With the onset of GDPR [General Data Protection Regulation] in May 2018, data protection requirements for schools - indeed, most organisations - will become more stringent. Schools will become aware of the requirements if they are not already, because the responsibilities placed upon them relating to their data will be two-fold and include onerous tasks:
(i) as a data controller (where schools gather and maintain personal data), schools must comply with rules concerning consent, access, transferability and retention.
(ii) as a data processor [where schools hold data on their own servers] schools must ensure that high-level cyber security, physical hardware security, strict backup regimes, firewalls and auditing are in place. Data processors have responsibility for monitoring access to the physical equipment on which the data sits, and the route the data takes to be processed. A good way of doing this is to produce an access control policy, which clearly sets out the roles and rights of staff members, only allowing staff with sufficient rights the ability to access the system.
With regards to (ii), what can schools do? They can either remain a full data processor - with the burdensome responsibilities that come with that - or (a) outsource their IT to a cloud services company or (b) go down the hybrid route by outsourcing some of their IT to an IT services provider.
An example of (a) is a hosted desktop provider that is accredited under ISO 27001. As the international gold standard in information security management, ISO 27001 should be of help to accredited providers when they are putting policies and procedures in place to cover the requirements of a data processor under GDPR. However, one must note that although ISO 27001 might be a good indication of a provider's awareness of data protection issues, ISO 27001 and GDPR are two separate requirements.
Regarding (b), hybrid solutions - whereby an external IT company manages in-house equipment - can work, but in such instances one needs to be particularly careful to use a very reputable IT company. For a hybrid IT solution, using the wrong kind of support company may hinder rather than help, as the following scenarios show:
- the data storage is remote but the processing local [i.e. on the school’s own servers]. In this case, the school will still be considered a processor.
- the school employs an IT provider to manage the servers, but the servers are owned by the school. In this case the school will still have the responsibilities of a processor. The school is always the controller, however, when it comes to processing responsibilities, the burden of compliance will fall somewhere between the school and its IT provider. A school must ensure that it works very closely with its IT provider when setting out the GDPR processing responsibilities, because each party will require joint access policies, joint security policies and so on.
Using the cloud computing option can provide other advantages over a hybrid solution. For example, security tools previously only affordable by large organisations [public or private] become more affordable because the costs are shared among users of the provider’s secure data centre. The services include robust firewalls, enterprise quality antivirus and web filtering, optional encryption of sent emails and management of all access devices [smartphones/tablets/laptops/desktops or thin clients] used by staff and, in the case of schools, by pupils/students.
Outsourcing the storage, backups, security and processing of data to a provider that complies with strict data protection regulations will ease a school's processing responsibility. The bulk of a school's responsibility under GDPR's data processor requirements can be safely left in the hands of the professionals at the cloud computing provider. However, schools might still have a responsibility as a processor, through ensuring that paper or digital copies of data aren't left lying around and that staff are given adequate training and authorisation to manage the strict processes needed to comply with the new regulations.
To conclude, outsourcing the IT to the cloud will help meet GDPR compliance while greatly simplifying the GDPR management process. A hybrid solution can also become GDPR compliant, but schools must be extremely diligent as to which IT vendor they choose as a partner to ensure that nothing is falling between the proverbial cracks. ISO 27001 should be viewed as an essential accreditation in whichever route is taken - cloud services or IT vendor.