Case Study Background
Educational establishments are many and varied, and all of them hold a great deal of personal data. Most hold personal data about under-16s, and that data frequently crosses into special category data for one reason or another. This GDPR Audit Case Study shows how we helped a school get on the path to GDPR compliance.
Many of these establishments also have to comply with a range of other legislative frameworks, some of which can appear, on the surface, to conflict with the GDPR.
Independent schools and academies may have a little leeway in respect of local authority control, but there is no such advantage when it comes to personal data: the whole of the GDPR applies, unless of course it is overridden by other laws.
Our client is a medium-sized independent preparatory school with a small online presence. Its data subjects are students, staff and parents, plus small numbers of others.
The school teaches, runs clubs, organises trips, keeps registers, holds medical information and information about parents, uses both IT and paper records, and has above-average IT systems and support. In this instance it also had a knowledgeable compliance manager.
The school approached GDPR Auditing after researching our services on our website, having been impressed by the content and by the experience of the consultants.
We spoke to the compliance manager, explained how the audit process works, and gathered enough information to provide a quote, which was accepted.
GDPR Auditing then sent out an audit initiation document for the school to fill in. This document clarifies the school's position in various respects (IT systems, policies and procedures, responsibilities and so on) and enables a schedule of interviews to be produced.
What we did
The scope of the audit was to assess the school's readiness with respect to the GDPR.
Following our audit methodology, the consultants developed a comprehensive view of the school's day-to-day operational processes: sales and marketing, admissions, student records, agreements and contracts, parental data, HR data, policies and processes, alignment with the DPA, secure collection and storage of all data types, and a detailed examination of all IT systems and practices.
We also covered the back-end processes, including accounts, payroll, pensions and third-party data processors.
For all of the above we considered what data was being collected, what information was being given to data subjects at the point of collection, the legal basis for collecting the data, whether the collection was necessary, and what the consequences were if the data was not provided.
Consideration was given to the method of collecting the data, how it was stored, for how long, and when it was destroyed, as well as the processes in place for keeping data accurate and for dealing with data subject requests.
We looked at how the school might detect data breaches and, from there, follow its incident procedures and report to the ICO.
We took an action to write to the ICO, in the form of a prior consultation, in order to clarify a conflict between safeguarding requirements and the GDPR.
With unhindered access to all parties at the school and efficient, streamlined organisation by the compliance manager, GDPR Auditing was able to complete the audit interviews in a single visit over the proposed two-day period, and came away with no unanswered questions.
Some of what we found
A lot of Good Practice
The school was up to date with current legislation: it was not only aware of the Data Protection Act but was actively following the DPA rules and regulations in many areas.
All staff interviewed had a good understanding of the need for data privacy and confidentiality, as you would expect of an establishment responsible for children.
The IT systems were up to date, reasonably secure, and underpinned by some good policies and procedures. The outsourced IT provider was an asset to the security of the systems, which is so often not the case.
We found no areas of disregard for data privacy, nor any misuse of the personal data collected.
Some areas for Improvement
However, as expected, GDPR Auditing helped the school uncover several areas where improvements and enhancements could be made to meet the requirements of the GDPR.
Whilst the IT was very good, there were still some areas where security could be improved.
A historical dependence on paper records may cause the school resource problems if the GDPR brings about a step change in the volume of data subject access requests.
In addition, paper records are potentially difficult to manage, to keep secure and to keep accurate.
Some data, whilst collected legitimately, is not used and could be removed.
A Data Protection Officer is required for this school (as for all schools), and the role should be performed to the standard set out in the GDPR.
What we delivered
- A full audit of all school business processes that relate to the GDPR.
- A daily wrap-up of key findings.
- A summary of major findings, delivered on site at the end of the audit.
- A full audit report delivered electronically, with overall status, executive summary, key findings, detailed findings with priority and recommendations for resolution, and a detailed write-up of any special considerations.
- A bound, hard copy of the full audit report.
Here are a couple of quotes from the compliance manager:
“You seem to have summed up everything about the ‘school’, and everything we discussed, very aptly.”
“Thanks again to both of you for making the GDPR both interesting and seemingly achievable! We will be in touch.”
If you would like to know more about how GDPR Auditing can help your organisation with the GDPR please contact us at firstname.lastname@example.org or visit our contacts page.
The information provided in this post is for general information only and is not intended to provide legal advice.
© GDPR Auditing 2017.