Are you ready for GDPR?

Written by: Steve Baines | Published:
Image: Adobe Stock

The General Data Protection Regulation – GDPR – comes into effect on May 25. Steve Baines discusses how schools can prepare

The General Data Protection Regulation (GDPR) is replacing the previous Data Protection Act (1998) and is being introduced to tighten up security surrounding the way personal data is being handled. The new GDPR will be mandatory from May 25 onwards, making now the perfect time to ensure your school is ready for the new changes.

The GDPR will give schools greater responsibility for their data and it will also ensure that individuals have more control over their own personal data. However, with this comes requirements that your school must adhere to in order to become compliant:

  • You must appoint a Data Protection Officer and this person must have experience and knowledge of data protection law so that they can ensure the school is GDPR-compliant and following the correct requirements.
  • You must ensure that your school’s third party suppliers who have access to any of your data are also GDPR-compliant and you must have legal contracts with any company that processes personal data. These contracts must cover exactly what data is being used, who it is being used by, who has access to it and how it is being protected.
  • Opt-in consent must be given to anything that isn’t within the normal business of the school, especially if it involves a third party using the data. Parents (or the pupil depending on their age) must give their consent for the use of personal data outside of the everyday business of the school and also for use of photographs, such as on your website or social media.
  • It is essential that all data breaches that are likely to have a significant detrimental effect on the individual are reported to the Information Commissioner’s Office (ICO) within 72 hours.

There is no reason for you to worry if your school already has strong data protection in place, as GDPR is just a way of further enhancing the way you manage personal data. Your pupils and their parents have always had the right of access to their data and GDPR makes it even easier for them to request it. However, a major change with GDPR is that individuals now have the right for their data to be forgotten and you will need clear retention policies to ensure you comply with this new aspect.

What can you do now?

There’s still a lot of time for your school to prepare for GDPR, but May 25 will come round quickly. There’s plenty for your school to be getting on with in the meantime to avoid having to plan last minute:

  • Take the time to train the senior management team and ensure staff members are fully aware of GDPR and its potential impact. All your staff should be trained according to their responsibilities and roles. For example, you should set up general GDPR training for all staff as well as offering more in-depth training for staff with more responsibility.
  • Spend some time reviewing all of the personal data you currently hold – including data for pupils, staff, parents, suppliers and governors – which needs to be organised and stored in an audit.
  • It is important that you identify all software that you currently use in your school, including all apps downloaded by teachers in their classrooms. You and your school must know exactly what is being used, for what purpose it is being used and you must also understand what personal data is being processed on all software. Failing to comply with this could lead to a breach of GDPR and you could face enforcement action from the ICO, resulting in negative publicity for your school, or even a fine if the breach is serious enough.
  • You should start to consider your Data Protection Officer. This person will be responsible for advising you on GDPR and ensuring you are compliant with all requirements. You will need to consider who you appoint carefully as they have to report to the highest level of management and cannot have any conflicts of interest.


It is still not 100 per cent certain exactly how GDPR will affect schools and no specific guidance for education has been produced. However, if schools put into place general best practices then they will be well placed when the changes come into effect. 

Further information

  • General Data Protection Regulation: Evolution or Revolution for Schools? The DfE Teaching Blog, October 2017:
  • Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now, Information Commissioner’s Office:

This material is protected by MA Education Limited copyright.
See Terms and Conditions.


Please view our Terms and Conditions before leaving a comment.

Change the CAPTCHA codeSpeak the CAPTCHA code
Sign up Headteacher update Bulletin
About Us

Headteacher Update is the only magazine delivered directly to every primary school headteacher in the UK. It is published six times a year, at the beginning of each term and half-term, to keep headteachers up-to-date with everything going on in primary education.

Learn more about Headteacher update


Register to receive regular updates on primary education news delivered free to your inbox.