Sentry helps manage GDPR compliance every day

Sentry is the hub of GDPR Compliance

We designed Sentry based on two key principles.

First of all, we wanted to make the management of compliance as easy as possible.

Secondly, we have built the system to produce the exact format that the Data Protection Authority (DPA) requires, specifically in relation to breaches, DPIAs and data mapping.

Sentry can help you with compliance so when you’re ready we can arrange a free trial or a demonstration.

Managing a Trust or Group of Schools?

Dealing with GDPR for one school offers challenges, so when you have a group you need the right tools.

There are two key requirements: first, you need instant access to information for all the schools in your remit, and secondly, you need simple ways to collaborate with the people supporting data protection in each school.

COMPLIANCE

A road-map for compliance

A comprehensive review

The DPA have put together a number of lists of self-assessments for organisations to work out if they are fully compliant with GDPR. We’ve brought them all into one place and created a dashboard for you to check your own progress too.

The requirements are pretty straightforward. For example, “Your organisation has a documented process for dealing with requests for personal data that all your staff are aware of and you have effectively implemented”. There are several steps in here: a documented process, staff awareness and effective implementation.

Taking informed action

After the modules there is a short test to take

You can make training available; however, you may need to prove that people have completed it and understood it. In order to provide this proof, there is a multiple-choice test based on the material from the modules. Sentry allows an administrator to see a complete list of people who have taken the test, so appropriate reminders can be given to ensure that every member of staff has been trained.

BREACH

Managing breaches with Sentry

Breaches can be hectic, so you need a structure and process

First of all, when you discover a breach – don’t panic! You’ll have a breach procedure, so you’ll know that the first step is gathering information. You can then decide if a report has to be made to the DPA.

You’ll be guided through the questions that need to be answered by the Sentry system. If you do have to report a breach to the DPA (and more than 350 reports were made in 2017/18 by education organisations) it needs to be straightforward.

For this reason, when you’re ready, one click takes the information you enter and produces the DPA Breach Report document.

Data protection expertise required

You must involve your data protection officer (DPO)

You have to make decisions when dealing with a breach that can have significant consequences. All schools are required to have a DPO, because a DPO is an expert in data protection law and practice.

Breach management is, above all, about assessing and mitigating risk. Your DPO is the person who must give you this advice.

For Sentry customers we offer access to expert breach support. You can take out a support agreement, or alternatively you can get advice at the time you need the help. If you want to find out more, get in touch.

SAR

Managing SARs with Sentry

More of a marathon than a sprint

If you receive a subject access request (SAR), you have a calendar month to respond, compared to the 72-hour report requirement for breaches. The longer deadline contrasts with the amount of information that a SAR may involve. While a breach report may be a dozen pages, for some SARs the response may run into the hundreds.

If you use Sentry, you’re guided through the process just like recording a breach. In particular, Sentry’s notes and attachment facility comes into its own for SARs. Any documents you create, including the response, can be uploaded. You must keep a copy of the information you provide to the data subject because they may want to raise questions.

You can enter notes on any tab, while if you want a full chronology, you can get this from the History tab.

Data protection expertise required

You must involve your data protection officer (DPO)

When you respond to a SAR, you don’t want to create new problems, so you must review the requests in detail. Disclosure of some data may be exempt, while the risk of harming the data subject means that data is withheld.

The DPO is your source of expertise once again. If anything, the decisions about SARs are more complex than those relating to breaches. You’ll need to consider carefully who can redact the results.

For Sentry customers we offer access to expert SAR support. You can take out a support agreement, or alternatively you can get advice at the time you need the help. If you want to find out more, get in touch.

PROCESS

Data mapping with Sentry

Taking the hassle out of data mapping

You need to map your data for two reasons. Firstly, you must legally produce a ‘Record of processing activities’ if the DPA requires it. Secondly, you must be able to find data when you’re dealing with a SAR or a breach.

Sentry has already done much of the hard work for you. We have pre-populated more than 100 purposes of processing with details such as data subjects, the likely categories of personal data and above all the lawful basis of processing and retention period.

Your job is straightforward. First check the details provided and update them, if necessary, then add the locations and security measures.

One click produces the exact format of the DPA’s Data Mapping spreadsheet.

If you need extra processes, no problem

You can easily create custom purposes of processing

While Sentry has a large number of template processes built in, you’ll probably have some that are specific for your organisation. Creating custom categories of personal data, data subjects or any of the other elements to map a process is simple. Your customised choices will appear in the drop-down menus straight away.

If you want help, we’re there for you

If you’re starting from scratch with data mapping it can seem intimidating; however, having Sentry makes the task easier. Should you want further assistance, we can help. Firstly, we can offer a one-day training session which uses your real data to teach you the process of mapping. At the other end of the spectrum, we can do your mapping for you and deliver it through the Sentry system.

SUPPLIER

Recording your suppliers’ compliance

Suppliers must demonstrate they are processing personal data appropriately

A data controller may use third-party data processors; however, it must demonstrate that these third parties are GDPR compliant.

You must keep records of supplier contracts, or their terms and conditions, showing a statement of compliance. For suppliers outside of the EU (and a select group of other territories) demonstrating compliance is more complicated. Of particular note is that the United States is not on the list of countries where compliance is guaranteed.

For schools, the situation is confusing

Suppliers are at different stages of readiness

Some suppliers have sent out formal contract amendments, while others have had little or no communications with their customers.

Judging whether the measures the supplier is offering are acceptable is another matter altogether. For small suppliers the concept of a formal contract may be entirely new.

Sentry already has a bank of popular suppliers in its standard template. Adding a new supplier is simple and quick to do and because you can attach files, the compliance statements are in Sentry if you need them.

DPIA

Understanding how new initiatives affect your data protection

Your planning process has a new requirement

A significant change in your systems or processes could have a massive impact on the risks to the personal data you hold.

These impacts can come about in a number of ways. Firstly, you may be radically changing the amount or types of data you collect. Secondly, different systems have different intrinsic risk profiles. Finally, the transition of data from the old system to the new one creates an additional set of specific risks.

A data protection impact assessment (DPIA) weighs the risks and benefits of an initiative from a data protection perspective. The DPIA must form part of the decision-making process about whether the initiative goes ahead and may involve seeking approval from the DPA.

Data protection expertise required

You must involve your data protection officer (DPO)

A DPIA, like managing a breach, is about assessing and mitigating risk. Your DPO is the person who must give you this advice. The first advice you need is whether a DPIA is necessary because it is a significant undertaking.

Sentry allows you to record the output of a DPIA in the format that the ICO expects to see. For Sentry customers we offer access to expert support. We can work alongside your DPO to analyse the risks and identify ways that the risks can be mitigated.

TRAINING

Ensure the whole team has appropriate training

Pragmatic data protection training for all staff

People change behaviour when they know what’s expected, so we’ve developed an online training programme to support you. We’ve split it into four modules due to the time pressures that all staff are under.

The modules cover the information that everyone needs. Firstly, there is a general introduction combined with a little myth-busting. The second module covers the new, much bigger, definition of personal data. In the third module we discuss the responsibilities all staff have in relation to SARs and breaches, and finally the last module focuses on practical steps to prevent breaches.

Evidence that training has been completed

The heart of compliance is being able to demonstrate what you’ve done, so documentation is critical. The notes and files section of Sentry is critical here. You can make notes about your progress and upload the detailed documentation as you move forward.

On the day you’re asked about your level of compliance, you’ll be able to get to the answers immediately and back them up with relevant information.

TRUSTS AND GROUPS

See what’s happening and get involved

Many schools, one system

You’ve just got the job as the data protection officer for a Multi Academy Trust, so congratulations are in order! However, it’s very common to find that individual schools within a group are at different stages of their compliance journey. Additionally, you can’t be in every school every day even though the school is at the sharp end of data protection delivery.

Sentry enables the creation of Group Administrators. A Group Administrator has access to this extra dashboard, meaning they have instant visibility of activities across all of the schools in the group. Suppose you want to know how many people still need to complete the online training: easy, the answer is right there in the dashboard.

Taking informed action

Click on any of the schools in the Group dashboard and you’ll go straight to its main dashboard. You have full administrator rights on every school in the group, meaning that you can view and edit existing records as well as creating records for events like breaches or SARs.

This means that you can provide support to one school through the Sentry system while you’re on site with another school providing training or performing an audit.
