GDPR for schools: an outline of the key changes

New data-protection regulations come into force on 25 May, but what will they mean for schools? We take a look at what you need to know and do to ensure you’re ready
GDPR article image
New data-protection regulations come into force on 25 May, but what will they mean for schools? We take a look at what you need to know and do to ensure you’re ready

If you have not heard of General Data Protection Regulation (GDPR) and you work in a school, you need to get clued up quickly: if you break the new rules after they have come into force on 25 May, the consequences could be damaging both for your school's budget and reputation.

Here we tell you what schools in particular need to know about GDPR. 

GDPR for schools

Schools handle a large amount of personal data. This includes information on pupils, such as grades, medical information, images, and much more. Schools will also hold data on staff, governors, volunteers and job applicants.

Schools will also handle what GDPR refers to as special category data, which is subject to tighter controls. This could detail race, ethnic origin, biometric data or trade union membership.

This data is already governed by existing Data Protection Act (DPA) regulations, which ensure personal data is handled lawfully. However, GDPR has gone further and requires organisations to document how and why they process all personal data; it also gives enhanced rights to the individual.

“What GDPR has done is taken the previous regime, built upon it and modernised it for the current technological and societal environment,” says Claire Williams, an information and cyber law specialist at law firm Mills and Reeve.

“In terms of schools and the education sector in general, there’s going to be much more of a focus on data protection and it’s going to have to be much more at the forefront of people's minds, particularly the senior leadership when they’re deciding on policies and bringing in new technology.”

To learn more about GDPR, see our other guides:

Who exactly will this affect?  

“Achieving compliance for any organisation will require unconditional support from all staff, leaders, teachers and support staff,” says Guy Dudley, director of Advice and Legal Services at school leaders' union, the NAHT.

“GDPR isn’t normal ‘day-to-day’ business for schools, so they’ll have to make this change alongside all of the regular teaching and learning commitments that go on.”

Senior leadership

In the same way that safeguarding is a school-wide priority normally led by one of the senior leadership team, it is recommended that data protection follows the same approach.

“You are expected to have somebody within the senior team whose responsibility encompasses GDPR and data protection in general,” says Williams. “They need to have adequate resourcing and an adequate understanding of what the law actually is.”   

All staff

With such a major emphasis on evidencing compliance, it’s important that schools can also demonstrate that the whole school is on board when it comes to data protection.

“Part of the process of becoming compliant is to make sure that everybody has received adequate training,” says Williams. “Training needs to be sufficiently focused and relevant to what people are doing day to day, so that they understand both the cyber security implications of their actions and the rules about the protection of personal data.”

Data protection officer (DPO)

Under the new law you must appoint a DPO if you carry out large-scale tracking of individuals or large-scale processing of special category data. It is possible for groups of schools, or multi-academy trusts to share a DPO.

“Schools need to look at what suits their organisational structure,” says Williams. “If they are planning to use an external DPO, they need to make sure he or she has sufficient knowledge about the school to be able to properly advise and give tailored advice. Schools need to make sure that whoever they engage will have adequate resources and adequate time to meet the school’s needs.”

External third parties

Any relationships with third parties that handle personal data will need to have processing agreements (basically, transparent agreements about what happens to the data to ensure it is GDPR-compliant) in place.

“In terms of any existing contracts, schools need to look at what they have in place and whether it is adequate,” says Williams.

Any contracts that do not contain the necessary provisions will need to be amended.

“That can be quite a significant job depending on how many processors you’ve got,” he adds.

What changes need to be made?

School leaders

The key shift from the DPA is that simply processing data lawfully is now no longer sufficient.

“The big difference around GDPR is that it’s very much focused around being able to prove compliance,” says Toks Oladuti, director of information systems at an independent girls’ schools trust.

“[This] is going to introduce new record-keeping that schools will need to do and slightly newer approaches to how they actually introduce new processing activities.”

Mapping data and having records of processing across all school systems is one of the biggest and most important changes from the DPA.

“Schools need to understand where their data is processed,” says Jonathan Harrex, DPO and information security specialist at “They need to understand what they process, and whether that’s done internally or by a third party or by both. So they will identify how their data is processed and who does it, and then they will be able to identify, as part of that, the technology that they process the data on and how that’s secured.”

Key changes for leaders:

  • Demonstrate compliance: schools need to document every system used to process personal data. They also need to map how this data is transferred to other systems or any third parties.
  • Appoint a DPO: schools must appoint a data protection officer to ensure that their school is fully compliant with the new regulations (more info below).
  • Processor agreements: for any third-party processors, you must have contracts in place stipulating that personal data is handled in compliance with GDPR.  
  • Reporting a data breach: if personal data has been put at risk, you may be required to inform the Information Commissioner's Office (ICO), and in some cases, the individual at risk. This should be done within 72 hours of the breach being discovered.
  • Staff training: despite the best efforts of the DPO in using compliant processes, these are only as secure as the people using them. Ensuring staff are trained and a culture of data compliance exists is crucial.

More on GDPR for school leaders

Classroom teachers

With the increased emphasis on accountability will come more pressure on leaders to ensure their staff receive the necessary training. Systems in place will also affect anyone who handles personal data, even if that’s an attendance register.

Key changes for teachers:

  • Reporting a breach: teachers must understand what constitutes a breach and, if they suspect a breach has occurred, report it to the DPO.
  • Introducing new systems: if teachers want to introduce a new piece of subject-specific software or use any new processing system, there needs to be a clear process in place to inform the DPO and ensure it is done compliantly. 

More on GDPR for teachers

What will happen on 25 May 2018?  

Subject requests

From 25 May, any data subject (that’s someone whose data the school holds) can exercise certain rights with regards to their data. This means that a parent could ask for a school to produce all of the data it currently holds on their child, or a job applicant could ask you to erase all their details. Under the new law, an individual could ask for their data to be provided to them in a portable form, so that they could pass it on to another organisation.

The school would be legally obliged to carry out these requests within 28 days of the request being made.

Although individuals were previously allowed to request access and an amend to any inaccuracies, they now have additional rights and the £10 fee has been waivered.

“People are becoming more aware of their data rights,” says Williams. “The volume of subject access requests has been rising, but that’s just a general societal phenomenon, as people realise their data has value and have become a lot more curious about what people are doing with it.”

More on subject access requests 

Reporting a breach

From 25 May, if you’re informed of a breach to someone’s personal data, you may be required to inform the ICO. Under serious circumstances, you may be required to inform the individuals whose data has been put at risk. 

More on personal data breaches

Increased fines

The maximum fine for failing to comply with GDPR is €20 million (about £17.7m) or 4 per cent of the organisation’s annual turnover (whichever is greater). Under the previous regulations, organisations such as the NHS and TalkTalk have received six-figure fines, although the consensus suggests schools would have to be found seriously negligent to receive similar penalties.

“The organisations that have been taken to task are the ones that have looked the other way over recognised standards,” says Harrex.

"In terms of the penalties, the ICO, at least for now, remains a very friendly and constructive regulator,” adds Williams. “One of their purposes is to educate people about data protection and to help people to get up to speed, so they don’t whip out the fines at every opportunity."

More on the penalties under GDPR

Developing picture

After 25 May, it will become much clearer how GDPR will be enforced. Tes will regularly update its guidance with every development. 

For full and up-to-date guidance on GDPR, visit the ICO website