GDPR Top Tips

 

Are your data processors (e.g. Schools’ Personnel Service) GDPR compliant?

This isn’t the legal definition, but these are things you may want to consider as part of your compliance under GDPR.

Here are a couple of questions you may want to ask them:

  • What information is being collected?
  • Who is collecting it?
  • How is it collected?
  • Why is it being collected?
  • How will it be used?
  • Who will it be shared with?
  • How long are they keeping your data for?
  • Are they protecting your data and how?
  • How often is the data backed up?
  • How is your data being cleansed?
  • What data processing services will be provided?

When do you need to seek consent?

The need for consent has been significantly strengthened under GDPR.

Previously you were allowed to rely on implicit or ‘opt-out’ consent in some circumstances; the GDPR now requires a very clear and specific statement of what the subject is consenting to.

Use this checklist provided by the ICO when seeking consent:

  • We have checked that consent is the most appropriate lawful basis for processing.
  • We ask people to positively opt in.
  • We don’t use pre-ticked boxes or any other type of default consent.
  • We use clear, plain language that is easy to understand.
  • We specify why we want the data and what we’re going to do with it.
  • We give individual (‘granular’) options to consent separately to different purposes and types of processing.
  • We name our organisation and any third-party controllers who will be relying on the consent.
  • We tell individuals they can withdraw their consent.
  • We ensure that individuals can refuse to consent without detriment.
  • We avoid making consent a precondition of a service.
  • If we offer online services directly to children, we only seek consent if we have age-verification measures (and parental-consent measures for younger children) in place.

Privacy Notice

“Being transparent by providing a privacy notice is an important part of fair processing. You can’t be fair if you are not being honest and open about who you are and what you are going to do with the personal data you collect.” – ICO

Have you ensured that your Privacy Notice is version controlled?

We have created a template privacy notice that is GDPR compliant; you can find it here in our free GDPR resources.