Anyone who dreams of a paperless society would probably weep if they saw the behind-the-scenes records of the average school or college. The implementation of GDPR earlier this year highlighted the struggles faced by schools, which need to ensure a high level of data security while staying within their (often tight) budgets. Even though GDPR has raised the bar on data security, the good news is that GDPR compliance can normally be achieved without too much effort or expense. Here is some advice to help you on your way.
Clear out the old properly
The average school or college tends to be a place where people have an awful lot to do and very little time or money with which to do it. Therefore it’s entirely understandable that people let irrelevant “stuff” accumulate. Unfortunately, that “stuff” can be a security hazard, even if it doesn’t seem that way.
Old computers, stuck into cupboards as spares or for parts, will probably still have their hard drives. Do you know what’s on them? Unless you are sure that they are clean of all personal data, it’s time to get rid of them (or at least the hard drives), and you can’t just dump them into regular waste. Leaving aside environmental concerns, you cannot risk a hard drive being recovered and read (however unlikely that may seem). You need to use a proper shredding service.
Similar comments apply to other IT equipment. Unless you are 100% sure that it has never contained any personal data which could be accessed by an IT-literate person, you need to hand it over to a university document shredding company.
Last but by no means least, if you still have piles of old paperwork waiting to be dealt with, then it’s time to deal with it. Your priority should be student records, staff records and financial records. Even though it can be difficult to decide how long some records need to be kept, the decision does have to be taken (and the result of it could be a whole lot of extra storage space for your school or college). Once you have identified what needs to go, handing it over for professional document shredding not only saves you (and your staff) a job, it ensures that the job is done properly and gives you a record of its having been done.
Undertake regular data cleansing to keep up the good work
Spectacular transformations can make for great TV, but in reality, they’re usually massively disruptive (even if in a good way), hence tackling tasks “little and often” is generally much to be preferred. The keys to successful GDPR implementation are as follows:
- Collect only what you need
- Keep it only for as long as you need it
- Know where it is kept
- Know who has access to it
- Have a process for deleting it completely when it is no longer needed
Unfortunately for schools and colleges, they often have a legitimate need to collect a substantial quantity of personal data, which is why the last three points are so important. Points three and four are generally a matter for school/college staff, but it is usually best to have experts manage the disposal of expired data.