There are five key areas of risk for trusts:
These areas are closely linked, so mitigating a risk in one area can go a long way towards guarding against risks in another.
Perhaps the most striking difference between the GDPR and the current Data Protection Act (DPA) is that complying with the legislation will not, by itself, be enough. You will also be expected to demonstrate your compliance and to show that data protection and information security are built into your practices (the GDPR's 'accountability' principle). Some key mechanisms for demonstrating compliance include:
having a record of processing activities which is required by the GDPR
recording any consents received (although your trust will only rely on consent in limited circumstances)
implementing robust data protection policies and training for staff
making data protection and privacy considerations integral to any decision involving the handling of personal data and documenting this (privacy by design and privacy by default) and
carrying out Data Protection Impact Assessments before starting to use personal data in a 'high risk' way
Your trust should have robust measures in place to keep personal data secure, and the GDPR expects these to be both organisational and technical. Staff training and policies, considering data protection when taking decisions involving personal data, and carrying out Data Protection Impact Assessments are the organisational side; your IT team should put in place the technical measures (for example, access controls, encryption and backups) to guard against risks.
Certain personal data breaches must be reported to the Information Commissioner's Office (within 72 hours of the trust becoming aware of the breach) and, where the breach is likely to result in a high risk to individuals, to the affected individuals themselves. Having a data breach policy and procedure to be followed in the event of a breach or suspected breach is therefore highly recommended, so that breaches are recognised, contained, assessed and reported within these timescales.
Under the DPA, individuals must be given information about how your trust uses their personal data. This is usually provided in a document known as a privacy notice (or transparency notice). The GDPR requires more information to be included in these notices than the DPA does. Clear and plain language should be used, especially where a notice is addressed to children (as will be the case for most trusts' pupil privacy notices). We have updated our template privacy notices for staff, parents and pupils in light of the GDPR.
Data Subject Rights
Individuals have stronger and additional rights under the GDPR. New rights include the right to data portability and the right to be forgotten (the right to erasure). Subject access requests will also be more onerous to respond to: the time period for responding is one month in most cases, and additional information must be provided in the response, such as the individual's right to lodge a complaint with the ICO.
Staff should be trained to recognise when an individual is exercising one of these rights, because the timescales for compliance are strict. Your trust should also be able to locate an individual's personal data easily in order to respond to subject access requests and data portability requests.
Marketing and Fundraising
Marketing and fundraising communications are subject to their own special rules. In particular, consent must be obtained before certain communications are sent by electronic means, e.g. by email. With the more restrictive definition of consent introduced under the GDPR, you will need to check that any consents being relied on meet the more onerous requirements (for example, that the consent was freely given, specific, informed and given by a clear affirmative action).
Where Do I Start?
A first step should always be to carry out an audit of the personal data held by the trust. This should give the trust a firm grasp of its different data flows (what personal data it holds, where it came from, where it is stored and who it is shared with) so that it can begin to tackle the areas outlined above. We have a free template which trusts can use as a starting point for the audit process.
If you would like a copy of the template audit or if you would like to discuss how VWV can assist with your preparations for the GDPR, please contact Andrew Gallie on 0117 314 5623 or Claire Hall on 0117 314 5279.