At Data Protection Education, we are carrying out an ongoing project on assessing potential organisations that our schools are either currently contracted with to supply a product or service, or may in the future be in contract with.
This project involves us asking them to fill out a questionnaire which details some basic information about the organisations, as well as the types of data they process, how it is stored and the security measures they implement to protect that data. All of this is to ascertain whether or not they are GDPR compliant which, if you are a data controller, is your responsibility to ensure is the case when sending any organisation personal data that they will process.
It’s important to understand the differences between a Data Controller and a Data Processor. If your school decides the manner and purpose of how personal data is collected and used under the UK GDPR, then you are a Data Controller. In contrast, any organisation or individual that processes data on behalf of a data controller, then they are a Data Processor. For schools, a data processor is a third party supplier with access to your schools’ personal data- for example IT providers, caterers, cleaners, teaching and learning portals and outsourced payroll providers. Therefore as a school, when you are contracting with a supplier, it is your responsibility to ensure that when they are processing personal data on your behalf, they are doing so in line with GDPR.
As it is the Data Controller’s responsibility to ensure that the suppliers they send personal data to is being processed in accordance with UK GDPR, as a school you may face potential claims for compensation from affected parties should you contract with a data processor who does not comply with the GDPR. Your school could also face enforcement action and potential fines from the ICO. It is therefore important that you undertake the necessary checks when in the process of contracting with suppliers.
As a data controller, the GDPR places an obligation on your school to only use data processors (suppliers) who can provide you with sufficient guarantees that they have appropriate technical and organisational security measures in place that meet the requirements of the GDPR. In addition to this, you are also required to put in place a service level agreement/ written contract with all of your data processors. These agreements/contracts should fulfil certain requirements set out in the GDPR.
Taking all of the above into account, if you are looking to engage with a new third-party supplier, we would recommend that you take the following steps:
- Ask the supplier to complete a GDPR Due Diligence Questionnaire so that the School’s DPO can assess the supplier’s level of GDPR compliance. You can find this Questionnaire here- document Supplier Due Diligence Form (51 KB)
- Review the terms of your proposed contract / SLA to see whether it contains clauses which cover off those as required by the GDPR. If it doesn’t you will have to request that the supplier amend the contract / agreement so that it complies with the GDPR.