Top 10 groups of suppliers

A guide to high-risk suppliers

As part of a school auditing process, it is important that you build a Data Processing Eco-system as described in the DfE ToolKit.

To do this, a data-mapping exercise needs to be carried out and, where Special Category data is processed, a Data Protection Impact Assessment must also be undertaken.

Here’s our Top 10 groups of suppliers that should be on your list to audit as data processors:

  1. Management Information Systems, attainment/progress/assessment, attendance and behaviour
  2. Payments, cashless systems and catering
  3. IT Services
  4. Curricular trips, curricular and non-curricular clubs
  5. SEND, health and specialist support services
  6. Access control and identity management
  7. HR, payroll, pension and personal insurance systems

Data maps are available for all major systems above within your GDPRiS account.

Systems 1-7 carry the biggest risk as they process Special Category data. It is important that you complete a DPIA. Templates and support for DPIAs are available on the GDPRiS user support site.

  • Messaging and parental engagement
  • Curriculum and online-learning, library management, careers
  • Leadership and governance, national and local government bodies

The above systems may not normally process Special Category Data and thus a DPIA is not mandatory. However, as best practice, consider carrying out a DPIA to review how you process data and to improve what you do.