the data, if you are legally obliged to keep it, or if you can delete parts of it after a while. If you cannot justify why you hold the data, you should look into erasing it.
5. Look at potential risks and how to eliminate/reduce them
With the help of your data asset register, you can identify risks and assess what might need to be eliminated. Can you for instance see whether you have shared a piece of personal data with a third party or a member of staff?
Look at how your GDPR activities adhere to your policies. Are your guidelines and activities sufficiently tailored to your specific needs, or do you need to revise them?
A personal data breach means “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data” (Article 4).
Make sure your staff knows what constitutes a data breach. If they suspect a data breach, they must immediately inform the DPO, who in turn might need to notify the authorities and the affected individuals.
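One way to put steps 3 to 5 into practice, as an added example that is not part of the original post and not a DPOrganizer feature: a small Python register in which every row carries the reference number, data source, contents, declared category, purpose, legal basis, collection date, retention period and who the data is shared with (the field names and the keyword list for special category data are assumptions made for this illustration), plus a review function that asks the checklist's questions of each row: is there a documented purpose and legal basis, does the asset rely on consent, does the declared category match the contents, has the retention period expired, and who has access. The sample rows are constructed and describe no real school.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Keywords that suggest the contents fall under the special categories the
# checklist lists (health, racial or ethnic origin, religious or philosophical
# beliefs, political opinions, trade union membership, criminal offences).
# This keyword list is an assumption for the example, not an official list.
SPECIAL_TERMS = ("health", "medical", "allerg", "ethnic", "racial", "religio",
                 "philosoph", "political", "trade union", "criminal")


@dataclass
class DataAsset:
    """One row of the data asset register (field names are assumed for the example)."""
    ref: str                          # reference number for the asset
    source: str                       # where the data comes from
    contents: str                     # what personal information it is
    category: str                     # "personal" or "special", as declared in the register
    purpose: str                      # why the school holds it; "" if nobody has documented it
    legal_basis: str                  # e.g. "legal obligation", "consent"; "" if none recorded
    collected: date                   # date the asset was created
    retention_days: Optional[int]     # None means no retention period has been set
    shared_with: List[str] = field(default_factory=list)  # staff roles or third parties with access


def looks_special(contents: str) -> bool:
    """Return True if the description of the contents matches a special-category keyword."""
    text = contents.lower()
    return any(term in text for term in SPECIAL_TERMS)


def review_register(register: List[DataAsset], today: date) -> Dict[str, List[str]]:
    """Apply the checklist's questions to every asset; return findings keyed by reference number."""
    findings: Dict[str, List[str]] = {}
    for asset in register:
        notes = []
        if not asset.purpose or not asset.legal_basis:
            notes.append("no documented purpose or legal basis: justify the data or erase it")
        if asset.legal_basis == "consent":
            notes.append("relies on consent: it must be voluntary and can be withdrawn at any time")
        if asset.category != "special" and looks_special(asset.contents):
            notes.append("contents look like special category data but the register says 'personal'")
        if asset.retention_days is None:
            notes.append("no retention period defined")
        elif today > asset.collected + timedelta(days=asset.retention_days):
            notes.append("retention period has expired: review for erasure")
        if asset.shared_with:
            notes.append("shared with: " + ", ".join(asset.shared_with) + " (confirm each still needs access)")
        if notes:
            findings[asset.ref] = notes
    return findings


# Constructed sample register; none of these rows describe a real school.
SAMPLE_REGISTER = [
    DataAsset("A-001", "admissions form", "pupil name, address, date of birth", "personal",
              "pupil record", "legal obligation", date(2015, 9, 1), 2555, ["class teachers"]),
    DataAsset("A-002", "medical form", "pupil allergies and medication", "personal",
              "safeguarding", "consent", date(2018, 1, 10), 365, ["catering contractor"]),
    DataAsset("A-003", "old school trip spreadsheet", "parent phone numbers", "personal",
              "", "", date(2016, 5, 1), None),
    DataAsset("A-004", "payroll archive", "former employee bank details", "personal",
              "payroll", "legal obligation", date(2011, 4, 1), 2190),
]

# Fixed review date so the sample output is reproducible.
REVIEW_DATE = date(2018, 6, 1)

if __name__ == "__main__":
    for ref, notes in review_register(SAMPLE_REGISTER, REVIEW_DATE).items():
        for note in notes:
            print(f"{ref}: {note}")
```

Run as a script, the review lists A-001 for its sharing, A-002 for consent, a category mismatch and sharing, A-003 for a missing purpose and retention period, and A-004 for an expired retention period. The same loop can be pointed at a spreadsheet export once the columns are mapped onto the register fields.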
6. Appoint a Data Protection Officer
As a data controller, your school probably needs to appoint a Data Protection Officer to comply with GDPR. A DPO is the point of contact for communications with the authorities and is responsible for ensuring GDPR compliance. They can also help educate and train your staff and conduct internal audits.
The DPO can be a member of staff or you can have an external DPO. If you wish, you can cooperate with other schools and share a DPO, but they need to understand your processes to make correct assessments regarding your compliance. They should also be involved from the very start with your GDPR work.
7. Communicate with your data subjects
Be clear about who your data subjects are: students (including ex-students), staff (including former members of staff) and parents or carers. Know what rights they have, and what your plan of action is if a data subject wants to know what data you hold or wants to have their information removed entirely.
Make sure to show your compliance in a clear and comprehensible manner. Inform data subjects what information is being collected about them, for what purpose, who they can contact to discuss their data management and so on.
8. Move from strategy to day-to-day activities
When you have fulfilled the steps up to here, go through your policies to see whether you have all the tools you need to protect your data and manage your data processes. For instance, do you have a policy for how to manage a data breach?
You should also check that your staff and different privacy roles have all the tools they need. Perhaps you have done your initial GDPR work in spreadsheets but might need a separate tool built for managing compliance. Your DPO can help ensure that you have the relevant tools and codes of conduct that apply to your particular needs and processes.