The GDPR one year on
Moving beyond baseline compliance
One year on from the introduction of the GDPR, Information Commissioner Elizabeth Denham stated in a blog:
The focus for the second year of the GDPR must be beyond baseline compliance – organisations need to shift their focus to accountability with a real evidenced understanding of the risks to individuals in the way they process data and how those risks should be mitigated.
Denham emphasised that organisations must move away from seeing GDPR compliance as a box-ticking exercise, with “strong accountability frameworks” as the key to achieving that.
Three steps your school can take to demonstrate accountability
The following activities evidence that you understand the risks involved with data processing, particularly to individuals, and that you are mitigating them. Doing so will also help you demonstrate accountability.
- Document data processing in a data map
Article 30 of the GDPR requires organisations that process personal data to maintain a record of their processing activities, and the supervisory authority can ask to see this. Documenting how personal data flows into and out of your organisation in a data map provides an overview and allows unnecessary processes to be eliminated and inefficient ones to be improved. Update the map whenever new systems, processes or technologies are introduced. If you haven’t yet mapped your school’s data, start with special category data, as this warrants greater protection, and then move on to general personal data. Involve other staff to identify how data flows once it is in their care and the risks in how they are processing it.
- Make DPIAs part of project planning when considering new systems
Where a processing activity or project may pose a high risk to individuals, you must conduct a DPIA (data protection impact assessment). This is especially important at an early stage of a new project, when it is still easier and cheaper to make changes to mitigate the risk. Involve your DPO (data protection officer) as soon as possible, and focus on the risks to the individuals, not to the organisation or to how important the project is. If the risk is still high after conducting the DPIA, you must consult the ICO (Information Commissioner’s Office) before starting the processing.
A DPIA is probably necessary when, for example, introducing a new MIS, payroll provider, IT support company or process that involves special category data. If you are unsure whether a DPIA is required, speak to your DPO or ask a basic set of screening questions first; if the project looks as though it could be high risk, then conduct the full assessment.
- Don’t see data protection as an afterthought
Data protection should be part of everyday conversation and planning, not an afterthought. The GDPR refers to this as ‘data protection by design and by default’ – organisations must integrate data protection into processing activities and practices, and consider what safeguards are necessary from the planning stages onwards. DPIAs and data flow maps are important parts of data protection by design and by default, as is an ongoing staff training and awareness programme rather than reactionary training when things go wrong.
How GDPR.co.uk supports your accountability and evidences your understanding
GDPR.co.uk includes data mapping, staff training and DPIA sections that demonstrate your approach to data protection by design.