Suppliers, RoPA and DPIAs

How to Subscribe to Suppliers and Systems

Suppliers & Systems

Our Suppliers area offers a comprehensive list of suppliers and their products, with instant mapping. As part of our product mapping process, GDPRiS stores information on the standard data processed by each supplier, and goes a step further by capturing the legal basis for processing, retention information and how the rights of the data subject are met.

Our Suppliers area forms an integral part of demonstrating your compliance under GDPR.

Which suppliers should be added to your GDPRiS portal?

Confusion may arise as to which of the hundreds of suppliers used by a school should form part of a data audit and so be added to GDPRiS.

Not every supplier/system needs to be added to GDPRiS: only those where the school is the data controller (sole or joint) and the supplier processes personal data on the school's behalf.

Here are some examples:

A book supplier asks the person ordering the books for their name, phone number and email address. Here the book supplier is the data controller: it is responsible for keeping that data safe, and you have all the usual rights to ensure it is kept safe and managed correctly. Because the school is not the controller for this processing, the supplier would not be part of your audit.

THIS SUPPLIER WOULD NOT BE ADDED TO GDPRiS

A book supplier has an online area where a teacher can test their students on the content of its books. The teacher uploads student names, and students log in to take the tests. Here the supplier is processing personal data on behalf of the data controller (the school), so it acts as a data processor for the school.

THIS SUPPLIER WOULD BE ADDED TO GDPRiS

Overview

This document provides a process overview of RoPA, formerly known as Suppliers and Local Products.

RoPA

RoPA (Records of Processing Activities) replaces the previous Suppliers/Systems/Local Products and My Products sections. It was introduced to provide a more comprehensive, user-friendly feature which schools and DPOs can use to manage their supplier subscriptions.

Your List of Subscriptions

Your list of supplier subscriptions can be found in the Suppliers, RoPA and DPIAs section, which is accessed via the navigation menu. The first page within Suppliers, RoPA and DPIAs contains the list of your existing national supplier subscriptions and any systems you have created yourself. If you do not yet have any suppliers listed, you can add them via the “+ Add System” button, where you will be able to search for, review, run a DPIA on, or subscribe to suppliers/systems.

As you can see from the screenshot below, RoPA lists your supplier subscriptions along with their relevant systems.

Overview, Edit, Remove and DPIA functions are available on the right-hand side of each system.

Overview – The RoPA Card

The overview is a summary of the system you are currently subscribed to, giving you a quick look at the system and its key information.


Edit Existing Subscription

You can edit existing subscriptions via the edit (pencil) icon found on the right-hand side of the page. This takes you to a page where you can go into each section of the system and change the provided defaults to your tailored requirements. Each section has a “Show Help” button that shows useful guidance.

Subscription Visibility

When logged in as a DP Staff member on a Trust/Group site you can use this section to distribute a subscription to all or some of your member organisations.



Subscribe Self - This option will subscribe only the current organisation to this system without subscribing member organisations

Subscribe Self and Member Organisations - This option will subscribe the current organisation and member organisations to this system.

Subscribe Member Organisations Only - This option will subscribe member organisations to this system, excluding the current organisation.

By default, all member organisations will be subscribed if one of these options is selected; specific organisations can instead be chosen by clicking "Select Specific Member Organisations".

Note: If one of the linked schools within your trust is already subscribed to the system you are trying to pass down via inheritance (using Subscribe Self and Member Organisations, Subscribe Member Organisations Only or Select Specific Member Organisations in the Subscription Visibility section), it will appear as though the subscription has been added, but the inheritance will not pass down, because the linked school already has its own subscription record for that system.

If you want a linked school to use the inherited subscription, where the trust controls and manages it, you will first need to remove the existing subscription from the linked school (or ask a user at the school to remove it from their RoPA), and then add the school via the Subscription Visibility option.

Generate Screening Questions and DPIAs (Compact or Full) 

DPIAs (Data Protection Impact Assessments) can be run from either your current list of suppliers/systems or via the Add System pages. Our DPIA feature provides 27 options for running an assessment, ranging from Screening Questions to Safeguarding.

Click “DPIA” in either of these sections, select the type of impact assessment you would like to run, and then click “Generate”. A popup window will confirm that you will receive an email telling you where the generated impact assessment has been saved.

How to Choose and Complete the Right Data Protection Impact Assessment (DPIA)

When handling personal data, it’s important to determine whether you need to complete a Data Protection Impact Assessment (DPIA) and, if so, which type is appropriate for your situation. This guide will walk you through the three main types of DPIAs and help you choose the right one for your needs.

1. Screening Questions DPIA

Purpose:
Use this type when you're uncertain whether a full DPIA is required.

How to Use:

  • Complete the form by answering the screening questions provided.
  • The questions will help you assess whether your data processing activity poses any risks that would necessitate a full DPIA.
  • By the end of the form, it will be clear if you need to proceed with a more detailed DPIA.

When to Choose This Type:

  • If you’re unsure about the potential impact of your data processing.
  • When you need guidance to decide if further assessment is necessary.

2. Compact DPIA

Purpose:
This is ideal when you believe a full DPIA isn't necessary, but you want to document that you've considered the need for one.

How to Use:

  • Fill out the compact DPIA form, which is a brief and straightforward assessment.
  • This form allows you to quickly evaluate and record the consideration of privacy impacts without the need for a full DPIA.

When to Choose This Type:

  • When the data processing is minimal and doesn’t involve sensitive information.
  • If you want to demonstrate that you’ve thought about data protection impacts, even if a full assessment isn't required.

3. Full DPIA

Purpose:
This type is used when you know a DPIA is necessary, particularly for large-scale data processing or handling special category data.

How to Use:

  • The full DPIA is detailed and spans 30 pages, but don’t be intimidated. The length is due to the inclusion of comprehensive guidance.
  • Follow the step-by-step instructions provided, which include examples, suggested responses, and common risks with mitigations.
  • This thorough approach ensures you cover all aspects of data protection and risk management.

When to Choose This Type:

  • For projects involving significant amounts of personal data.
  • When processing special category data, such as health information or other sensitive data.
  • In cases where the data processing could significantly impact individuals’ privacy.

Subscribe to New Suppliers/Systems

Subscribe to New National Supplier(s)/System(s)

To add new suppliers or systems, click “+ Add System” in the top right-hand corner of the screen. You will be taken to a page where you can search for the supplier or system of your choosing via the provided search box. The search results update as you type the name of the supplier or system.

Once you have found the supplier or system, you can click on the system name to review it, so that you can make an informed decision as to whether you are happy to subscribe to it. On the search page you are also given the option to run a DPIA (Data Protection Impact Assessment) to help you identify and minimise the data protection risks to your school.

When you click on a systems name to review it, you will be taken to a screen where you can review the following sections of the system before subscribing to it:

  • Purpose
  • Data Subjects
  • Lawfulness
  • Data Fields – takes you to another page to review each field
  • Documents
  • Subscription Visibility
  • Access
  • Approval

It is important that you review the system carefully by going into each section before subscribing to it. At this point you can also add relevant information, which is saved when you click “Subscribe”.

Supplier Provided Information

If a system has the SPI (Supplier Provided Information) icon next to it on the Add System page, the supplier has provided the default settings for that system.

You will also see this icon on the customisation page for a supplier/system if the supplier has provided its default settings.

When you subscribe to a supplier and add them to your RoPA, you will most likely have customised the data mapping to make it specific to your organisation. As a result, the SPI (Supplier Provided Information) icon will not display on your RoPA screen.

Create New Local or National Supplier(s)/System(s)

RoPA incorporates Local Systems into the same area as the national suppliers so that all suppliers are together in one place.

To create a new local or national supplier/system, click “Suppliers, RoPA and DPIAs” on the left-hand navigation menu.

Click on “+ Add System” – this will take you to the page where you can search for and add national suppliers/systems.

Click “+ Create System”, which presents the sections for your new local or national supplier/system.

Click “+” to expand each section and add the relevant information for your new system. “Show Help” displays guidance for each section to help you decide what information needs to be added.

Once you’ve gone through each section for creating your new local supplier/system, you can click “Create” and you will then see your supplier with your other subscribed suppliers/systems.

Special Category

Within RoPA, certain fields are Special Category fields. These are identifiable by the warning symbols next to them.

Special categories of personal data include sensitive personal data, such as biometric and genetic information that can be processed to identify a person.

Personal data relating to criminal offences and convictions is not a special category, but it has its own separate processing safeguards: see Article 10 of the GDPR.

Some of the personal data that organisations process is more sensitive and needs higher protection. Under the GDPR (Article 9) these are known as ‘special categories of personal data’ and include information about a person’s:

  • Race
  • Ethnicity
  • Political views
  • Religion, spiritual or philosophical beliefs
  • Trade union membership
  • Biometric data for ID purposes
  • Health data
  • Sex life data
  • Sexual orientation
  • Genetic data

Edit Subscription

From either the RoPA or Add System page, you will be able to make changes to the system defaults or the settings you changed when you subscribed to the system.

The system’s default settings are available for you to view via “+ Display Defaults” in each section. If you have made changes to a system and need to restore its defaults, you can do this by clicking “Restore Defaults”.

User Guides: Suppliers, RoPA and DPIAs

  • Information Suppliers Should Provide to Schools
  • RoPA - A Quick Guide
  • Short Video - New RoPA Feature
  • Is your supplier a Data Processor?