GDPR and third party sites

The new GDPR regulations coming into force in May 2018 mean that the potential fines associated with data breaches or other leaks will be greater than those that exist under the current data protection act.

The new regulations also finally make third party vendors liable where their action or inaction result in the release or leak of data which they are processing on your behalf.   This seems like a good thing in that if you use a third party and through no error of your own their use leads to the leak of data, they will be held responsible.

The issue here though is that the above is only part of the story.     Although the third party vendor may be responsible for the breach it would have been your responsibility to confirm their compliance with GDPR and their security and other measures in relation to data prior to commissioning them to handle your data.       Even although the breach or leak may have been due to the action or inaction of a third party you are going to have to prove that you showed due diligence in checking out the third party and its operations prior to signing them up to process, store or otherwise use your data.   If you didn’t then you too may be found to be liable and therefore receive what could be a significant fine.

As schools a large number of third party sites are used in the delivery of the educational experience we provide the students under our care.    This might be specific maths or science websites with sample questions or learning materials, or it might be more generic services such as Showbie or G-suite.   In each case you will be providing personal info on your students, with some sites requiring more data than others.    In each case you will need to prove that you undertake at least a basic review of the provision offered in relation to data safety and security by each site or service.

With this in mind the key questions I see the need to ask a third party are:

  • Do you share my data or allow others to access my data?  If so, with who and why?
  • What security do you have in place (physical and logical) to protect my data?
  • What disaster recovery and backup process do you have in place?
  • How long do you retain data and what happens to data should I quit your service?
  • Do I have the right to audit or request the audit of your data security provision?

As we approach the May implementation date for GDPR we need to ensure we have a better handle of where school data, that of students, staff, parents, visitors and other stakeholders, is stored.    Part of this will involve identifying all third party vendors and asking them regarding their preparedness for GDPR.

 

Advertisements

Author: garyhenderson2014

Gary Henderson is currently the Director of IT in an Independent school in the UK. Prior to this he worked as the Head of Learning Technologies working with public and private schools across the Middle East. This includes leading the planning and development of IT within a number of new schools opening in the UAE. As a trained teacher with over 15 years working in education his experience includes UK state secondary schools, further education and higher education, as well as experience of various international schools teaching various curricula. This has led him to present at a number of educational conferences in the Middle East. In addition Gary is a Google and Microsoft Certified Educator.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s