.png)
Unpacking Personal Data under the GDPR
The GDPR defines personal data as: "... any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;" Article 5 Principles relating to processing of personal data To be clear, the 'data' element of 'personal data' refers to recorded information that is, or is intended, to be stored and processed electronically as part of a filing system.
The GDPR and school suppliers
As a controller, your school is responsible for the security and processing of all personal data you collect. This responsibility extends to the data you share with any third parties such as your suppliers. If one of your suppliers falls foul of the GDPR and the data you shared with them is compromised, the data protection authority may come knocking on your door. Although this may seem a little onerous, there is clear guidance on how to responsibly protect the data you share and how to legally protect yourselves.