As you work your way through the school data audit process, mapping your data flow becomes a key element of establishing exactly where your school currently sits ahead of the GDPR deadline. There’s a lot to unpack at first, but it is always worth remembering that having a full understanding of your data flows with strong policies in place to protect it will make life much easier in the long run – GDPR or not!
A data map is fairly a simple concept. Essentially, you sit down and work out the full life cycle of your data from the time you collect it right through to when you eventually destroy it. Along the way, you need to establish exactly:
- How the data enters your school
- Who has access to it
- Where it is held
- How long it is held for
- Whether it is transferred to or from third parties
As the name ‘data mapping’ suggests, as you go through this information you can literally ‘map’ it out on in a spreadsheet or document and start giving yourself a feel for where everything is and where it is going. What sort of data? The video below is the perfect starting point for recognising the wide range of information that comes into your school, where it comes from and where it goes.
Once you have the data mapped, you can start tagging it with key information such as the legal grounds for collection, sensitivity ratings, whether or not the data is shared and where the data is physically located. The map will start to show clear patterns in the data flow of your school and give you a much better overview of any gaps in compliance. Having all of this information written down is in itself a form of compliance – if the DPO questions your processes, a data map will go a long way to showing that you’ve properly thought through the data security process.
Where to begin - templates and guidance
If you’re still unsure on where to start with your data maps, The Department for Education’s Data Protection Toolkit for Schools has a wide range of templates, case studies and videos to help you get started. It also includes examples of ways you may be able to justify the data you keep, which is a legal requirement under the new rules.
The DfE guidance is the perfect companion to our own GDPR for Schools ebook which thoroughly explains the background and justification for the new rules, along with the 12 steps you need to follow to be GDPR compliant.
GDPRiS
GDPRiS has comprehensive data maps for over 500 educational suppliers, with more coming in each week. This information has been produced in line with ICO guidelines and the forthcoming DfE GDPR toolkit and will go a long way to cutting numerous hours out of your GDPR compliance process.