Exclusive: Half of schools 'not fully compliant with GDPR'

Report says four in five schools believe fines for breaching new data protection regulations would 'significantly impact' them

Martin George

More than half the schools and colleges that responded to the survey said they believed they were not fully compliant with GDPR.

More than half of schools and colleges are not fully compliant with new data laws almost a year after they came into force, a snap survey has suggested.

The report from RM Education and Trend Micro also reveals widespread concerns among schools that fines for breaching the general data protection regulations (GDPR) could have a significant impact on their institutions.

The new rules, which took effect in May 2018, govern how organisations such as schools handle personal data. Breaches can be punished with fines of up to 4 per cent of annual revenue or £17 million – whichever is greater.


Now, a snap survey of 156 schools and colleges across Great Britain, which includes a mix of sizes, phases and urban and rural locations, has highlighted a series of concerns:

  • 52 per cent believed they were not fully compliant with GDPR. Forty-eight per cent said they were.
  • 14 per cent admitted they did not have a clear plan to become GDPR compliant.
  • 39 per cent cited a lack of financial investment as the biggest challenge to complying with GDPR, while 46 per cent highlighted security awareness.
  • 79 per cent said financial fines for non-compliance would “significantly impact” them.
  • 75 per cent said accidental loss by staff was the biggest threat to data, while 19 per cent said cybercriminals.
  • 38 per cent said they had increased their IT spend as part of becoming GDPR ready.

Bharat Mistry, principal security strategist at Trend Micro, described the finding that half of schools and colleges are not fully GDPR compliant as “concerning”.

He told Tes that the most important steps for schools were educating staff and pupils about online security.

He added: “Things as simple as leaving a memory stick lying around, not changing your password regularly, or not updating to the latest software could have a seriously big impact.

“Having a strategy in place to ensure all data is protected, and able to be deleted should a pupil or parent request it, is also key.”

The report also indicates that schools are facing more demands for transparency about data since the introduction of GDPR.

In total, 19 per cent of schools and colleges said staff, parents and pupils were “slightly more”, and 5 per cent “significantly more”, demanding about how much of their personal data is being kept and where.

This compares with 56 per cent who said this had remained the same, while only 2 per cent said demands for transparency had lessened.

A Department for Education spokesperson said: “Schools are expected to appoint a data protection officer and have a range of policies and processes in place to enable them to be compliant with GDPR and the Data Protection Act 2018.”

They added that the Information Commissioner's Office produces sector guidance on GDPR.


Martin George is a reporter at Tes
