ICO 12 Steps
1 - Awareness
You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.
Classlist’s short guide can be used with your Committee Members, Class Reps and any others who handle personal data.
2 - Information you hold
You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.
Most PTAs hold parent contact details supplied directly by the parents so that the PTA can communicate with them, which is fine. If you pass this data in electronic format to any other organisation, which is quite likely (for example to organise events), please see the section on data processors below.
3 - Communicating privacy information
You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
Classlist provides a Privacy Notice for use by PTAs with whom we work. This has been fully reviewed by a leading UK law firm, who confirm it complies with the relevant GDPR requirements.
4 - Individuals' rights
You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
5 - Subject access requests
You should update your procedures and plan how you will handle requests within the new timescales (normally one month under the GDPR) and provide any additional information.
Where Classlist acts as your data processor we enable you to satisfy any subject access requests which you may receive. We can also enable you to meet the requirements of the new right to erasure (the "Right to be Forgotten").
6 - Lawful basis for processing personal data
You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
Classlist has taken legal advice on this, and the lawful basis for processing is clearly set out in the Privacy Notice which we provide.
7 - Consent
You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don't meet the GDPR standard.
If the personal data you use has been supplied as described at Step 2 above, and has been used regularly and recently for contacting parents, a refresh may not be required. Classlist's sign-up procedure obtains the new consents which are needed and records them. We also provide a notice for you to circulate in advance of the launch of the Classlist system.
8 - Children
It is unlikely that you currently process very much child data. Classlist requires each parent to enter their children's names and may verify these, but it does not allow any child access to the system and does not record child ages. Children aged 13 or over have new rights regarding their data (under the UK rules they can give their own consent to online services), which parents should be aware of; these rights are highlighted in our registration process.
9 - Data breaches
You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
The requirements here are onerous: a breach that is likely to result in a risk to individuals must be reported to the ICO within 72 hours of your becoming aware of it, and a processor must tell the controller about any breach without undue delay. Where Classlist acts as your data processor we have procedures in place to help you comply.
10 - Data Protection by Design and Data Protection Impact Assessments
You should familiarise yourself now with the ICO's code of practice on Privacy Impact Assessments (called Data Protection Impact Assessments, or DPIAs, under the GDPR) as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation.
Classlist can arrange training in Privacy Impact Assessments if required. Classlist's system has been designed around the privacy-by-design principles laid out by the ICO.
11 - Data Protection Officers
You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation's structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer.
12 - International
If your organisation operates in more than one EU member state (i.e. you carry out cross-border processing), you should determine your lead data protection supervisory authority. The Article 29 Working Party guidelines will help you do this.