As a controller, your school is responsible for the security and processing of all personal data you collect. This responsibility extends to the data you share with any third parties such as your suppliers. If one of your suppliers falls foul of the GDPR and the data you shared with them is compromised, the data protection authority may come knocking on your door. Although this may seem a little onerous, there is clear guidance on how to responsibly protect the data you share and how to legally protect yourselves.
There are two broad aspects to successfully managing third parties in compliance with the GDPR:
- keeping a detailed record of third parties you share personal data with and what data you have shared with them;
- reviewing third party suitability and your agreements with them.
Keeping detailed records
Being able to produce a record of these third parties, your agreements with them and details of the data you have shared with them will help you keep in line with the GDPR. You will also be in a position to easily comply with any requests from the data protection authority or from data subjects.
ARTICLE 15 The data subject has a right to know the third parties (e.g. 'Robert the Photographer') or categories of third parties (e.g 'Photographers') with which the data has been shared.
ARTICLE 16, ARTICLE 17 If the data subject has requested the rectification or erasure of their data, you have an obligation to inform third parties, with whom you've shared data with about this request and for them to comply.
ARTICLE 18, similar to Article 17, the data subject has the right to restrict processing under certain conditions.
ARTICLE 19 makes it clear that The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed.
Review your agreements and supplier suitability
Updating all your agreements with third parties you share personal data with to ensure each agreement binds the supplier to the conditions you are bound to with your data subjects. Updating agreements in this way assumes the third party can comply with all aspects of the GDPR. You should however look for other evidence that the third party is capable of complying with the GDPR.
According to ARTICLE 28, you have a responsibility to use only processors providing sufficient guarantees to implement appropriate technical and organisational measures.
The EU hasn't yet specified a GDPR certification but there are recognised security and privacy standards like ISO27001 that will likely be sufficient indicators that the third party can adequately protect your data. You can also put together a survey for each supplier to find out if they comply with the privacy measures laid out in the GDPR. If you are still unsure, you can approach your local Data Protection Authority and ask them for guidance.
What next?
Start by putting together a list of all suppliers, institutions or other third parties you might share you student, staff or parent personal data with, even if it's an email contact list. Categorise them and describe what data you send and why. Record the group of data subjects you have shared. (for example, grade 3 students 2017).
Record any evidence that your suppliers are sufficiently geared to protect your data. If you create a survey, ask what data security and privacy safeguard they have in place and if they have any data security certifications they can produce. Large suppliers and institutes generally have a section on their website with these details.
Also record what lawful basis you are sharing the data under. For example, you may have collected consent, as the lawful basis, for student annual photographs. You might use a school management system (like Myschool) stipulated in your contractual agreements with parents. In this case the lawful basis is 'necessary for the performance of a contract'.
Finally, record an expiry date after which the data should be deleted or returned. The third party you shared the data with should delete or return the data on the date you specify. They might do this on your instruction or on a pre-defined date.