
GDPR: How will it impact schools and academies?

Ann Mathias

There are now nine months to go until the GDPR legislation comes into place. After four long years of debate, the General Data Protection Regulation (GDPR) was ratified by the European Union in April 2016 and comes into place on 25th May 2018.
GDPR will apply to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU. The law's main aim is to give citizens more control over their personal data and to create a uniform set of rules. To achieve this, there is a two-year transition period for companies to reach full compliance.
Public sector organisations will also have to abide by the new GDPR legislation and will have to put the correct measures in place for how they store and manage customer data and how they dispose of this data once it is no longer needed.
The GDPR defines children as vulnerable individuals who, because of that vulnerability, need specialist protection in place. Schools in particular hold a huge amount of data on children, from student and staff records to CCTV.
As a school or academy, you may feel that you are up to date, as much of the new legislation seems very similar to the Data Protection Act. However, there are differences. The potential penalties are more severe than under the Data Protection Act, with fines of up to 4% of the organisation's global annual turnover or €20 million, whichever is greater.
What is changing for schools and academies?
Children must give their active and informed consent for information on them to be gathered and processed. For children under 16, the parent or guardian must give consent. Member states may legislate for a lower age of consent, but this will be no lower than 13. Data controllers must make sure they have made a reasonable effort to show that consent has been given for the data processing carried out.
What should schools be doing?
For schools and academies, the best move forward is to take action now and start preparing for when the GDPR legislation comes into place.
Raise awareness
Key decision makers in schools must know that the data protection law is changing and this will ultimately change how the school is run. It is important for key decision makers to familiarise themselves with GDPR and identify the areas where schools will need to be compliant. For example, there will be significant changes to collecting fingerprint data, exam results, taking photos at the school, accessing pupil information and accessing official information. It is important to start discussions with governors to determine how you will demonstrate that you comply with the GDPR principles.
Budget and staff time
GDPR will have significant resource implications for budget and staff time, so it is important to get the correct resource in place.
Your school or academy may need a Data Protection Officer (DPO). If you require a DPO it would be best to appoint or designate this responsibility as soon as possible. For some schools the requirement to have a DPO will be mandatory.
Internal audit
An internal audit will help you to understand what happens to personal data within a school or academy. This will then help to find the best ways to manage it without facing GDPR risks. Team meetings are vital in seeing what type of data is being collected currently, where it is stored and where it is destroyed.
Review policies and guidance
It is important to create and maintain an internal data protection policy. As with other legislation, it should be written in plain English and be simple and easy to follow.
Review and renew your data forms
It is important for a school or academy to refresh its pupil data, including key contacts and next of kin. This is usually done at the start of each academic year, which makes it an ideal time to make sure your data capture is up to date and includes the new requirements.
Staff data protection training is imperative, and schools will continue to be subject to an obligation to take organisational steps to keep personal data secure. It will also be important to have a training programme in place for new starters and refresher training for long-term members of staff.
The GDPR comes into place on 25th May 2018, so it is important for schools and academies to act fast and put the correct measures in place before May. For further information on internal procedures and how GDPR could affect schools or academies, please visit the Information Commissioner's Office via this link: