9. Data Protection by Design and Default

Template documentation is included in the full GDPR pack for those who choose to purchase it.

As a school, we have assumed that you don’t develop your own IT systems. Data protection by design and default is all about how systems are developed and about making sure that this is done in a way that is consistent with the principles of GDPR. However, there are three things the school can do that will cover this off:

  • Ask IT suppliers to fill out a questionnaire that gives you some confidence that data protection by design and default was considered when the product was being developed. We have a questionnaire included for you in the SchoolsGDPR pack.
  • Where you are asked to specify what you want an IT system to do, challenge whether what you would like is consistent with all the other aspects of GDPR.
  • Once the system is in place, make sure that it is maintained. One of the biggest sources of data breaches is where systems are known to be vulnerable and fixes or patches are available, but these are not applied.

In addition to data protection by design and default, you also need to complete Data Protection Impact Assessments when you are making significant changes that impact the reasons, lawful basis or environment in which you are processing data.

It should be rare for you to need to complete your own DPIA. If there is a big change to the education system, it would be down to the local authorities or central government to complete the DPIA and you could rely on it. Also, the GDPR allows for the ICO to provide a list of types of processing or operations that do not need a DPIA. This isn’t published yet, but we are hopeful that it will help schools when it is.

We have included in the SchoolsGDPR pack a decision tree to enable you to decide if you need a DPIA, and also guidance and templates to help you complete these if needed.

To achieve all of the above, the ICO recommends that you consult with children as appropriate when designing processes.
