Useful Information
      Back to home
      1. GDPRiS Knowledge Base
      2. Useful Information

      GDPRiS - Welcome guide

      Resources to prepare for GDPR

      Start your preparations for GDPR

      Every member of staff in school is responsible for protecting the data you hold. If you haven’t already done so you should start planning now, ensure you understand GDPR and your responsibilities.

      There seems to be a lot of panic related to the introduction of GDPR however, compared to many private organisations, schools are much better placed to address the new regulations. Whilst there are many extra demands required to map and audit personal data stored and shared, schools with existing rigid data protection policies should see GDPR as an opportunity to improve the way they work.

      There is a wealth of information on the ICO Website 

      What exactly is the role of your school under GDPR?

      You are the ‘data controller’ and therefore responsible and accountable for the data you hold. Anyone else you are connected with, such as 3rd party suppliers, who also process personal data are called the ‘data processor’. Under GDPR data controllers and data processors will have equal liability should there be a data breach.

      How will GDPRiS help you achieve compliance?

      GDPRiS is a simple and intuitive tool; it reflects existing processes and the way schools work, whilst pro-actively prompting you to meet and exceed the new General Data Protection Regulations.

      Managing suppliers

      Our Suppliers area forms an integral part of demonstrating your compliance under GDPR.

      It offers a comprehensive list of suppliers and their products, with instant mapping. As part of our product mapping process, GDPRiS stores information about the standard data processed by each supplier. Additionally, GDPRiS goes a step further, capturing the legal basis for your processing and retention of information, and considering how the rights of the data subject are met.

      Which Suppliers should be added to the GDPRiS tool?

      Confusion may arise as to which of the hundreds of suppliers used by a school should become part of a data audit and thus be added to GDPRiS. To clarify, not every supplier does not need to be added into GDPRiS, only the ones where the school is the principal or shared data controller.

      Here are some examples:

      A book supplier asks the person ordering the books for their name, phone number and email address. The book supplier is the data controller and is responsible to keep your data safe and you have all the rights to ensure it is safe and correctly managed however, this supplier would not be part of your audit therefore this supplier would not be added to GDPRiS.

      A book supplier has an area online where a teacher can test their students on the content of their books. The teacher uploads student names and student’s login in to do the tests. This is an example where the supplier is processing data for the data controller (the school) therefore this supplier would be added to GDPRiS.

      Documents and training

      Under GDPR it is a requirement to demonstrate that all staff have undertaken Data Protection training. This area will make up part of the evidence that you are complying with GDPR.

      The Documents and Training area is great for sharing internal policy and process documents, training materials and to access GDPRiS training materials and videos.

      Data breaches

      Under GDPR certain types of data breach must be reported to the relevant supervisory authority (In the UK the Information Commissioners Office – ICO) within 72 hours, and in some cases to the individuals affected.

      A tight timescale considering you need to find out about the breach, establish if it is a reportable breach then report it to the ICO.

      The true meaning of a breach under GDPR is a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just the loss of personal data it is about whether the breach is likely to result in a risk to the rights and freedoms of individuals.

      Whilst we hope you will never need to use this area, GDPRiS is designed to streamline the process of breach reporting and enable you to track and manage breaches ensuring you are able to respond within these tight new timescales. The breach reporting process in GDPRiS follows the guidance provided by the ICO.

      All staff should be pro-active in reporting anything they believe may be a breach of GDPR from within their individual user account. The Data Protection Manager for the school and/or the DPO can then assess if it is a reportable breach or not and take the necessary actions to ensure your school complies with GDPR.

      Internal Audits

      Under GDPR the new Accountability Principle requires you to demonstrate that you comply with the principles and states explicitly that this is your responsibility.

      Within GDPRiS, data maps have been provided by suppliers or from other reliable sources. These include information on: the purpose of the collection and processing of data; the legal grounds for processing; where and how long it is stored, and how the data rights for data subjects may apply. These data maps are part of suppliers demonstrating compliance, alongside any other documents with Data Sharing Agreements or similar. By having full access to these data maps, it provides schools and their DPOs with the opportunity to review and either accept or update as part of their due diligence.

      A data audit is a step-by-step method of looking at all aspects of how you collect, handle and use data within your school. As data controller, a school must be 100% satisfied that everything a data processor says it is doing is true, can be seen in evidence and is checkable. An audit should highlight issues that arise at any step of the processing. Moreover, an audit will produce comprehensive records and reports to demonstrate that the controller has done everything in its power to check that its personal data is processed safely, legally and ensures that the full rights of the data subject are met.

      The Internal Audit is the final step to compliance. Once completed the information will need ongoing input to keep it up-to-date so it is important to perform regular Internal Audits to ensure compliance.

      Getting started with GDPRiS

      You will have received a username and password to allow you to activate your ‘live’ GDPRiS site, it is important to note that any data you enter in your site will remain there forever therefore only clean data should be entered.

      GDPRiS - Welcome guide