Schools share personal data with suppliers all the time, but because of the rules imposed by the GDPR (General Data Protection Regulation), they need to be careful about the way they use that information.
The GDPR extends the scope of responsibility when it comes to data protection and privacy: a school that acts as a data controller remains accountable for processing carried out on its behalf by suppliers (processors), so it may be liable for mistakes made by those third parties.
To ensure that doesn’t happen, you need to know which supplier relationships are subject to the GDPR and take appropriate actions to protect yourself.
We help you get started in this blog, explaining which suppliers process personal data, what information you need from them and how you can maintain GDPR compliance.
When does the GDPR apply?
The GDPR applies to the personal data of individuals in the EU, and the UK GDPR to the personal data of individuals in the UK. (Following Brexit, the UK created a localised version of the Regulation known as the UK GDPR, which – except for a few changes – contains the same requirements.)
As such, you need to be concerned with any information relating to an identified or identifiable living person in the EU or UK. This includes obvious things such as people’s names, addresses, contact details and financial records, but also identifiers such as pupil numbers, IP addresses and online account IDs that can be linked back to an individual.
Let’s now look at some examples of supplier relationships and whether they are subject to the GDPR.
Our first example is an online subscription service from whom you purchase study materials.
The transactions are conducted under the school’s budget using the school’s own payment records. Students visit the site and read material to help them in their studies, but they don’t need an account to use it.
This supplier relationship is not subject to the GDPR, because no personal data is being shared: the payment details aren’t associated with a specific person, and the students aren’t required to hand over any information when using the service. One caveat a practitioner should check: if the site logs visitors’ IP addresses or sets tracking cookies, those can count as personal data, and the relationship would then need to be assessed like the ones below.
But let’s say that there’s a similar service that requires students to register before they can access the study materials.
This would be subject to the GDPR, because the supplier has obtained students’ names and contact details.
How about this scenario: there’s an off-the-shelf piece of software that shows staff information about students, such as the books and resources they have accessed.
The GDPR applies again in this case. Even though it is staff and students who enter and view the information, the supplier hosts and processes students’ personal data on the school’s behalf, which makes it a processor and the school the controller.
What information must schools collect from processors?
Here are five things schools must document to ensure their supplier relationships comply with the GDPR:
1. A contract containing compliance practices
You must agree in writing to the measures you and the supplier will take to protect the personal data you share with it. Under Article 28 of the GDPR, this contract is mandatory whenever a processor handles personal data on your behalf.
The contract must stipulate that the supplier will act only on your documented instructions, that it won’t engage a sub-processor without your prior written authorisation (and remains responsible for any sub-processor it does use), that its staff are bound by confidentiality, that it will implement appropriate security measures and help you meet your own obligations (such as responding to subject access requests and reporting breaches), that it will submit to audits, and that it will delete or return personal data at the end of the contract.
2. A record of compliance
All organisations must maintain records that demonstrate their GDPR compliance. This includes privacy notices and policies, as well as proof that certain processes – such as risk assessments and data protection impact assessments – have been completed.
3. Breach notification and incident response processes
A crucial aspect of GDPR compliance is understanding what you will do when a data breach occurs.
No matter how secure you are, there is always some residual risk of a security incident; no set of controls eliminates it entirely.
By preparing for this in advance, you can ensure that you respond quickly and effectively, minimising the damage and protecting your reputation.
Regulators will examine your actions once you have disclosed the incident. The GDPR does not promise immunity from fines, but regulators take into account the technical and organisational measures you had in place and how well you managed the breach when deciding whether, and how much, to fine.
Timing matters: a processor must notify the controller without undue delay after becoming aware of a breach, and the controller must notify the supervisory authority (the ICO in the UK) within 72 hours where the breach is likely to result in a risk to individuals. Suppliers must therefore share their response processes with schools, including who they will contact and how quickly, so that the two can work together in the event of a data breach.
4. The supplier’s data protection officer
Under the GDPR, certain organisations – including schools – must appoint a data protection officer to act as an independent expert on data protection issues.
Your suppliers won’t necessarily need a data protection officer, but they should have a point of contact that occupies a similar role. This might be a data protection or compliance manager, for example.
Whatever their exact title is, schools must know their name and contact details so that they can get in touch regarding any compliance issues or incidents.
5. Information about third-country data transfers
The compliance requirements of schools and their suppliers may change if personal data is transferred to a third country – i.e. one that is not subject to the EU GDPR or the UK GDPR. Such transfers are only permitted where the destination is covered by an adequacy decision or where a recognised safeguard, such as standard contractual clauses, is in place.
Organisations in the supply chain must therefore tell the relevant parties where personal data is stored and processed, including by any sub-processors, and which transfer mechanism they rely on.
Supplier relationships and data protection impact assessments
A core component of GDPR compliance is the requirement to conduct DPIAs (data protection impact assessments) for “high-risk” processing activities.
Conducting a DPIA helps you to identify and minimise the data protection risks posed by a project.
Processing activities that require a DPIA are likely to include things like implementing new software that processes personal data.
The DPIA looks at this processing to assess the risks to the personal data and therefore to data subjects, how likely it is that they might be harmed, and the extent of that possible harm. Three factors drive that assessment:
- How many people the personal data belongs to
The quantity of data involved may not influence the likelihood of harm, but it makes a difference to the collective harm to individuals in the event of a breach.
For instance, the data within the school’s MIS (management information system) includes the data of current, past (and, in some circumstances, future) pupils, their parents and employees.
- How easily the personal data can be used to identify specific individuals
This links to the categories of data involved. For example, if the records contain people’s date of birth, postcode or gender alone, this is usually not enough to conclusively identify someone. However, if you had all three, it might.
It’s worth adding that the number of categories involved is not the only factor to consider. Full names and job title can identify someone on their own, and with relatively little effort.
The key is that the easier it is to pinpoint an individual, the more likely it is that they will be harmed.
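The point about date of birth, postcode and gender is the classic quasi-identifier problem: each attribute is shared by many people, but the combination is often unique. The following Python check, added here as an illustration and not part of the original post, runs that test over a constructed roster of eight fictional pupils. It counts how many records share each combination of quasi-identifier values (the smallest such group is the dataset’s k, in k-anonymity terms) and lists the pupils whose combination is unique and therefore re-identifiable. The roster, field names and pupil labels are all assumptions made for the example.

```python
"""Quasi-identifier re-identification check (k-anonymity style) on a constructed roster."""
from collections import Counter
from itertools import combinations

# Constructed sample roster: fictional pupils, not real data.
# "name" is a direct identifier; dob, postcode and gender are quasi-identifiers.
PUPILS = [
    {"name": "Pupil A", "dob": "2010-03-14", "postcode": "AB1 2CD", "gender": "F"},
    {"name": "Pupil B", "dob": "2010-03-14", "postcode": "AB1 2CD", "gender": "M"},
    {"name": "Pupil C", "dob": "2010-03-14", "postcode": "AB1 2CD", "gender": "F"},
    {"name": "Pupil D", "dob": "2011-07-02", "postcode": "AB1 2CD", "gender": "F"},
    {"name": "Pupil E", "dob": "2011-07-02", "postcode": "AB1 9ZZ", "gender": "M"},
    {"name": "Pupil F", "dob": "2010-03-14", "postcode": "AB1 9ZZ", "gender": "M"},
    {"name": "Pupil G", "dob": "2009-12-25", "postcode": "AB1 9ZZ", "gender": "F"},
    {"name": "Pupil H", "dob": "2009-12-25", "postcode": "AB1 9ZZ", "gender": "F"},
]


def equivalence_classes(records, quasi_ids):
    """Count how many records share each combination of the chosen quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def min_k(records, quasi_ids):
    """Size of the smallest group; the dataset is k-anonymous for this k under these fields."""
    return min(equivalence_classes(records, quasi_ids).values())


def uniquely_identified(records, quasi_ids):
    """Pupils whose combination of quasi-identifier values appears only once (re-identifiable)."""
    classes = equivalence_classes(records, quasi_ids)
    return sorted(
        r["name"] for r in records if classes[tuple(r[q] for q in quasi_ids)] == 1
    )


def report(records, fields=("dob", "postcode", "gender")):
    """Assess every non-empty subset of quasi-identifiers.

    Returns {subset: (k, number_of_uniquely_identified_records)} so that a DPIA
    reviewer can see which attribute combinations make individuals pinpointable.
    """
    out = {}
    for n in range(1, len(fields) + 1):
        for subset in combinations(fields, n):
            out[subset] = (min_k(records, subset), len(uniquely_identified(records, subset)))
    return out


if __name__ == "__main__":
    for subset, (k, uniques) in report(PUPILS).items():
        print(f"{'+'.join(subset):22s} k={k}  uniquely identified={uniques}")
```

On this roster no single attribute identifies anyone (every group has at least two members), yet date of birth plus postcode plus gender singles out four of the eight pupils. Run the same report against an export from your own MIS before sharing it with a supplier to see which columns actually need removing or generalising.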
- How sensitive the personal data is
The potential degree of harm is highly dependent on the nature of the information. Medical information, for instance, tends to be extremely sensitive: revealing that a person has a serious condition may well lead to bullying, or damage their social standing or personal relationships.
However, even seemingly innocuous information such as place of birth or a mother’s maiden name can lead to identity theft if that information is used to authenticate to, for instance, an online banking account.
Addressing your security risks
For processing activities where the DPIA reveals a high level of risk, you must take steps to reduce it. You could do this by stopping that processing activity, but if you’ve shown that processing is necessary and proportionate, you’ll more likely want to implement technical and/or organisational measures to lower the risk. If a high risk remains after those measures, you must consult the ICO before starting the processing.
Possible technical measures include anonymising or pseudonymising the data being processed, using a different technology to conduct the processing, or applying additional security controls (such as more granular access controls or secure disposal of paper records). Note that pseudonymised data is still personal data under the GDPR, because the school retains the means to re-identify individuals; it reduces the risk of a supplier-side breach, it does not remove the data from scope.
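Pseudonymisation is only as good as the way it is done. A plain hash of a pupil number is reversible by anyone who can guess the input space, which for sequential school IDs is tiny. The Python example below is added here as an illustration and is not part of the original post or any particular product: it replaces direct identifiers with keyed HMAC-SHA256 tokens using a key the school keeps separately from the data it hands to a supplier, and then shows the re-identification attack that succeeds against an unkeyed hash and fails against the keyed one. The record layout, the pupil ID format (`P` followed by five digits) and the demo key are assumptions made for the example.

```python
"""Keyed pseudonymisation of direct identifiers, with a guessing attack against the unkeyed form."""
import hashlib
import hmac

# Constructed demo key. In practice generate one with secrets.token_bytes(32),
# store it separately from the data (e.g. in the school's secrets store), and
# never send it to the supplier: it is the "additional information" that makes
# re-identification possible, which is exactly what Article 4(5) says must be kept apart.
DEMO_KEY = b"constructed-demo-key-do-not-reuse-in-production"


def token(value, key):
    """Stable, non-reversible pseudonym for one identifier value under the given key."""
    return hmac.new(key, str(value).encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(record, key, direct_ids=("pupil_id", "name")):
    """Return a copy of the record with direct identifiers replaced by keyed tokens.

    The same identifier always maps to the same token under the same key, so the
    supplier can still link a pupil's records together; a different key (for a
    different supplier) produces unrelated tokens, so two suppliers cannot join
    their datasets on the pseudonym.
    """
    out = dict(record)
    for field in direct_ids:
        if field in out:
            out[field] = token(out[field], key)
    return out


def naive_hash(value):
    """What NOT to do: an unkeyed hash of the identifier."""
    return hashlib.sha256(str(value).encode("utf-8")).hexdigest()


def recover_by_guessing(pseudonym, candidates, key=None):
    """Re-identification attempt: hash every plausible identifier and compare.

    With key=None it attacks an unkeyed hash. Pass the key an attacker actually
    holds (normally none) to see that the keyed token cannot be matched without it.
    """
    for candidate in candidates:
        guess = naive_hash(candidate) if key is None else token(candidate, key)
        if hmac.compare_digest(guess, pseudonym):
            return candidate
    return None


def candidate_pupil_ids():
    """Assumed ID format: 'P' plus five digits, i.e. only 100,000 possibilities."""
    return [f"P{i:05d}" for i in range(100_000)]


if __name__ == "__main__":
    record = {"pupil_id": "P04217", "name": "Pupil A", "reading_level": 3}
    shared = pseudonymise(record, DEMO_KEY)
    print("record sent to supplier:", shared)
    ids = candidate_pupil_ids()
    print("unkeyed hash recovered as:", recover_by_guessing(naive_hash("P04217"), ids))
    print("keyed token recovered as:", recover_by_guessing(shared["pupil_id"], ids))
```

The guessing loop over all 100,000 IDs takes well under a second, which is why an unkeyed hash of a short identifier offers no protection at all; the keyed token withstands the same loop because the attacker has no key to feed into it. Keep a mapping from token back to pupil only on the school side, protected by the same access controls as the key.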
Technical measures will need to be backed with organisational ones, such as:
- Additional policies and procedures;
- Providing extra staff training;
- Reviewing privacy notices; and
- Updating contracts.
After deciding on the measures, you need to implement them and monitor their performance.
You then need to reassess the risks to ensure that they are now within acceptable levels, and make sure that you review them whenever changes are made to the processing activity.
GDPR compliance made simple
If you’re looking for more help meeting your data protection requirements, GPDR.co.uk is here to help.
Our GDPR for Schools compliance platform contains everything you need to shore up your defences and complete your documentation requirements.
This tool was developed by data protection and cyber security experts with more than 15 years’ data privacy and cyber security experience, and now comes with a free two-week trial.