What Can Schools Be Doing Now To Prepare For GDPR?


With the deadline for GDPR (General Data Protection Regulation) creeping up, there’s no better time to start putting into practice some of the steps needed to ensure your school is GDPR compliant. The new regulation is being introduced to further enhance the security surrounding the way personal data is processed and will be mandatory from May 2018.


The main question that many schools are asking when it comes to GDPR is what does this mean for us? It is important to understand that the introduction of GDPR will give your school more responsibility for the data you handle and will allow the individuals (teachers, pupils, parents) within your school to have greater control over their own personal data.


There are several things that you need to do in order to become compliant with the regulation, starting with appointing a DPO (Data Protection Officer) who must have experience and knowledge of the data protection law so they can ensure that the school's data processes are compliant. All of the school’s third party suppliers who may have access to any of the school’s data must be GDPR compliant. You must ensure that you have legal contracts with them that cover exactly what data is being processed, who it is being used by and how it is being used. As well as this, all schools must make sure that consent is given for anything that isn’t within the normal running of the school, especially if it involves a third party using the data. Parents or the pupil (depending on their age) must give their use of personal data used outside the everyday business of the school and also for the use of photographs, such as on your website or social media. It is vital that if you have breached the data regulation, you report all breaches that are likely to have a detrimental effect on an individual to the ICO within 72 hours.




Your pupils and their parents have always had access to their data, however, GDPR makes it easier for them to request access to it and also gives them the right for it to be forgotten.  You will need clear retention policies to ensure that you are completely compliant with this area.


With GDPR becoming mandatory on the 25th May, there are plenty of things that your school should be getting on with make sure they are compliant before the deadline.


Before the countdown becomes critical, it is worth taking some time to review all the personal data you currently have. This includes all the data you have for your staff, pupils and parents as well as suppliers and governors. This data needs to be organised and stored in an audit.


Training your staff is key to making sure that all of your staff are aware of GDPR and its impacts. Train all your staff according to their roles and responsibilities, for example, general training should be organised for all staff as well as more specific, in depth training for staff with more responsibility.


Start to consider who you are going to appoint as your DPO, as if this is sorted sooner rather than later, you will find yourself and your school is much more organised before GDPR becomes set in stone. This person will be responsible for advising you on GDPR and ensuring you are compliant with all of the requirements so you will need to consider who you appoint carefully as they have to report to the highest level of management and cannot have any conflicts of interest.


You and your school must know exactly what software, including apps used by teachers, is using and processing personal data and how it is being processed. Failing to comply with this could lead to a breach of GDPR and you could potentially face enforcement action from the ICO, resulting in negative publicity and even a fine for your school.


Although it is not yet crystal clear how much of an impact GDPR will have on schools, we do know that we need to be clear on what best practices need to be put in place to protect pupils, staff and their parents against any data breaches. GDPR has the potential to cause some challenges to the way your school processes data, but preparing early will prevent you from facing various issues nearer the time.


For more information on GDPR in schools click here