General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) comes into force on the 25th May 2018. The GDPR replaces the Data Protection Act 1998, putting in place new controls and rules around how personal data is managed and protected. Failure to comply with GDPR can result in fines up to €20 million, reputational damage, distress to data subjects and compensation claims.

Worcestershire County Council have produced a useful summary of requirements and suggested actions for schools and settings in relation to General Data Protection Regulation (GDPR).

General Data Protection Regulation (GDPR): Summary of Requirements and Suggested Actions for Schools

An introduction to GDPR and suggested actions and practical steps schools can take now to prepare.


Is your school/setting GDPR compliant?

If you haven't started your preparation to comply with the GDPR, then do not panic! There is still time to take the necessary steps towards full compliance by 25th May 2018.

The Information Governance 'Health Check' Questionnaire produced by Worcestershire County Council will help to identify the areas you need to focus on.

Information Governance 'Health Check' Questionnaire

The 'Health Check' has been put together for schools to see how well they are managing their records and information and to identify any areas that may need more attention.


Still not sure how GDPR compliant your school/setting is?

Why not book a GDPR Readiness Audit to identify areas of potential non-compliance, complete with a report highlighting the areas for improvement and practical actions to take to ensure compliance?

Contact us to arrange a GDPR Readiness Audit.


Further steps to take to become GDPR compliant

  1. Ensure senior management understand the significance and impact of GDPR on your school, and seek their support and direction on how to prepare for the changes.
    • Contact us to arrange GDPR Training for your school or to register your interest in our scheduled GDPR training
  2. Carry out a data audit to identify and record what personal data you hold and where; who you share it with; how long you keep it for; and what your lawful basis is for processing it.
  3. Inform employees and other key people that the law is changing and deliver needs-based training to them.
    • Contact us to arrange GDPR Training for your school or to register your interest in our scheduled GDPR training
  4. Review, update or create policies and procedures which reflect the GDPR changes, particularly in relation to data breach investigation and reporting, privacy notices, obtaining and managing consent, and handling requests from individuals exercising their rights.
  5. Appoint a Data Protection Officer. This person must have expert knowledge of data protection law and practices and be able to fulfil the tasks set out in Article 39 of the GDPR. This person can be an employee or an external contractor.
    • Contact us to discuss your requirements for a Data Protection Officer.