Understanding GDPR and the cloud in schools


InVentry is the number one sign in and visitor management solution in the UK. It is trusted by more than 4,000 establishments across education and business.

Website: www.inventry.co.uk Email This email address is being protected from spambots. You need JavaScript enabled to view it.
Image credit: Flickr // martin louis. Image credit: Flickr // martin louis.

The new General Data Protection Regulations (GDPR) that are coming into force this May are a very hot topic in edtech right now. There is still a lot of confusion around what schools need to do to be prepared for these changes.

One of the biggest concerns seem to be over the storage and processing of personal data in the cloud, as this presents the biggest challenges around “where is it?”, “who can see it?”, and “is it safe?”

The GDPR replaces the existing Data Protection Act. Under current legislation you already should ensure that data is kept safe and secure. With the GDPR coming into effect, you’ll have an increased responsibility to ensure this information - regardless of where it is kept - is managed in the right way.

Non-compliance could result in significant fines being imposed from the Information Commissioner's Office (ICO). Such an issue could have an impact on the reputation of the school and potential safeguarding concerns, if the correct policies and procedures aren’t in place.

With any data you store on-site, it’s up to you ensure you encrypt, store, process and destroy it in the correct manner in accordance with the new GDPR. For instance, an InVentry sign-in system is encrypted at a database level using 256-bit encryption - which means that even if the hard drive was stolen, without the key to unencrypt it, the data would be unobtainable.

There is a big concern that the cloud isn’t secure, and that you can’t store personal information as you lose control over ownership. This is not true. These huge data centers are protected by state-of-the-art security. You could argue that the cloud is safer than keeping data on your own premises, as it is even harder to locate and access the physical system that holds your information. There are regulations, though. Cloud-based systems are still okay with GDPR, as long as the server location meets the requirements and it has appropriate security, such as firewalls.

If you are working with companies and providers who are processing data in the cloud, it is up to you to ensure that they are taking the correct steps to keep it safe. There are two key questions that you need to be asking:

1. Is the data stored within the European Economic Area with adequate safeguards?
2. If not, does the company either have binding corporate rules, and can they demonstrate that they are processing the data in compliance with agreed standards, such as the EU/US Privacy Shield?

It is important that you understand which countries are involved, and whether they provide the right level of data protection framework for your data. Data subjects should know where their data is being processed so they can make an informed decision about it, and trust the organisation and digital platforms that back on to cloud.

For more information on InVentry, visit www.inventry.co.uk or contact info@inventry.co.uk.

Want to receive cutting-edge insights from leading educators each week? Sign up to our Community Update and be part of the action!

Read More

Sign up to our newsletter

Get the best of Innovate My School, straight to your inbox.

What are you interested in?

By signing up you agree to our Terms & Conditions and Privacy Policy.

1,300+ guest writers.
ideas & stories. 
Share yours.

Read our editorial calendar 

In order to make our website better for you, we use cookies!

Some firefox users may experience missing content, to fix this, click the shield in the top left and "disable tracking protection"