Checklist
The ICO has a comprehensive checklist as part of a self-assessment tool.
Checklist of areas likely to need work for GDPR compliance:
- Accountability - Do you have auditable proof that you are complying with GDPR eg signed consent forms? Do you regularly undertake checks for compliance?
- Breach Notification - Do you have a procedure in place that will allow you to report to the ICO within the 72-hour deadline? Do your employees know it?
- Consent - Review where you ask for consents to make sure they are appropriate and recent.
- Contracts - Do you have written contracts in place with your data processors? Do contract clauses cover GDPR? Do you have processes in place for doing your due diligence prior to letting a contract and during the term of the contract?
- Data Protection Officer - Have you appointed a DPO who is appropriately trained and understands their role and responsibilities? Are your staff, governors and parents aware of the DPO and how to contact them?
- Mobile working / transportation of personal data - Do you have policies and procedures to protect personal data outside the school?
- Policies - Have you reviewed and revised your policies?
- Privacy by Design - Do you have processes in place to consider privacy before the start of any project or process change?
- Privacy Notice - Is your privacy notice clear about all processing of personal data undertaken? Do your forms (paper and electronic) tell people about why you are collecting personal data, what you will do with it and who you intend to share it with (eg with LBB for schools census)?
- Record of Processing Activities (ROPA) - Have you produced a ROPA showing all the activities you undertake using personal data?
- Security of electronic data - Are you confident your electronic data is secure eg encryption, password protocols, cloud storage?
- Subject Access Requests (SARs) - Do you have a process in place that tells people how to access their personal data? Are you ready for the shorter deadline? Are you aware of the enhanced Data Subject Rights within the GDPR?
- Training - Have you trained all your staff (including catering and facilities) recently so that they understand their responsibilities for processing personal data? Do you have an ongoing training plan in place?