A key part of this is assessing the data protection risks raised by your school's handling of personal data and carrying out a Data Protection Impact Assessment (DPIA) - also known as a Privacy Impact Assessment - when required.
DPIAs are not entirely new because they are currently best practice before starting particularly high-risk types of processing, eg before introducing CCTV cameras. However, it would not be unusual if your school has never undertaken a DPIA before, because they are not currently mandatory.
Under the GDPR you must assess the data protection risks relevant to your school's activities in order to determine the appropriate measures to put in place to be data protection compliant. Where the processing of personal data will result in a high risk to the rights of individuals, your school must carry out a DPIA.
There are four essential stages to a DPIA:
The European Union Article 29 Working Party's guidelines set out criteria to consider when assessing if a processing activity should be considered 'high risk'. The criteria include:
the use of special category personal data (eg medical)
using the personal data of vulnerable individuals (eg children)
systematic monitoring (eg the use of CCTV)
As a general guide, if two criteria are met then the activity is likely to constitute a high risk to the rights of individuals and thus require a DPIA.
When conducting a DPIA your school should involve the relevant staff (eg HR director, IT director) and consult with the affected individuals (eg staff, parents and pupils).
DPIAs will need to be frequently reviewed and kept updated. For example, the activity which is subject to the DPIA may slightly change and present new risks as a result. Your school will also need to review all uses of personal data on a regular basis to check whether any activity has started to present high risks to individuals and therefore requires a DPIA.
The EU Article 29 Working Party's guidelines on DPIAs are just one example of the guidance which is being developed by regulators in the run-up to May 2018. To give schools peace of mind that they are up to date with the latest developments in data protection law, we have developed a data protection module of our Compliance Toolkit. This is a monthly updating service which lets schools know about the latest developments and how they impact on the school compliance framework.