Preparing your organisation for the GDPR

GDPR encompasses any personal data that is stored and processed using computers, as well as any data that is stored on paper in any manual filing system, whether it is held on a standalone computer, a network server, in the cloud or in handwritten notes. In an educational setting, for example, that means any and all personal data held on students, parents, staff and governors.

As the General Data Protection Regulation enforcement date of 25th May 2018 approaches, your organisation should be promoting a strong culture of protecting data.

However, do you know where to start?

Below, we detail the 3 key steps to get ahead before 25th May.

1. Produce a data map

In the example of a school, the setting needs to identify all categories of data that are held about students and staff, the purpose for which it is held and how it is being processed. By doing this the organisation will become familiar with the personal data ecosystem within the school.

This information can then be used to run an audit. To help with this, the ICO has an audit tool that RAG rates* your current practice and gives a clear indication of where your strengths and areas for improvement are. The result can then be printed off. As you progress you can go back and conduct the audit as many times as you want to measure progress; this provides a useful framework for planning as well as good evidence of action taken.

*RAG rating:

Red: not implemented or planned

Amber: partially implemented or planned

Green: successfully implemented

2. Promote good practice

Your organisation should already be promoting a strong culture of protecting data. In preparing for the GDPR you should:

  • appoint a data protection officer
  • train staff
  • carry out an information audit
  • update and review policies and procedures
  • tell people why the data is being collected.

3. Ask questions

In addition to a clear description of the data, the following questions should be asked of those people that are responsible for collating personal data.

  • What information is being collected?
  • Who is collecting it?
  • How is it collected?
  • Why is it being collected?
  • How will it be used?
  • Who will it be shared with?
  • How long will you keep it for?
  • How will it be kept secure?
  • What process is it needed for? (e.g. admissions, recruitment)
  • How is security maintained?
  • Who has access to the information?
  • Who manages the data?
  • Who are the data subjects?
  • What is the source of the data?
  • What software is used? (if any)
  • Where does the data go inside the organisation?
  • How is the data stored?
  • Does the data leave the organisation?
  • Does the data flow across national borders, to areas not covered by the GDPR?

GDPR training course

These steps are taken from our latest GDPR training course: ‘A Practical Guide to the GDPR for Education’. The course gives real-world scenarios and sample solutions to help schools and settings prepare for 25th May 2018 and is available to buy individually online or as an addition to EduCare for Education®, our complete safeguarding and duty of care e-learning service.
