It’s all very well knowing that with all challenging projects you need to ‘eat the elephant one bite at a time’ but it’s still difficult knowing where to begin.
The GDPR is one such project, and brings with it problems not only of scale and scope, but of new legislation, conflicting advice and many, many ‘advisors’ keen to share their thoughts, mostly for a fee, or to sell their products.
At the ISC Digital Strategy Conference in November 2017, a group of school bursars, IT managers and strategists gathered to discuss the GDPR in general and the impact it will have, and in more detail, how schools might approach the essential task of data mapping. We were guided by Stuart Abrahams from Think IT whose knowledgeable and pragmatic approach was helpful.
“My own school had already begun significant work on the GDPR and I sat in the meeting feeling reassured that we were on the right track. As well as drafting policies and privacy notices, we had already begun work on a broad records survey across the whole school. As the day progressed I began to see how the data mapping would fit with this records management work, and was eager to get back to work and start this next phase of the project. I could see how these two pieces of work would not only answer the need for an organisation to understand and account for the data it holds, but might also drive the process of developing procedures which would enable a path to compliance with the new law.”
Rachel Evans – Alleyn’s School
What is certain though is that the data mapping process is a guide for so much more than straightforward compliance. It can really help your organisation’s thinking about how to turn your policies into procedures that will work.
At the heart of the GDPR are the rights of the individual, supported by the general principles. In short, as organisations we must:
- be clear about what data we collect, process and retain
- know why we have it and how we are processing it
- know where we are keeping it
- know who has access to it, and limit that where necessary
- know what we’re going to do when we’ve finished with it
- and keep it secure
Without this detailed information we can’t hope to comply with the general principles, let alone assess risk, conduct a DPIA (Data Protection Impact Assessment), answer a SAR (Subject Access Request) or manage secure deletion or destruction. It doesn’t matter whether the data is on paper or in a digital system: this detailed knowledge is essential. And of course, it needs to be evidenced.
I think schools are already well-placed to meet these requirements. Schools already have lots of systems and procedures in place. You are used to rules and hierarchies, and usually have excellent institutional memory. You can tap into your school culture to make this knowledge explicit in order to evidence compliance and guide future practice around data protection.
You need to reassure staff that this is not an impossible task or an alien and unnecessary concept.
Last year we’d formed a committee for oversight and decisions on GDPR matters. We then brought together a core group of four people with appropriate skills and knowledge (from the Bursary, IT and Archives in our case). We looked for a combination of seniority, excellent institutional knowledge, super administrative skills and some specialist knowledge if possible.