Page 13 - TASIS GDPR FAQs

DRAFT: TASIS GDPR FAQs
on the best solutions specific to us to reduce the risk of breach. This also demonstrates our serious intention to ensure data protection.
If there is a breach relating to data, presumably I will have to report it once this has been fully investigated?
No – the GDPR imposes a new mandatory breach reporting requirement and we will have to notify any possible breaches within 72 hours, whether the investigation is complete or not.
You must, however, report any suspected data breach within the School without delay, please refer to our Data Breach procedure.
Not all breaches will need to be further reported to the Supervisory Authority (ICO), subject to our rapid determination of severity and risk.
As long as I comply with the new regulation, if there is a deliberate breach by an employee the School will surely be okay?
No. For example, in a recent case involving Morrisons, they were held to be vicariously liable for the actions of a disgruntled employee who leaked the details of 100,000 employees. The case is under appeal but if the appeal fails, Morrisons could be at risk of a significant fine.
If you have any doubts or are unsure about what to do when you suspect a breach, then please report it to us immediately, so that we can make the necessary determinations and take the most appropriate actions.
How will personal data breach reporting work in practice?
Under GDPR the reporting of personal data breaches becomes a requirement where a breach is likely to result in a risk to the rights and freedoms of individuals. In some cases this will also mean that we have to inform the affected individuals. Refer to our Data Breach procedure for more information.
What changes are there to the way we handle Subject Access Requests (SAR)?
The biggest change is the removal of the subject access fee. We will also have less time to comply with a subject access request (30 calendar days versus 40). Please refer to our Data Protection Policy for further information about handling SARs.
The 15 school-day period to respond to educational records remains unchanged.
Do we need to carry out Data Protection Impact Assessments (DPIA) and what do they involve?
We have carried out a review of our existing processes and are acting accordingly. Going forward we must carry out DPIAs if our processing activities present high risks to the rights and freedoms of individuals. These assessments generally involve identifying and documenting privacy risks by