Back to school

We are all guilty of shuddering a little when hearing the words ‘GDPR’, right? This is especially true when facing the beginning of the new academic year. The maze of legislation, the do’s and don’ts of data, what to do when a data breach occurs? These are common concerns for many education providers around the UK.

The bad news is, data breaches need to be taken seriously and dealt with appropriately, the good news, there is support available to help you deal with them.

Any organisation within the Education sector, dealing with the personal data of students and staff must be compliant. It is also a legal requirement for schools and colleges in the state sector to have a data protection officer (DPO).

What does ‘being compliant’ mean?

You should be able to answer the questions below confidently, but also show how you do them – where do you keep a record of all data breaches? How do you know when these should be reported to the ICO?

• How does personal data flow across your school, trust or college?

• Having does your organisation deal with data breaches?

• What happens if someone makes a subject access and other requests?

• Who has data protection expertise within the organisation?

• Have all your staff been trained?

Breaches come in many shapes, sizes, and severities. It’s critical to recognise that an integrity breach with a single inaccurate word could be as serious as a confidentiality breach.

We have put together a ‘To Do’ list when dealing with a data breach;

• When dealing with a breach, you should always start with the assumption that you’ll be notifying the ICO, in which you only have 72 hours to do so.

• Get the facts, don’t look for blame and always involve the person who discovered the breach.

• You’ll need records later, so begin making records now with every action you take.

• Get the initial investigation going and know that mitigation is underway.

• You must make a judgement about the risk to the data subjects.

• You don’t have to have evidence of harm to make a report, gather all the information for the investigation. If you can, report by calling the ICO with the paperwork ready. Remember, the report is often not the end of the process

The above outlines a simple checklist for dealing with a data breach, but as we all know, data breaches are just a small percentage of compliance.

As practicing Data Protection Officers, we can provide support and advice on data breaches as well as SAR’s, DPIA’s, processes, supplier data and more. Speak with our team today.