
B Squared Blog


Keeping schools updated on the latest news and ideas. Read about our approach to assessment, what we are doing and why...


Yes, yet another blog about GDPR

It seems that the whole country has gone GDPR crazy. It was the dominating topic at BETT at the beginning of the year with new companies popping up to help schools comply with what is a complex and sometimes “open to interpretation” document. Let’s face it though, it is not the first time schools have had to muddle their way through a document that can be read in different ways. There is a whole host of information out there on the General Data Protection Regulation (GDPR), with guidance on what companies should and should not be doing, mainly focusing on single aspects of this new regulation, but rarely covering the entire document and its implications. Some of this information has been contradictory or just plain wrong! If you haven’t already found it, the ICO website has some excellent guidance on what schools and companies should be doing to prepare for the GDPR.

What was B Squared’s approach to GDPR?

When I first made a start on our GDPR compliance work internally, it was really tempting to look at all the information that was out there. I realised pretty quickly that the infancy of the document (we looked at it early on) was creating confusion. In my experience, sometimes it is better to go to the source document itself and give it a good read through before seeking additional support. That is exactly what I did: I downloaded the document and spent some considerable time converting it into a usable Word document with properly formatted headings, to ease navigation, as each section sent me careering backwards and forwards through the document. Whilst it is certainly not Tolstoy, it is actually a very interesting read. It seeks to deal with some of the most common issues that exist in the 21st century that ever-increasing storage capabilities and technologies bring. We can all sit and roll our eyes when we hear the dreaded GDPR acronym, but it comes from a good place and successful implementation will make our data far safer.

So how has the GDPR affected us, you may ask?

Well, as I read through it, overall, I found myself nodding along, thinking “excellent, good idea, that’s what we do”, and only occasionally making notes about things that we need to change, which are mainly around the fact that as a small company, we do not have the level of auditing and documentation that larger companies rely on because of the inherent complexities that arise when the number of staff increases. But the GDPR is fair in its expectations; the requirements relate to the size of the business rather than pressing for a “one size fits all” approach when it comes to these auditing processes.

So how do we fare in light of the GDPR in relation to the processing services we offer? 

The answer is, quite well. As an already security-conscious company, I found that our own paranoia around security has fared well against these new requirements. What also helps tremendously is that our Managing Director Dale Pickles, who is also a techie at heart, understands very well the risks, which makes my job a lot easier as I don’t have to do the hard sell to him on the benefits of any particular strategy. In fact, Dale is always looking for safer and more secure ways of working with the products we sell. As a team, we work well in identifying risks early on and mitigating them before they become an issue, because our backgrounds, professional training and qualifications are all around provisioning networks and domains with the “path of least access” as a core principle.

What should schools be doing around the GDPR?

At this point, schools should be nearly done embedding the GDPR into all their practices, preparing for the May 25th deadline. Probably the most important document you need is your data flow map. The action of writing this document forces you to research, define and check every piece of data that goes in and out of your school and from this you can then assign the risk to the data involved. It is during this process that we should have popped up on your radar. Because we do some of the work for you and we hold and process your data, you need to check that we do things as well as you expect them to be done in your own school. The same can be said for every external system that you use.

What questions should you be asking of us?

We have put together a section on our support site which lists some commonly asked questions around our service to help schools ascertain our compliance. Being that there is no formal qualification or certification of GDPR compliance (yet), it is up to you to decide. Therefore transparency is important to us, and we are happy to give as much detail as is required as long as it doesn’t make our own security vulnerable (a key aspect of online security is obscuring your system as far as possible to deter attackers from launching system-specific attacks). You can find information surrounding our GDPR compliance here: https://support.connectingsteps.com/category/361-gdpr-information

What have we changed to be GDPR compliant?

We have distributed a contract addendum to all our customers for them to sign and return to ensure GDPR compliance for us and our schools. This brings the contract into line with the requirements under Article 28 specifically. From now on, we shall also include the relevant Article 6 clause within our email communications to help people understand how each communication is lawful and to generally be transparent in our approach.

Any questions?

I trust your school is well on the way to GDPR compliance. But if you have further questions for B Squared that are not answered there, please do email me at jon@bsquared.co.uk and I would be happy to respond.

