Technology Reseller - v08

An End-to-End Solution for Education Technology

Inevitably, schools and colleges will be processing personal data relating to students and staff, a large proportion of which will contain sensitive data relating to health, ethnicity and religion, which require even more care and consideration. Educational institutions will need to be able to demonstrate that they have complied with the following data protection principles, which require personal data to be:

• Processed in a lawful, fair and transparent manner, with the consent of a parent or guardian (in the case of children).
• Collected for specific and legitimate purposes, but retained for no longer than necessary.
• Relevant and limited to what is necessary.
• Accurate and kept up to date.
• Secure, and able to meet subject access requests within 30 days. Note: charges can no longer be made for such requests.

Failure to comply with GDPR can incur not only a considerable financial burden but also reputational damage, as any steps taken by the Information Commissioner’s Office (ICO) for a breach put an organisation in the public spotlight. This can also apply even if the data is collected and maintained by a third party, so it’s important that where data is outsourced, a legal contract and service level agreements are in place.

A Data Protection Officer (DPO) will also be required. Whilst this role may already exist at most educational establishments, the qualifications and experience required are much stricter. Whilst organisations may be able to group together to hire a single DPO, the person will need to be easily accessible to all parties.

Steps to GDPR compliance

The ICO is a good source of information on GDPR. Whilst technology can be an enabler in terms of security and assessments, GDPR is as much about process and procedure. As a starting point, the ICO has recommended 12 steps that should be taken.

1. Awareness: Key people and decision makers need to be aware of GDPR requirements.
2. Information Audit: Document what personal data is held, where it came from and whether it is shared.
3. Communicating Privacy Information: Information needs to be provided in concise, clear and easy-to-understand language.
4. Individuals’ rights: Subject access and retrieval in a commonly used format; inaccuracies to be corrected; the right to be forgotten; data portability.
5. Subject access requests: Timely, and provided in an understandable format.
6. Legal basis: The legal basis for processing the data should be documented.
7. Consent: Review how consent is sought, obtained and recorded. Consent must be freely given, specific, informed and unambiguous, with a positive affirmation of the individual’s agreement.
8. Children: Consent from a parent or guardian is required for processing children’s data. For the first time, the GDPR will bring in special protection for children’s personal data, particularly in the context of commercial internet services such as social networking.
9. Data Breaches: Procedures and technology should be in place to detect, report and investigate a breach. Notification is required within 72 hours where an individual is likely to suffer some form of damage through identity theft or a confidentiality breach.
10. Data Protection by Design and Data Protection Impact Assessments: It has always been good practice to adopt a privacy by design approach, and some projects will require a DPIA as a legal requirement, particularly if a new technology is implemented.
11. Data Protection Officer: Appointment of a suitably qualified DPO.
12. International: Determine the data protection supervisory authority.

In addition, educational establishments will need to ensure that they are working with an accredited company when it comes to data disposal or recycling, and include that within their e-safety policy document.

Resellers can be the trusted advisers who help educational establishments work towards compliance with the help of technology solutions, but GDPR isn’t prescriptive in terms of what technology to deploy. Naturally, Exertis has a number of security vendors that offer solutions; these are highlighted in our guide, or you can ask the Exertis security team for more information. However, there is no silver bullet: schools and educational establishments will need to have a better understanding of what data they hold, why they hold it and who has access to it.

Be sure to visit our new Public Sector site www.exertis.co.uk/public-sector
