Quick Quiz

How good is your data protection policy now?

Take our 30 second test and generate a report that will give you an overview of some of the actions you need to take to improve your data security policies:

Do you have a security and data protection policy?

Are you aware of the significant changes to data protection laws in the UK under the General Data Protection Regulation from May 2018?

Do you have a Data Protection Officer (DPO), a training programme and regular reviews?

Have you audited the personal data you store? Do you know what personal data you hold, where it is, why you hold it, who has access to it, and who you share it with?

Do all users receive regular security and data protection training including the benefits of data protection impact assessment?

If you need to rely on consent as the legal basis for processing, have you considered the lawful basis for each processing activity (including collection of) personal data, including data sharing with 3rd parties?

Have you established a record of consent and taken steps to ensure that, where relevant, consent is obtained directly from the child with effect from May 2018?

Are you using a correct and up-to-date privacy notice to inform data subjects of their rights?

Do you have a clear procedure for responding to a data security incident?

Do you have an asset register and are all devices that are used to process personal data securely configured?

Do you have active filtering, a monitoring system, anti-virus and anti-malware protection?

Do you have an up-to-date "best practice" password policy and do you enforce your password policy?

Do you encrypt mobile devices?

Do your remote or home-working policies make provisions to protect personal data?

Your Quickstart Report

From your quickstart questions, your actions to become more secure are:
Question | Your Response | How can 360data Help?
Do you have a security and data protection policy?
Yes - Well done. Make sure it is well communicated to your employees including any temporary staff or supply teachers. 
No - You should adopt a data protection policy and then communicate it clearly to your employees including any temporary staff or supply teachers.
Template policies written by Charles Russell Speechlys LLP, a leading data protection law firm, are included in the tool.
Are you aware of the significant changes to data protection laws in the UK under the General Data Protection Regulation from May 2018?
Yes - Good news! What actions have you undertaken since you found out? Have you audited your data storage locations and informed all of your staff about the changes?
No - This is the most important shake-up of data protection laws across Europe since 1998. Our tool can help you get to grips with the important changes.
Our tool has been written by experts and reviewed by a wide range of experienced professionals in the education technology field and by legal experts. We’ll guide you through data protection and help your organisation become better at processing data.
Do you have a Data Protection Officer (DPO), a training programme and regular reviews?
Yes - It’s good to have an existing DPO; they’ll know your systems. But have you ensured that your current DPO is up to speed with the GDPR and has ‘expert knowledge of data protection law and practices’?
No - A DPO is now a requirement for all public bodies under the new legislation. This guide might help you. Essentially your DPO must fulfil a range of criteria that means in many organisations it will have to be a new role. This requirement will depend on the organisation, but a DPO is considered good practice.
360data helps you to understand how the DPO role fits into your organisation and provides a legally prepared Roles and Responsibilities document template.
Have you audited the personal data you store? Do you know what personal data you hold, where it is, why you hold it, who has access to it, and who you share it with?
Yes - You need to ensure that you know where your data is at all times. Be mindful that you should be cautious when transferring data, including via the cloud, to countries outside the European Economic Area (EEA).
No - An audit or data map is a great way to find out where your data is, what is there and who should use it. Be sure to include manual files, portable devices (memory sticks/drives) and the cloud.
Be mindful that you should be cautious when transferring data, including via the cloud, to countries outside the European Economic Area (EEA).
GDPR in Schools offer a data mapping service.
Get clear advice from 360data about what you should do and access preferential rates on encryption services from Sophos.
Do all users receive regular security and data protection training including the benefits of data protection impact assessment?
Yes - Great work, this is potentially aspirational practice but will certainly assist you with your accountability obligations.
No - It is important that users receive training; they are the frontline in protecting your data. Data Protection Impact Assessments are now a statutory requirement and help you to understand what the risks are for the personal data when you start doing something new with it.
We provide clear guidance on what training staff need and have negotiated preferential rates for online training with DeltaNet.
If you need to rely on consent as the legal basis for processing, have you considered the lawful basis for each processing activity (including collection of) personal data, including data sharing with 3rd parties?
Yes - This is a tricky area to get right; it’s worth getting some legal advice here. When it comes to 3rd parties, have you considered all that your organisation uses? Messaging, payments, catering: the list could be very long.
No - Understanding the rights of the data subject and controller in processing data is a key shift in the new expectations. There are reasons that you need to collect data, but that doesn’t mean you can then process it in any way you like. Legal advice can help you understand and identify your legal basis for processing data.
360data includes guidance, support and advice about "consent" and the other lawful bases for processing, including "performance of a contract", "legal obligation", and "legitimate interests".
Have you established a record of consent and taken steps to ensure that, where relevant, consent is obtained directly from the child with effect from May 2018?
Yes - Consent is a key area of change in the new data protection laws. You’ve done well. Have you ensured that you have recorded consent in an auditable system? If the children are under 13, have you obtained appropriate parental consent?
No - Consent is a key area of change in the new data protection laws. How you seek, record and manage consent is now more important than before. Have you reviewed your systems for recording consent and ensured that they are auditable?
360data helps you to understand the importance of consent and guides you through the steps to take to improve and manage how you gain consent. It's important to remember that you need to have parental consent in order to process the personal data of any child under the age of 13.
Are you using a correct and up-to-date privacy notice to inform data subjects of their rights?
Yes - This is great work; being able to openly, transparently and clearly communicate your data processing with your data subjects of all ages is a great success. Have you ensured that you’ve written them in clear, age-appropriate language?
No - Being able to openly, transparently and clearly communicate your data processing with your data subjects of all ages is a key requirement of the new legislation. Consider how you communicate these in clear language, especially to children under 13.
A privacy notice is a key document to ensure that you comply with your data subjects’ right to be informed. 360data helps you to make the right choices.
Do you have a clear procedure for responding to a data security incident?
Yes - Well done. Have you tested your procedure to check it works?
No - How will you handle a situation if it occurs? Advance planning can streamline your response, making you look professional and well-organised.
“Failing to plan is planning to fail.”
360data will help you ensure that these procedures cover all staff and volunteers.
Do you have an asset register and are all devices that are used to process personal data securely configured?
Yes - Great work, your devices are registered. Have you tested your policies and practices with a scenario?
No - Knowing how many devices you own and their serial numbers will help in the event of theft or loss. Securely protecting the devices will help protect against data loss.
Clear guidance on why you should and how you could track and secure your assets. Access to preferential rates for Sophos products.
Do you have active filtering, a monitoring system, anti-virus and anti-malware protection?
Yes - Well done, all of these create an environment that protects your data. It is important to remind staff on a regular basis of good online practices as individual error is still your biggest risk.
No - Implementing this suite of protection services will help to ensure you stay in control of and protect your data and devices.
Our guidance provides a maturity model to help you ensure you are protecting all aspects of data protection. Our unique relationship with Commisium can help provide peace of mind by testing your systems to check your protection.
Do you have an up-to-date "best practice" password policy and do you enforce your password policy?
Yes - Excellent work. Strong passwords and a forced minimum length really help protect access.
No - A clear and enforced password policy is a straightforward way to protect access to data and systems.
Our guidance provides a maturity model for infrastructure, which includes considerations for how you could implement a password policy effectively.
Do you encrypt mobile devices?
Yes - Well done. The personal data on it should remain safe, even if the device gets lost or stolen.
If you allow staff to use their own devices, do you have specific policies about how school data must be held?
No - You will need to secure personal data on mobile devices. The ICO has the powers to impose fines for personal data breaches. The upcoming new UK data protection laws from May 2018 are set to strengthen these powers.
360data will help identify what devices you should encrypt and to what extent. Our preferential rates with Sophos can help you implement and manage encryption easily.
Do your remote or home-working policies make provisions to protect personal data?
Yes - Well done. Have you verified that this covers all possible usage scenarios?
No - One of the safest places for your data is in carefully designed, secure, on-site storage. But remote access provides a way in for hackers; is yours secure? If employees take devices home, do they understand what is acceptable behaviour?
Our guidance in 360data will support you in developing a robust and secure system to protect your data.

The full tool offers a more in-depth analysis of your data security policies, and allows you to keep notes and track your progress as you implement the actions recommended by the tool.
