Access this unit immediately1 year access

To access all the in-house training materials to support your CPD simply:

Alternatively, call us at +44 (0) 208 315 1506 or email us at


In Unit 2, you looked at how GDPR looks in practice and you are now more aware of how GDPR sits in the school context. In this unit, you will look at how you implement GDPR and consider how you ensure that your legal basis, your subject access requests and your consents are all documented.

To recap, you have learned that:

  • Personal data in schools relates to information about pupils, parents and staff.
  • Sensitive personal data includes additional factors such as special educational needs, race, sexuality, religion and political beliefs.
  • Staff must be aware of the need to keep data secure through the use of password protection and locked cupboards for paper files.
  • Senior leadership teams must embrace GDPR to help embed it across the whole school.
  • Data protection is the responsibility of every member of staff.
  • A number of policies are impacted by data protection and these must be reviewed to reflect changes in GDPR.
  • Whenever data is processed the school must identify, and document, the legal basis for it.
  • There are six legal bases and the one that will be most commonly used is the public interest basis.
  • GDPR is designed to provide greater protection to individuals and that there are eight individual rights.
  • Privacy notices must be concise, intelligible, easily accessible and free of charge.
  • Data protection impact assessments must be undertaken before starting a new project that involves data processing.

Aims and outcomes:

  • Explore the benefits of a single compliance document.
  • Understand the importance of undertaking an information audit.
  • Gain a better understanding of privacy notices and when to use them.
  • Learn how to deal with subject access requests.

Building upon the information and knowledge covered in the previous units, this unit is most suited to the SLT, governors and other staff with delegated responsibilities for GDPR implementation.

Unit content

Unit 3: GDPR readiness