As GDPR approaches I thought I would share some thoughts. Now I must admit to not being a GDPR expect, instead the below represents my thoughts taken from the perspective of managing the prevailing risks around GDPR.
Two issues which currently occupy my thinking in relation to GDPR are managing the use of third parties which either supply software which is used in school or which provide a service where they store school data outside of the school. Another issue which is currently at the front of my mind is the issue of awareness training and how we ensure staff are suitably informed and aware of GDPR, its implications and particularly what it means for them.
Third Party solutions
Schools may make use of third party software within the school, some of which is locally hosted and stored in the school and some are cloud hosted.
Locally hosted solutions might include the school management system. In these cases, we are relying on the third-party vendor ensuring that the software they have created has adequate security measures in place to protect any data held within it. From a GDPR point of view schools need to show their efforts to comply and in this case, I would suggest the easiest way is to ask third party software vendors to provide details of how they have ensured the security of their product either through their policies or through independent reviews such as audits, vulnerability or penetrations testing. Although the school is responsible for the security of the infrastructure on which the solution resides, it is the vendors responsibility to ensure the security of the platform itself, independent of where it is hosted.
Where cloud hosting is used we have the same issues as for local hosting, in that the vendor must have ensured the security of the platform, however we have the added issue of the vendor supplying the hosting and the infrastructure on which the platforms sits. My first port of call in examining third parties is their policy documents looking specifically at any GDPR, Data protection, privacy, data privacy or information security policies they may have. In the best cases this will address issues around security of data, sharing of data, deletion and retention of data. In my experience, most vendors will quote the security compliance of their hosting service somewhere in their documentation or in response to questions on security. This usually addresses physical security concerns in that the larger data centres must have tight security to comply with the relevant standards. This still leaves a requirement to ask questions around business continuity and disaster recovery, in what processes the vendor has in place in the event of a serious incident. It also leaves questions around ensuring the security of the network on which the service is hosted. Like with local hosting we can address this by asking questions around any penetration testing or external auditing which has been conducted.
Breach, security incident or vulnerability notification processes are also an important thing to look for across both local and cloud hosted solutions. If a service is handling student data it is important to know that they have a process in place for notifying service users if an incident occurs or if a vulnerability is identified plus that they have a clear timeline and method of notifying users.
I think a key aspect of GDPR is making sure the overall school community is aware of the new legislation and what it means for them. As such training is a key feature of preparations. I know many companies and individuals are offering training ahead of the introduction of GDPR however I think it is important to establish the purpose of training. If the purpose is simply compliance then an annual presentation to all staff will suffice as it will provide that all staff have received training. The issue here is that staff in schools are very busy and therefore the content presented to them is unlikely to stick. Equally an online resource in my opinion has the same limitation. The staff will complete the materials however little will stick. For me the key is a multi-honed approach using various delivery methods including whole school sessions, sessions where discussions and materials are disseminated to department level, broadcast communications such as email campaigns and online training materials. An awareness of GDPR and more importantly an awareness of the risks associated with processing data needs to form part of the culture, “the way we do things around here”.
GDPR is now fast approaching and the above are just two issues out of a myriad of issues. Not mentioned above are the implications around developing appropriate privacy notices, the issue of establishing data retention plans, dealing with subject access requests or requests for limitation of processing, handling requests to be forgotten, handling services where data is stored outside the EU and the issue of identifying the legitimate reason or justification for possessing. The GDPR rules are complex to implement and my advice on this continues to be to take a risk based approach. For me, currently, the two items above in third parties and awareness training, represent to of the big risks.