How to prepare for GDPR

New regulations are moving in quickly and will be in place from 25th May. GDPR can be complicated, but it doesn’t need to worry you. Preparation is very important, so if your establishment hasn’t begun its planning yet – make a start today. Here we discuss how you can prepare your establishment for the changes…

1. Dedicate time to prepare for GDPR
It could be a large project that depends on many factors, so give it the time it deserves.

2. Create applicable checklists
Research GDPR and its rules thoroughly, then make a checklist that applies to your establishment and work through it methodically.

3. Create a reference log of all the new policies and procedures
Keep a master list of all the new rules attached to your GDPR project. Staff will need a consistent set to refer to as they work through the checklist.

4. Make sure you find and secure critical data
Make sure you have the tools needed to find out where your establishment’s most important data is stored, then take measures to secure it.

5. Find a data protection officer
Somebody needs to take this role, at least for the transition period as GDPR comes in. Get buy-in from the SLT and governors to make sure this is taken care of. The whole process will be a lot simpler when you have a single point of contact.

6. Create staff GDPR champions
Get buy-in from staff too. Try to find some go-to members who can answer any questions on GDPR and share the responsibility. This team can be put in place by your data protection officer.

7. Find ALL files that contain personal data
Immediately. This includes paper and digital forms of data. Store it and compile it in order so you know where it can be accessed. It will be easier to decide policies for data storage on the back of this early organisation. A software/IT audit may be useful to identify any non-standard apps or programmes being used across the establishment.

8. Plan the project
You may need technical or IT assistance for this, i.e. systems to manage consent/data or even security systems for identifying data breaches. Make sure they are fully on board with the GDPR changes at the early stages, then document a project plan and give it visibility.

9. Plan for procedure
There will be new procedures required under GDPR. Create them in detail and implement new strategies for dealing with them. Try to think of as many “what if?” scenarios as possible, then come up with procedures on the back of them, e.g. “what if a USB stick is left in an unattended computer?” or “what if a parent calls in asking about the data we hold on their child?”

10. Keep comprehensive data trail evidence
Make sure this covers everything, so you can provide a detailed record of compliance activity surrounding your data.

11. Get advice
Ask other schools, consult the GDPR website or the Information Commissioner’s Office. If you’re unsure of anything surrounding GDPR then seek help and don’t sit on it! Post questions on social media, as there will be plenty of discussion surrounding the topic.

12. Hold regular GDPR meetings
Outline your staff’s roles in relation to GDPR and how it affects everyone involved. Always keep up with training, as it will be a constantly moving piece that will not go away!

Keep on top of it once you’ve started your GDPR journey…
As GDPR requirements will be ongoing, it makes sense for schools to learn to be largely self-sufficient. Speaking to organisations that provide tools to allow them to do this will mean the process can be much more sustainable for you in the future.

If you need any advice on how GDPR will affect your establishment, you can find out more from the Information Commissioner’s Office.