Blog home
The Blog

Fresh Ideas and Inspiration for education

The General Data Protection Regulation (GDPR) and Education

There is less than three months before GDPR (General Data Protection Regulation) comes into force. From my experience of working with schools and academies, a high proportion of them will not fully comply by the 25th May when GDPR, (encompassed in the new Data Protection Bill), becomes law. Progress towards compliance is good in schools and academies because there is a strong understanding and commitment towards safeguarding, meeting policies, procedures and standards that are reviewed by OFSTED / ISI Inspections.

Posted on Wednesday 28th February 2018

The Supervisory Authority for Data Protection in the UK is the Information Commissioner’s Office (ICO) and the ICO’s website is a good place to start to prepare to meet the GDPR. Trust the free resources and advice that the ICO and the National Cyber Security Centre (NCSC) are publishing. The ICO has a well-used telephone advice helpline and even gives free advisory visits for small to medium sized enterprises.

GDPR itself is about our personal information (data) and how we can take control over the use of it by other people and organisations.

Article 1 of the regulation sets out two key objectives:

  1. The protection of the fundamental rights and freedoms of individual persons, in particular, the protection of personal data
  2. The Protection of the principle of free movement of personal data within the EU. The 1998 Data Protection Act has simply been overcome by technology and especially the Internet.

The eight principles of the 1998 Data Protection Act have been reduced to six in the GDPR. Two have been enhanced and are separately highlighted in the GDPR, Data Subject Rights and Cross Border Transfers. Accountability has been introduced which means everything you do must be justifiable.

It is essential that records are kept of how data is used, and a Data Protection Officer is appointed for a ‘public body’ like a school or academy. The GDPR insists organisations put into place comprehensive governance measures, and it is essential that all schools and academies follow the principles of the GDPR as breaches may attract fines.

If we accept that leaks of personal data held in schools and academies could cause significant harm to the health and wellbeing of our pupils, parents and staff then it’s essential it should be protected. If it is not possible to apply appropriate technical and organisational measures to protect all personal data, then focus initially upon protecting the most ‘sensitive’. Conduct Data Protection Impact Assessments (DPIAs), when processing data to assess the likelihood and impact (i.e. the risk) of a compromise to the confidentiality, integrity and availability of personal data.

Data Protection and Health & Safety both have reporting requirements i.e. accidents through RIDDOR to the Health & Safety Executive and Data Security Breaches to the ICO. Both sets of legislation potentially have personal liability for Directors / Governors who fail to take the principles of health & safety and data protection seriously.

This article highlights the change of focus needed by leaders within schools and academies and that they need to:

  1. Look at the ‘12 steps to take now’,


  1. Appoint a Data Protection Officer (DPO) to meet the role outlined in the ICO’s advice


  1. Support the Executive Team and particularly the DPO by providing adequate resources to meet the GDPR’s requirements. Use the ICO’s GDPR Assessment Toolkit, which has 7 checklists you can use to assess your compliance with the GDPR and find out what you need to do.


With thanks to Harry Ewins for writing this post. Harry Ewins is the Managing Director of External Perspective Business Solutions, a consultancy practice that delivers training and consulting on the GDPR, particularly for educational bodies. For more information call: 0151 281 9230

Posted in