How to Prepare Your School for GDPR

What is GDPR?

The General Data Protection Regulation (GDPR) is a new regulation to update the existing Data Protection Act.
The new regulation is intended to strengthen and unify data held within an organisation and protection for all individuals.
The data you currently have should adhere to the regulation before 25th May 2018, when it becomes law for it to do so.


How does GDPR affect you and your school?

Pupil databases, CCTV footage, staff information are all types of personal data schools process. GDPR will give individuals more control over the data held by an organisation, which means schools will have greater accountability for the data.
For schools, GDPR brings greater responsibility to inform parents and stakeholders about how they are using pupils’ data.
Schools will need to review data usage and privacy notices to determine the lawful basis upon which data is processed. Personal Data cannot be processed unless there is:

  1. Legal obligation
  2. Legitimate interest
  3. Performance of a contract
  4. Protection of someone’s vital interests
  5. Public interest or exercise of official duties
  6. Consent

Schools cannot assume that they are entitled to process personal data as and when they wish.
For example there is a clear legal obligation to communicate to parents on a pupil’s progress however consent will be needed to promote a charity event being held at the school.
Public authorities and bodies must appoint a Data Protection Officer (DPO). Some schools may already have a person designated to deal with data protection issues, however the GDPR places specific obligations on a DPO to conform to the regulations.


What is the penalty for non-compliance of GDPR?

If there is a data breech and you are found to be non-compliant with GDPR you could be faced with a fine of up to €20 million or 4per cent of your company’s annual revenue, whichever is greater.
GDPR does enforce more accountability and penalties, however many schools already operate within rigorous data protection measures and ensure data is kept safe and secure.


How can I be sure my school is compliant? What should I do now?

There is still time to become fully compliant. You can start by visiting the Information Commissioner’s Office website which features valuable resources and information on complying with GDPR.

  • Awareness & Training - Ensure all staff have general GDPR awareness training. Senior management and staff with more data responsibility will require further training to fully understand GDPR and its potential impact.
  • Review the information you hold – Schools should document and review all the personal data they hold and understand where it came from, how it is stored and what it is used for. Identify and document the legal basis for processing data.
  • Consent – review your privacy notices and check procedures to ensure you can action individuals’ right to delete or update personal data. Plan to gain consent from parents and stakeholders to ensure you have permission to send electronic or posted mail relating to non-contractual or legal communications.
  • Data Protection Officer (DPO) - Your school must appoint or hire a DPO to be the custodian of data and make sure that your school is compliant with all regulations applicable to them.
  • Software Review - The software your school uses must be checked to ensure it meets the necessary requirements as a data processor


Need more help with GDPR?

GDPR can be a little overwhelming, so to help you prepare and become compliant we have a number of GDPR support options available:

  • Readiness Audit - An audit to identify areas of potential non-compliance, complete with a report highlighting the areas for improvement and practical actions to take to ensure compliance.
  • Data Mapping Audit - The data mapping audit will help you identify and categorise personal data: Why is personal data processed? Whose personal data is being processed? What personal data is processed?  When is personal data processed? Where is personal data processed? It will also look at the security measures in place to protect the data.
  • Data Protection Officer - Contact us if you require a Data Protection Officer to perform the full statutory DPO duties
  • Training - Scheduled training will be available for school staff with varying levels of data responsibility, from whole school awareness to DPO compliance.


GDPR will come into effect in May 2018 so now is the time to start planning for compliance. To understand the full scope of GDPR or to ensure you are prepared, please contact us:

0800 090 2255

Scroll to top