
One of the few things which I felt was different between the old Data Protection Act 1998 and GDPR when it was introduced was the need to be able to evidence compliance as part of the compliance process. So, to be compliant you have to be able to provide evidence of compliance.
So how to show compliance?
As we start a new academic year, I think it is therefore important to give some consideration as to how you can demonstrate compliance with UK GDPR, so I thought I would list some of the key evidence you should have.
Data Record Summaries
One of the key things about GDPR and personal data is knowing where the personal data is stored and/or processed, so one of the key methods of showing compliance is to have records of which data is where, along with appropriate classification of the data, who has access to it, its purpose and how it is processed. Now I know from personal experience this can be a very arduous job; however, it is important to understand it can be carried out at different levels of detail, from full details down to the individual data fields, which is likely to be too detailed and time-consuming, to higher-level records focussing more on record types. It is therefore important to decide what level of detail you need. It may be acceptable to have a high-level central record, with individual departments then keeping more detailed records at a more local, departmental level.
Retention periods
We also need to be able to show we have considered our retention period for different record types. Now the Department for Education provides minimum retention periods for some record types; however, for others, schools will need to make this decision for themselves. As such, the evidence of compliance is then the retention policy or process, plus the fact that the data currently stored matches it.
Policies
We can also evidence our compliance by having the appropriate policies in place, although really it is less the policies that matter, and more that the school follows and complies with its own policies. So, this can include a privacy policy, data protection policy, acceptable usage policy, data retention policy and information security policy. I think there also needs to be evidence in the form of policies or documented processes in relation to incident management and in relation to managing subject access requests or other data issues.
Are Data Protection and GDPR discussed?
This to me is the most important evidence. We can create our policies and other documents as a one-off task; however, data protection and compliance with UK GDPR is an ongoing process, as processes and systems change, as additional data is gathered, as the operating environment changes, etc. As such, one of the key pieces of evidence is that data protection is regularly discussed. This can easily be seen in minutes of meetings, briefing documents, emails, incident and near-miss logs, etc. Simply asking random staff some basic data protection questions, such as who they would report a suspected breach to, or what to look out for in phishing emails, will help you easily identify whether data protection is taken seriously and therefore how likely it is that UK GDPR is complied with.
Conclusion
The above is not meant to be exhaustive, as the reality of UK GDPR is that your approach should be appropriate for your organisation, for the data you store and process, and for the methods you use to process such data. As such, I suspect no two schools will ever be the same, although they will certainly have many similarities.
If I were to make one suggestion, it would be to ensure that you can show that data protection is part of the normal day-to-day processes. There should be evidence of its general and regular discussion; if this is the case, and it is regularly raised and discussed, it is likely you are already well on your way to compliance.