Under GDPR your suppliers (data processors or joint data controllers) are obliged to tell you "without undue delay" about a data breach they have suffered that has affected data that you are the controller for. For the avoidance of doubt, your school is almost always the data controller; read our blog aimed at suppliers, "Suppliers: are we controllers or processors?", for more insights on your suppliers and your relationship with them.
If you learn that a supplier you use has experienced a data breach and they have not sent you specific information about how your data either was or was not a part of the data breach, then you can, and should, reach out to them and ask for details. Depending on their response and what further help they offer, you can then determine the necessary next steps to maintain your compliance with the DPA2018 and the GDPR.
Consider at least the following factors:
- Which data subjects were affected?
- What categories of data were affected?
- Are any of the data subjects considered vulnerable?
- Does the leaked data put any of the affected data subjects at risk?
Remember, even if the supplier is based in, and hosts the data in, the US or another country, you have the right to inform the ICO about this, if you feel it is appropriate.
In your role as the data controller, it is your duty to inform affected data subjects promptly and without undue delay, if you feel there is a high risk of harm to them.