Securing Students’ Data

  • Background
    Changing Education, a work placement and career specialist working with national and international educators, holds data on thousands of school pupils and placement providers. The Cheshire-based company’s popular web-based platform and app enable educators, students, and employers to effectively log, track, manage, evaluate and communicate all work-based learning and wider careers interactions, which increase participants’ chances of developing fulfilling and rewarding careers.
  • Client: Changing Education
  • Category: IASME

The need

Determined to reassure potential clients that Changing Education’s commitment to the General Data Protection Regulation (GDPR) remains undiminished, Changing Education’s Co-founder, Stephen Hackney, turned to the IASME Governance certification for help.

The challenge

Working with the public sector involves a high level of scrutiny and expectation, especially where younger people are involved. It’s paramount that suppliers like Changing Education are fully compliant with regulations including the UK Data Protection Act (DPA) and GDPR. Such businesses have found that new tenders have become increasingly time-consuming and costly to complete as public sector organisations seek to protect the integrity of their supply chains and safeguard their reputations.

After receiving a number of complex spreadsheets designed to verify Changing Education’s GDPR compliance and cyber security measures, Stephen was keen to identify a faster and easier way of proving to potential clients that their data would be safe in Changing Education’s hands.

Finding a solution

Following a recommendation by North Kent College, one of Changing Education’s clients, Stephen contacted us for help. Our MD, Helen, reviewed recent supplier questionnaires and quickly established that IASME Governance certification (see box right) would provide Changing Education’s clients with the reassurance they needed. Not only would the certification drive GDPR compliance, but it would also protect the business against common cyber security threats, shortcut the tendering process – helping to cover its own costs – and give the firm a competitive advantage. 

Working in partnership

It was decided that the certification project would be carried out over the summer, Changing Education’s quietest period. However, the coronavirus had other ideas. With members of his team out of the business, the amount of time that Stephen could personally allocate to the project was reduced. He explains, “With staff on furlough, we were covering our colleagues’ jobs. I knew I hadn’t got time to go through long-winded emails to achieve certification. We also needed help completing two lengthy supplier questionnaires for new contracts. With everything up in the air as a result of COVID-19, it was critical that we won this new business.”

Fortunately for Stephen, Helen knew exactly how to lighten the load, having been through the IASME Governance certification process for Risk Evolves itself as well as clients. As well as completing the supplier questionnaires, she put together a bespoke package of support which freed up Stephen’s time to concentrate on the business. Firstly, we completed the data mapping process and then liaised with the firm’s HR partner to revise the Information Security and Privacy Policy before updating the Privacy Notice on Changing Education’s website. Our skills in data gathering helped to ensure that the IASME submission would clearly communicate key information. For example, whilst creating the business continuity plan, we explored with Stephen what would happen if the offices burned down.

“What Helen gave me to do was clear, concise and not overly time-consuming. It wasn’t an onerous process. We followed her template, flow chart and development model over a six-week period.”

IASME Governance: a catalyst for improvement

Although Stephen was sure that the business already met the requirements of the self-assessed IASME certification, he was keen to identify other potential improvements that would further minimise the risk of data loss or cyber breach. He explains, “We wanted to use the certification process as a catalyst not just an audit. Although we already provided GDPR training, we invited all employees – including those on furlough – to attend a new online training session which reinforced key elements of GDPR and cyber security and complemented their existing knowledge. Risk Evolves used real-life cases to bring the subject to life and took pains to ensure that staff understand how legislation and current cyber threats are relevant to them.”

As a result of their learning, staff are able to proactively protect the business against risks and reputational damage. Project Manager, Craig Blount, was one of the furloughed staff who was surprised to find the remote training session absorbing. He later commented, “The GDPR training I received before I returned to work enabled me to understand the requirements in more detail and gave me confidence in our own internal policies and protocols.”

Winning on all counts

Despite the challenges of coronavirus, Risk Evolves has delivered the project remotely to great success. In early 2021, Changing Education secured IASME and Cyber Essentials certifications at the first attempt. These will enhance its credibility and make completing future tenders far less onerous. In the meantime, the team is busy delivering the two new contracts that Helen helped win.

Future plans

Keen to continue momentum, Stephen has already discussed potential next steps with Helen. He comments, “As we expand, we believe it is crucial to enrich our processes, practices and reputation among our peers (who are not IASME certified). We’ll consider implementing ISO27001, the Information Security Management Standard, when Helen and I feel the time is right.”

IASME Governance provides compliance with approximately 80% of ISO27001 so we’re sure that the transition will be a smooth one.

“The internal audit and IASME application has been a positive experience for The Changing Education Group… made possible by the high quality support and guidance offered by the Risk Evolves team.”

Introducing IASME Governance

IASME Governance certification is designed to help UK SMEs protect their businesses against cyber threats and data loss. Starting at just £400, plus our consultancy fees, it’s a cost-effective alternative to ISO27001. IASME certification includes Cyber Essentials certification and a GDPR compliance assessment.

Minimising risks

Changing Education’s users include young people with health, education and learning needs, but the company is careful to only retain the data that an employer needs to know. This lessens the risk of a catastrophic data leak involving vulnerable users. It’s good practice to audit your data regularly and ‘declutter’ what you don’t need.

Strengthening your frontline defence

Your people are your frontline defence against cyber criminals. Think of them as a human firewall and ensure they have regular updates in the form of training. You can find helpful links to free cyber security training in our free resources PDF. Alternatively, contact us for bespoke cyber security and GDPR training.

Helping clients understand your certifications

IASME certification is growing in popularity but to ensure procurement teams and existing clients fully understand its benefits, we’ve helped Changing Education put together a FAQ.