In preparing for GDPR, the ICO’s ‘twelve steps to take now’ is a great starting point. But as time marches on there comes a point where it becomes ‘twelve steps to have taken then’ as schools and other organisations get into a deeper level of preparation. The schools and suppliers I have been informally working with came up with a ‘twelve steps to really take now’ that helped us think through preparation in a sequential way. Here’s where we got to…
Step 1: Be Aware
This needs to be on SLTs radar as an important task. Governors need to know what they need to see demonstrated by May, and you should ensure staff engage with data protection as an important element of child protection, that is the angle that gets people engaged.
Step 2: Create the high level data map
A previous blog and video have explained how this is a necessary foundation for several other steps. Draw your ecosystem diagram about personal data. You probably hold data about pupils, parents and staff. Test this and iterate it in staff meetings. Encourage staff to think about information risks. Remember, this is data stored online, stored electronically locally and stored on paper.
Step 3: De-mystify the language
Understand the key terms of personal data, special category data, data audit, lawful basis and conditions for processing, data retention, privacy notice, subject access request, data protection impact assessments and data breach. You’re going to need to use them from this point forward.
Step 4: Turn your data map into a skeleton data audit
What data is held in each data asset? Think hard about personal data and those special categories. Sensitive data like SEN and Free School Meal Eligibility we probably want to treat in exactly the same way as those special categories. Where those data assets are in electronic systems, be proactive in seeking out suppliers being able to demonstrate their own commitment to GDPR readiness.
Step 5: Document the answer to this question : Why are you collecting this?
In Plain English, you want to ask yourselves: have I got to do this? Is this data key to our job? Could I cope with less data or data in a less sensitive state? In GDPR speak, you want to document the lawful basis for processing, and for special category data, the condition for processing too. Flag up any areas that don’t fall under legal responsibilities or to run the school effectively and safely. They may well be the areas where active consent needs considering.
Step 6: Document the answer to this question: How long do you need this information for?
If a child leaves the school, do you still need their personal information? Why? How long for? Over time, can some of the data be destroyed if not all of it? When you explain your thinking, are you convincing?
Step 7: Reassurance and Risks
Are all the systems being used secure? Are physical environments sensibly policed? Where are the remaining risks, what quirks have perhaps been overlooked? What is the future strategy for reducing key risks?
Step 8: Decide on your Data Protection Officer Role (DPO)
Look at what the job involves. Hear the message about the ‘degree of separation’… Think ‘auditor’ type role. Look outwards, what options do you have? Decide, and then upskill as necessary.
Step 9: Pause and reflect
You know what data you use, and why. You know how long you need to use it for and can justify it. You know it is secure. You have figured out the DPO role. You are on top of the data and risks, now it is time to focus on making this a living thing and ensuring parents and children are well informed.
Step 10: Operationalise Data Protection
Data Protection is like driving, rather than a driving test. It is not a milestone. You need to ensure people are trained to protect data, that the processes that help those people use data responsibly are up to date and socialised within school, and that the technology you use is also being used sensibly.
Step 11: Communicate with data subjects
Ensure your Privacy Notices clearly tell people why you collect and use data. Keep the language clear and signpost the detail for those who want it. Demonstrate you are on top. Use your data map, your audit, and your People, Process and Technology work to do this. In addition, you should also ensure your Subject Access Request process is clear.
Step 12: Keep it living
Use the DPO role effectively. Ensure staff are trained, and have time to talk about policies and risk ‘little and often’. Training should be a continuous process. Be clear when policies will be reviewed and refreshed. Be clear on risks and have visible scrutiny of what you are doing to manage them. Use your website well to tell your story.