A guide to high risk suppliers
As part of a school auditing process, it is important that you build a Data Processing Eco-system as described in the DfE ToolKit.
To do this, a data-mapping exercise needs to be carried out and, where Special Category data is processed, a Data Protection Impact Assessment must also be undertaken.
Here are our top 10 groups of suppliers that should be on your list to audit as data processors:
1. Management Information Systems, attainment/progress/assessment, attendance and behaviour
2. Payments, cashless systems and catering
3. IT Services
4. Curricular trips, curricular and non-curricular clubs
5. SEND, health and specialist support services
6. Access control and identity management
7. HR, payroll, pension and personal insurance systems
Data maps are available for all major systems above within your GDPRiS account.
Systems 1-7 carry the biggest risk as they process Special Category data. It is important that you complete a DPIA. Templates and support for DPIAs are available on the GDPRiS user support site.
8. Messaging and parental engagement
9. Curriculum and online-learning, library management, careers
10. Leadership and governance, national and local government bodies
Systems 8-10 may not normally process Special Category data, and thus a DPIA is not mandatory. However, as best practice, consider carrying out a DPIA to review how you process data and to improve what you do.