The bad news is that GDPR compliance, for anyone who holds personal data, commences on the 25th May 2018, and there is the potential for a 10 million euro fine for non-compliance.
The good news is that it is unlikely anyone will be fined immediately, as policy is still being formulated, so there is still time to ensure you are as compliant as possible. The other good news is that if you are actively working towards compliance at any point, this is looked on favourably if any breach does occur in the meantime.
"The more work a school does to be as compliant as possible and maintain on-going compliance the less likely it is that a breach will occur. In the event of a breach, the ICO are likely to look more favourably on a school that has taken their obligations under GDPR seriously and done all they can reasonably have been expected to do to protect the personal data of individuals."
We can help you with this, whilst you carry on educating, with our 4 stage ICT review. It may be that you have most things covered, but has anyone checked? Do you have the relevant documentation to provide to the authorities to prove you are at least working towards compliance?
We can offer independent advice and recommendations by completing any or all of the following stages, with full clarity on required improvements via an easy-to-read report.
If you have a nominated data protection officer, we will work with them, with full transparency and co-operation.
What we can do.
1) A review of your site. This would include a review of your physical network, servers, switches etc., and recommendations on any improvements required. This would also include your off-site policies for laptops, USB sticks etc.
2) A review of your support arrangements and methodology with your ICT support staff. This would include, for example, status reports on where your backups go, what anti-virus or patching schedule you have, and what your disaster recovery plans are if you get hacked.
3) A review of 3rd party/supplier documentation. New rules will insist that all agreements include the new updates for GDPR rules. Both parties need to be fully aware of each other's roles and responsibilities.
4) A review of staff and pupil policies and procedures and, more importantly, their level of understanding of data and internet security, and what could be done to improve their knowledge.
If you read this and are unsure of any of the answers, then there is still time to be ready.
Each stage would take between 1/2 and a full day, with a maximum of 2.5 days for the average-sized primary school, including a full report on each subject area plus a general overview report. We could also present these reports to an SLT or governors' meeting by arrangement.
Call or mail us for a no-obligation chat, and work out for yourself whether you need some help. If you do, then we are ready.