GDPR: Bringing GDPR audits to life: utilising practical key tips and support
Audits get mixed reactions - you either love them or you hate them. But they are necessary, to grow and understand where to focus our attention for the new school year. That is why this sofa session is focused on how to eliminate pre-audit reservations and benefit from the experience.
Audits: Even the word is a little scary! Why do you even do them?
The primary purpose of the audit is to see how things are at the present time and work out where any weak points and areas of risk may be.
Your DPO can then put a plan together to plug the gaps. Don’t think in terms of Ofsted or a finance audit – a DPO, although impartial, should work with you to achieve improved compliance.
The DPO will help:
- Set obtainable targets
- Look at what you’re doing and put a GDPR framework around your existing practices.
- Offer ways to improve within reasonable time frames dependent on the changes being implemented.
But the key point to take away from an audit is that a DPO is not there to beat you up. Don’t forget, too, that you are not the experts. That’s the role of the DPO.
An effective audit covers two key elements:
1. The accountability principle, which states that schools (as the data controller) are responsible for complying with GDPR.
It’s the DPO’s job to monitor compliance and advise you on all things data protection. The audit helps gather the details DPOs need while also providing the evidence you may need later if anything ever goes wrong.
It should be a positive and informative experience!
But schools are so busy! Aren’t you adding to school workload just to tick a box as DPO?
It is always difficult to see the audit as more than a tick box exercise. However, if you can set some time aside for an audit, the potential savings are huge! Most DPOs will work with whatever you can offer, whether that’s thirty minutes or a few hours.
Ultimately, any personal data you process has an owner who has rights to know what you are doing with it! This stands for both children and adults.
If there are any issues, any of those owners can report you to the ICO, who will then look to your DPO directly.
By having an audit report with the action plan attached, your DPO can support you through any investigation by having an excellent body of evidence of knowledge of gaps and a plan to fill them.
Think of it as assessment data informing your future teaching plans! The audit illustrates where you need to go next and identifies a pathway to improving. You wouldn’t start teaching a child to use a semi-colon if they still can’t use full stops.
As a direct impact of an audit, your DPO can help you prioritise and set a plan of action. If then any issues do arise, it’s not because you were totally unprepared and had no idea of the risks.
An ICO investigation requires far more time than an audit.
Evidence of good data practices and the guidance of your DPO will also help you when you receive a data request – saving you hours of painful collating and redacting of data before sharing.
If schools can set aside the time, what is the best advice on what to do beforehand?
DPOs can work with whatever is presented to them. There are no hard and firm rules, and every DPO will have a different method.
Ultimately, all DPOs need to look at and review the same things, but the primary aim is to make things better.
Before every audit, the DPO will investigate your systems. These include your website, seeing what processes are already in place, reviewing current policies you have and starting to think of a plan.
The DPO will have a good idea prior to the audit and will have questions based on details already known.
The key is to be open and honest.
If you have nothing, say so. If the very thought of data protection fills you with fear, say so. If you feel you have everything sorted, equally, say so.
Any audit will review:
- Policies – the key data protection, data breach, data retention and data request details
  - Are they up to date?
  - Are they correct?
  - Are they easily accessible?
  - Are they publicised?
- Privacy notices
  - Do you have them and how do you make people aware of them?
- Training
  - When was your last session?
  - Who has been trained?
  - What training do you do?
  - Are you keeping records?
- Current trends/risks
  - Cyber security, social media, remote working, Covid testing data
Some examples of areas to focus on include:
- Sample template employment contract
- Data protection policy
- Other data related policies
- Access to a sample personnel file
- Your privacy notice(s)
- Email systems
- Any data impact assessments
- Details of portable media devices
- Training records for data protection and data related purposes
- Details of any third-party organisations who process data on behalf of the school
During a site visit, the DPO will look around and gauge the situation. If lots of paperwork is lying around, data is displayed on walls and there are unlocked cabinets or keys in locks, these might be a red flag. That doesn’t mean you can’t do any of that, it means you’ll be asked about it.
Your DPO will document and report on everything they find. The report is your evidence of accountability. It can be circulated amongst the governing body to inform their oversight function.
Conflict of Interest
A DPO always reports to a high-level contact in school, such as the Headteacher or a member of SLT.
It is important that your DPO is completely impartial and can act without conflict of interest.
If employed within school, can your DPO broach difficult conversations with higher management within the school without fear of repercussions?
If not, then your DPO may not be able to fulfil their duties to the school.
DPOs don’t have any authority as such and can’t force anything to be done. That’s why the focus is on advice and manageable change.
You can ignore everything, but then you open yourself up to the risk.
If schools don’t carry out enough preparation, will the DPO just find lots of gaps causing the school to get into trouble?
Most importantly a good DPO is not looking to catch you out!
Simply by turning up for the audit, schools are in a much better position than before. The aim isn’t to add to an exhaustive list of things schools must do already.
The goal is to work out what needs to be on the list and support the school in doing as much as they can to fill the gaps.
Schools are experts in many things, while data protection is a DPO’s only expertise. DPOs research, prepare and produce as much as they can to leave schools with as little to do as possible. Generally, this is just adding the school’s specific details, but you’re not expected to do this on your own. DPOs produce guides and can be available to book calls and/or visits to cover even more.
After the audit, do schools get a certificate of compliance or something similar?
The short answer is No.
There is no end game with compliance, so it can’t just be signed off or marked as done.
The best advice is USE YOUR DPO.
Key terms to take away are evidence and justification.
Since 2018, it is no longer acceptable to simply say, “Yes, we’re compliant.”
You always need the evidence to back this claim up.
Get as much information as you can to your DPO as soon as possible and let them deal with it. They will ask you for further information if needed.
In general, schools are great at linking data/child/safeguarding. However, it is providing the evidence where things can take a turn.
Often, we find action seems to be done because it feels right rather than because it complies with data protection legislation. It is this connection that the DPO will build for you.
And it all starts with an audit…
As part of Judicium’s School Data Protection Officer Service, we offer a designated, expert DPO to manage your account and data protection. They advise through reports, provide information sheets and offer GDPR training for all employees. And most importantly, they are only a call away for extra support. If you would like more information on how we can support you, please see details of the service below.