General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) comes into force on 25th May 2018. The GDPR replaces the Data Protection Act 1998, putting in place new controls and rules around how personal data is managed and protected. Failure to comply with the GDPR can result in fines of up to €20 million, reputational damage, distress to data subjects and compensation claims.
Worcestershire County Council have produced a useful summary of requirements and suggested actions for schools and settings in relation to General Data Protection Regulation (GDPR).
General Data Protection Regulation (GDPR): Summary of Requirements and Suggested Actions for Schools
An introduction to GDPR and suggested actions and practical steps schools can take now to prepare.
Is your school/setting GDPR compliant?
If you haven't started your preparation to comply with the GDPR, then do not panic! There is still time to take the necessary steps towards full compliance by 25th May 2018.
The Information Governance 'Health Check' Questionnaire produced by Worcestershire County Council will help to identify the areas you need to focus on.
Information Governance 'Health Check' Questionnaire
The 'Health Check' has been put together for schools to see how well they are managing their records and information and to identify any areas they perhaps need to give more attention to.
Still not sure how GDPR compliant your school/setting is?
Why not book a Data Protection Impact Assessment to identify areas of potential non-compliance, complete with a report highlighting the areas for improvement and the practical actions to take to ensure compliance?
Further steps to take to become GDPR compliant
- Ensure senior management understand the significance and impact of GDPR on your school, and seek their support and direction on how to prepare for the changes.
- Carry out a Data Mapping Audit to identify and record what personal data you hold and where; who you share it with; how long you keep it for; and what your lawful basis is for processing it.
- Inform employees and other key people that the law is changing and deliver needs-based GDPR training to them.
- Review, update or create policies and procedures which reflect the GDPR changes, particularly in relation to data breach investigation and reporting; privacy notices; obtaining and managing consent; and handling requests from individuals exercising their rights.
- Appoint a Data Protection Officer. This person must have expert knowledge of data protection law and practices and be able to fulfil the tasks set out in Article 39 of the GDPR. This person can be an employee or an external contractor.