Top tips on how to prepare your school for the new GDPR

By Stuart Abrahams, Think IT

In our technological age, the threat of a cyberattack or data security breach often presents an ongoing headache for schools, businesses and government bodies across the UK. In an effort to improve this situation, the new EU General Data Protection Regulation (GDPR) makes a number of changes to the way data should be collected, stored and used. However, a new report suggests that over a quarter (27 per cent) of education establishments in the UK are unprepared for a cyberattack, and almost half (47 per cent) do not know how GDPR will affect them.

This lack of understanding can often be a source of anxiety for schools. The good news is that implementing the new regulations needn’t be scary or expensive. Here I offer a few tips to help schools understand what they need to do to move towards compliance before the changes come into force in May this year.

Be ahead of the game - get to know your data!

With less than six months to go, there are lots of simple checks you can do to make sure you’re on top of your data.

One good thing to do is to find out what data you currently collect and whose data it is. There are two types of relevant data: personal data, such as the contact details of parents and teachers, and sensitive data, such as pupils’ medical records, religious beliefs and staff salaries. Once you know what data you collect you can then check how it is stored; most data is stored on paper, electronically or on a Management Information System. Remember, data can be stored in a huge variety of places, from email trails, video recording files and online payment systems to the staff payroll. You may want to check with your system providers that all information stored online is secure.

Another important check is to make sure that data is still relevant. The GDPR changes require data holders to show that whatever is being stored is necessary, which means you shouldn’t be holding onto information you no longer need. For schools, it’s a good idea to make sure you have clear procedures and time frames for erasing students’ data once they leave.

Map out who you share your data with

As well as knowing about your own procedures, it is important to map out who you share your data with and ensure these third parties are also complying with the new regulations. To do this, make a list of everyone you share data with, including other schools, the health and social services and charities and reflect on whether it is relevant and necessary to share this information. If it is, you should contact these third parties to ensure they will also be compliant and to find out how they are using your data, where they are storing it and what happens to the information when a student or staff member leaves the school.

Understand consent and know when to ask for it

Another area that can be a little tricky is knowing when you need to ask for consent. My advice would be to only ask for consent if you have to. In fact, there are often circumstances that don’t require you to obtain consent at all. For example, you might not ask for consent if collecting the data is necessary to protect the vital interests of a data subject, or another person, or if you need to collect the data to carry out tasks in the public interest.

Assign your Data Protection Officer (DPO)

Every school will need to appoint a DPO, so it is important to start thinking about who you are going to hire or assign in your team as your Data Protection Officer, and it’s a good idea to appoint this person early! Your DPO will be responsible for ensuring the school is compliant with the new legislation. It is also important that all staff understand the changes and are handling data correctly, so offer some simple training to get all team members up to speed.

Thoughts to take away

The key thing to remember is that GDPR is a positive change which will help schools make sure they are using data in a safe, secure and appropriate way. As long as schools take a proactive approach and follow these smart steps, they can get ahead of the game with their data protection and be fully prepared for when the changes come into effect on 25 May.


Think IT is a DfE-compliant education sector procurement framework. For more information, visit: or visit the team on stands B216 and E300 at Bett 2018.