Back in 2017 I wrote a post for UkEdChat in relation to GDPR (see the post here), prior to the introduction of the GDPR regulations in May 2018. It is just over 3 years since that post, and almost 2 ½ years since GDPR came into force, so I thought it would be a good time to revisit the post and share some of the things I have learned in relation to data protection and GDPR since then.
Subject Access Request
One of the key things I expected when I wrote my post in 2017 was a significant increase in Subject Access Requests. For me this never really materialised. What did materialise, however, for the limited number of SARs received, was a more difficult and time-consuming process in trying to fully respond to requests. Thankfully, new tools such as the eDiscovery tools in Office 365 made this reasonably easy and convenient from an IT point of view, but this didn’t alleviate the administrative challenges around the need to review, and also redact, the data identified by the eDiscovery tool.
One of the key things I have learned in relation to GDPR is the importance of evidencing compliance with the regulations. Things will not always go to plan, and when they don’t there is a need to prove that you have done all that is reasonably possible. This means documenting processes, documenting incidents, even minor ones, and documenting discussions regarding the perceived risks and mitigation measures, including the mitigation measures which have not been applied due to cost or operational impact. You need to be able to prove that you have fully engaged with the legislation and made every reasonable attempt to comply.
Interpreting the rules
It is clear that the GDPR rules are not as clear as some people, and especially those selling GDPR goods and services, would make out; there is a need for interpretation within the context of your own school, and any such interpretation needs to be documented. There is also an opportunity here to reach out to other schools similar to yours to see how they have dealt with certain situations, and how they have interpreted GDPR. Again, a key issue is the need to document any decisions or conclusions reached in your interpretation of GDPR.
Third Party Management
I mentioned Third Party management in my 2017 post and I believe my concerns have been proven. Third parties have shown themselves to be a source of cyber risk, with cyber criminals breaching third parties and then moving laterally into an associated school or other organisation. Third parties have also shown themselves as a risk where they themselves are used to process or store your school data, as a breach of the third party storing your data is your responsibility; you are the data controller. The key here is the need for due diligence and a privacy impact assessment before engaging with a third party, plus the routine review of these assessments and of third parties’ approach to data protection and to cyber security. We can’t truly control the third parties we engage or the criminals who may seek to breach them, but we can try to ensure they are as prepared as possible, and can ensure we can evidence that we have taken all reasonable measures should something go wrong.
This is my biggest learning point from the last 3 years, since my post in 2017. There are no 100% answers when it comes to cyber security and data protection. It is all about managing risk. Every action we take in terms of the setup of a system, the processes we use, the third parties, etc., all involve a business benefit or gain but also a risk. Nothing is without risk. As such, we need to constantly be reviewing the risk and deciding what risk is acceptable and what is not. We need to examine the available mitigation measures and decide which will be implemented and which we will not implement, often due to potential operational efficiency losses or simply down to cost. Above all, we need to document these considerations and the resulting decisions.
I am not sure GDPR changed things as much as I thought it might; however, it definitely did provide an opportunity to re-examine processes, systems, etc. with a view to keeping data safe and secure. This also provided a key opportunity to develop the all-important documentation in relation to processes and systems. I think in 2017 I looked at GDPR as a piece of legislation and an end point in ensuring readiness for May 2018. Looking back, I now see GDPR as more of an ongoing process which will never end. GDPR is about ensuring we are doing all that is reasonably possible to safeguard the data entrusted to our possession.