In most instances suppliers will be the processor. You must take instruction from the controller, ie the school

Your privacy document is a key asset to demonstrate your commitment to the GDPR principles. It should clearly explain how, where, what and for how long you process personal data. It should also explain complaints procedure in the event that there is a dispute in the way you process data. If you are a processor do you have a Privacy Notice to help Schools include this Processing in their Privacy Documentation

It is important that you are seen to be transparent and make agreements and policies available for inspection

This is asking suppliers to share their qualifications which demonstrate their competence. It is important for you to demonstrate  your commitment to data security by gaining recognised certifications

All organisations which handle personal data must say how long they store personal data. If you are a processor the controller should tell you how long this should be. If you are the controller or joint controller you should only keep data as long as it is needed

If you are the processor you must  delete data on request of the controller. The data subject cannot ask you to do this in case the controller has a legitimate reason to keep it.

All organisations which handle personal data must say how long they store personal data. If you are a processor the controller should tell you how long this should be. If you are the controller or joint controller you should only keep data as long as it is needed

Purging stale data is a key responsibility. Where data is held and processed by any organisation, it must ensure that processes and fail-safes are in place to purge data that is no longer needed

This should be included in your Privacy Statement for records for which you are the data controller

These are special category data defined within the GDPR.
It is important that you recognise that you are processing special category data and you publish what steps you take to keep it safe

Only the data that is needed for the purpose you are processing data should be used. In the past data is collected 'just in case' it is needed. This can no longer happen.

Access control is essential. Whether you are the controller or processor, data subjects must be confident that limited staff have access to their information. 

It goes without saying all personal data must be encrypted and special category data needs stronger encryption. 

This is central to all that is done. Upholding the rights and freedoms of data subjects is paramount in any data protection strategy. A controller will not use a processor unless they are confident that their data subjects rights are upheld.

Unless you host your own servers and carry out all activitity 'in house' sub-processors will be used. It is the processor's duty to ensure that if data is processed elsewhere the correct agreements and guarantees are in place to safeguard the data. Controllers should be asking about sub-processors and their presence should be recognised.

Data stored/processed outside the EU may carry high risk and treated with caution

The Schrems II decision has a major impact on any data transferred to outside the EEA. Special safeguards need to be put in place where that does happen.