Knowing what personal data you have and what you are doing with it
  1. A records audit and retention schedule to know what you have got and what to do with it
    (sample spreadsheet Sample retention schedule.xlsx based on the IRMS Toolkit for Schools)
  2. Some record of your IT systems and how you are using them
    (sample spreadsheet Sample systems spreadsheet.xlsx or you can use a commercial system like GDPRiS, or you may already have a digital asset register in your IT Support department or Bursary)

This will help you begin to comply with the ICO requirements for documentation.

Dealing with data at the end of its working life (the records life cycle)
  1. A flowchart to help staff negotiate the retention schedule to take action at the end of the records lifecycle
  2. A form for staff to complete when they deal with a record at the end of its life
  3. Procedures for IT Support teams to following regarding the secure deletion of digital records.

Dealing with a data breach
  1. A form for staff to notify a data breach
  2. A flowchart for the DPO to use to take action in case of a data breach (ICO guidance and checklist here)

You should already have a process in place if you are compliant with the DPA1998 which you can adapt.

Dealing with a Subject Access Request
  1. A form for staff to notify that a Subject Access Request has been received
  2. A flowchart for the DPO to use to take action in fulfilling a SAR (ICO guidance and checklist here)

Dealing with new data collection or processing
  1. A form for staff to complete when they want to do new data processing
  2. A checklist for the DPO to risk assess new processing, including the need for a DPIA
  3. Guidance on where to document new processing (retention schedule and systems spreadsheet)
  4. A form for carrying out a DPIA (available on the ICO site within the Privacy Impact Assessments Code of Practice)

Steps 2-4 can also help with auditing existing practice to ensure compliance.

Rachel Evans (Head of Digital Strategy) Alleyn’s School