General Data Protection Regulation (GDPR): what you need to know

The GDPR will change the way schools manage their data and information. Lisa Griffin provides a to-do list schools can use to prepare for the new data protection laws and outlines the changes

Author details

Lisa Griffin is content lead at Optimus Education, focusing on leadership and governance. 

To do list

  • Ensure all staff with access to personal data receive mandatory data protection training.
  • Keep records of who has received training and when, make sure any staff who didn’t attend get trained and provide regular staff refresher training.
  • Designate a data protection officer.
  • Undertake a data protection audit so you have a map of personal data and information you hold, where it came from and who it is shared with.
  • Update your e-safety policy to ensure that all stakeholders know what needs to be done to remain compliant with the GDPR.
  • Choose the right data processor partner. They will ensure IT asset disposal is carried out in a safe, secure and compliant way.
  • Make sure you have a contract or service level agreement in place with your chosen partner.
  • Gain clear consent for the different uses of personal data and review systems to ensure that the means of recording consent is compliant.
  • Update your systems to ensure new timescales, such as data breach notifications and answering subject access requests, are met.

From 25 May 2018, the Data Protection Act (DPA) will be replaced by the General Data Protection Regulation (GDPR). This means the way you manage data and information within your school will change, bringing significant additional compliance requirements.

Under current legislation schools have a duty of care to ensure that their data is kept safe and secure. With the GDPR coming into effect schools will have an increased responsibility to ensure the way they process and store this information is compliant with the changes.

What is it?

The GDPR is a new data protection regulation designed to strengthen and unify the safety and security of all data held within an organisation in the EU.

It will entirely replace the current DPA, making changes to many existing data protection rules and regulations that organisations such as schools, academies and other educational establishments currently adhere to under the DPA.

The GDPR will come into force before the UK leaves the European Union. Therefore, UK organisations handling personal data will still need to comply with the GDPR.

How will schools be impacted?

Although there are similarities between the GDPR and the DPA, there are also significant differences that will impact the way data and information is managed in your school.

Non-compliance can result in huge financial penalties (up to £500,000) being imposed from the Information Commissioners Office (ICO), as well as Ofsted ratings being impacted if the correct data and IT security policies and procedures aren’t in place.

Now is the time to start putting policies and practices into place ahead of the change to ensure compliance with the new regulation.

Wh​at can we do to prepare?

The ICO suggests ways in which organisations can prepare for the data protection changes and has published a 12-step checklist, summarised below.

1. Aw​areness

Key decision makers in your organisation need to be aware that the DPA is being replaced by the GDPR. They need to understand the impact that the changes to data protection law will have and identify areas where the school will need to make changes to ensure compliance.

2. Info​rmation you hold

Carry out an information audit and document the personal staff and student data you currently hold, where it came from and who it is shared with. You should also map out which parts of the GDPR will have greatest impact on you.

3. Comm​unicating privacy information

Review your current privacy notices and guidance and put a plan in place for making any necessary changes ahead of GDPR implementation.

Consider such issues as the information being collected, who is collecting it and how, why it is being collected, how it will be used and what the impact on the individual concerned will be.

4. Indi​viduals’ rights

Check your current procedures to ensure they cover all rights of individuals, including how personal data is deleted and how data is electronically provided.

A new requirement under the GDPR is for you to be able to explain your legal grounds for processing and using personal data in your privacy notice.

In addition, individuals will have a stronger right to have their data deleted where you use consent as your legal basis for processing.

5. Subj​ect access requests (SAR)

Under the GDPR there is a new requirement to explain your legal grounds when answering a SAR.

You should update your procedures, plan how you will handle requests within the new timescales and provide any additional information.

The GDPR will continue to allow individuals to ask the school for a copy of their personal data along with other information about how the school is processing it.

The data controller must provide a copy of the personal data, free of charge, in an electronic format.

6. L​awful ba​sis for processing personal data

You should identify and document the lawful basis for your data processing and update your privacy notice to explain it under the GDPR.

7. C​o​nsent

The conditions for consent have been strengthened and you should review how you are seeking, obtaining and recording consent for processing personal data and whether any changes are required.

Under the GDPR, consent must be freely given and as easy to withdraw, at any time, as it was to provide it in the first place. If consent is revoked this must also be recorded.

8. C​hildr​en

The new legislation introduces some child-specific provisions, including the legal grounds for processing children’s data.

Plan the systems you need to put in place to verify individuals’ ages, and to gather parental or guardian consent for the data processing activity.

9. Data bre​aches

Put in place the procedures to detect, report and investigate a personal data breach in the new specified timescale. Breach notification must be made within 72 hours of having become aware of the breach.

You should also maintain an internal breach register.

10. Data prote​ction by design and data protection impact assessments

Privacy impact assessments (PIAs) are used to identify and reduce the privacy risks of your projects. The ICO’s code of practice on PIAs explains the principles which form the basis for a PIA.

Organisations should familiarise themselves with the code and plan when to implement PIAs.

11. D​ata prot​ection officers

Hire a data protection officer or designate an individual to take responsibility for data protection compliance.

Under the GDPR it is mandatory for public authorities, including maintained schools and academies, to have a designated DPO.

12. International con​siderations

Review and map any flows of personal data outside the EU, consider what transfer mechanisms are in place and ensure these comply with the GDPR.

Last Updated: 
27 Apr 2018