GDPR and third party sites

The new GDPR rules coming into force on 25 May 2018 mean that the potential fines for a data breach or other leak will be far greater than those available under the current Data Protection Act: the upper tier is up to €20 million or 4% of annual worldwide turnover, whichever is higher.

The new regulation also, finally, places direct obligations on third party vendors (processors, in GDPR terms) and makes them liable where their action or inaction results in the release or leak of data they are processing on your behalf. This seems like a good thing: if you use a third party and, through no error of your own, their handling of the data leads to a leak, they can be held responsible.

The issue is that this is only part of the story. The school remains the data controller, and although the third party vendor may be responsible for the breach, it was your responsibility to confirm their compliance with GDPR and their security and other measures in relation to data before commissioning them to handle it. GDPR only permits a controller to use processors that provide sufficient guarantees, and it requires a written contract setting out what the processor may do with the data. So even though the breach or leak may have been due to the action or inaction of a third party, you will have to show that you exercised due diligence in checking out that third party and its operations before signing them up to process, store or otherwise use your data. If you did not, you too may be found liable and receive what could be a significant fine.

As schools we use a large number of third party sites in delivering the educational experience we provide to the students in our care. These might be specific maths or science websites with sample questions or learning materials, or more generic services such as Showbie or G Suite. In each case you will be providing personal information about your students, with some sites requiring more data than others, and in each case you will need to be able to show that you undertook at least a basic review of the data safety and security provision offered by each site or service.

With this in mind, the key questions I see the need to ask a third party are:

  • Do you share my data or allow others (including sub-processors you use) to access it? If so, with whom and why?
  • Where is my data stored and processed, and is any of it transferred outside the EU?
  • What security do you have in place (physical and logical) to protect my data, for example encryption in transit and at rest, access controls and staff vetting?
  • What disaster recovery and backup processes do you have in place?
  • If you suffer a breach affecting my data, how and how quickly will you tell me? (As controller, you have 72 hours to notify the supervisory authority, so the vendor's notice needs to reach you well inside that.)
  • How long do you retain data, and what happens to it should I leave your service?
  • Do I have the right to audit, or to request an independent audit of, your data security provision?

As we approach the May implementation date for GDPR we need to get a better handle on where school data, that of students, staff, parents, visitors and other stakeholders, is stored. Part of this will involve identifying all third party vendors and asking them about their preparedness for GDPR, and recording both their answers and our own assessment of them so that the due diligence can be evidenced later.