DfE Publishes GDPR Toolkit for Schools

Posted on 24 April 2018 in All news

If you work in a school and have not heard of the General Data Protection Regulation (GDPR); you must have been living on another planet!

Yesterday the DfE published a GDPR Toolkit for Schools – guidance which will help schools to develop policies and processes in preparation for the GDPR coming into force.

The new GDPR legislation is enforceable from 25 May 18 – only one month away – and schools are gearing up to make sure they are compliant, because breaking the rules can be costly to the school’s budget, and more importantly, their reputation.  GDPR isn’t normal ‘day-to-day’ business for schools, so they will have to adapt to make it commonplace, alongside all of the regular teaching and learning commitments that go on.

How will GDPR affect Schools?


Schools and Academies are bursting with data – whether it’s paper consent forms in filing cabinets, student and staff databases, text messaging, email and online payments services – even CCTV on the premises!  Regardless of how this information is stored, schools already have a duty of care (under current Data Protection Act legislation) to keep this information safe and secure – but GDPR will intensify this responsibility even further.

The Information Commissioners Office (ICO) have issued guidance, urging organisations to put GDPR policies in place, as non-compliance could result fines of up to £500,000.  In addition to any financial penalty, failure to comply could seriously impact your school’s Ofsted ratings.

What steps can your school take, to comply with GDPR?


Check third party suppliers and contracts – It is your responsibility as a school (the data controller) to make sure that any external parties that handle your school’s data are fully compliant with GDPR (e.g. messaging service providers like us, IT software suppliers, IT recyclers/asset disposal partners, catering companies, teaching agencies etc.)  This should also be documented in a formal SLA (for each supplier) outlining how the data is stored, handled and shared – as under GDPR, it will be illegal not to do so.

Data Protection Officer (DPO) – you will need to appoint a DPO,  who will have overall responsibility for all data handling in your school. The regulations around data handling are very detailed, so your DPO will need to be aware of the requirements, as well as being responsible for reporting any breaches within 72 hours.

Have an e-safety policy in place – Having a robust e-safety policy in place will make sure that all stakeholders linked to your school (both internally and externally) know how to stay GDPR compliant.  This will protect not only your staff and students, but it will keep safe, all the data that is held on the systems in your school.  (don’t forget, a cyber attack on your school’s IT network, viruses that infect your IT systems, or even the way your school’s IT hardware is disposed of, can all affect your GDPR compliance!)


Who within the School needs to think about GDPR?  


Senior leadership – Just as safeguarding is a school-wide priority (normally led by one of the senior leadership team), it is recommended that GDPR  follows the same approach. Someone within the senior team who has adequate resources and understanding to implement the legislation across the school.

All staff – GDPR could never be just the remit of one person – it’s important that the whole school is on board when it comes to data protection.  All staff should know about, and be trained in the GDPR so they understand the implications of their activity around the collection of personal data (e.g. even class teachers taking the class register)

  • Reporting a data breach: teachers must understand what constitutes a breach and, if they suspect a breach has occurred, report it to their DPO.
  • Introducing new systems: if teachers want to introduce a new piece of subject-specific software or use any new processing system there needs to be a clear process in place to inform the DPO and ensure it is done compliantly.


Data Protection Officer (DPO) – Under the new law schools must appoint a DPO; however, groups of schools or MATS are allowed to share a DPO.  Either way, whether the DPO is appointed internally or externally, they will need enough knowledge about the school to be able to properly advise.

External third parties – Any third party suppliers who handle a school’s data (e.g. messaging or payments providers) will have to have processing agreements in place.

What will happen on 25 May 2018?  


Subject Access Requests (SAR) – From 25 May, any data subject (that’s someone whose data the school holds) can exercise certain rights with regards to their data. This means that a parent could ask for a school to produce all data it currently holds on their child, or a job applicant could ask you to erase all their details. Schools are legally obliged to carry out these requests within 28 days of the request being given.

Reporting a breach – From 25 May, if schools are informed of a breach to someone’s personal data, they may be required to inform the ICO. Under serious circumstances schools may be required to inform the individuals whose data has been put at risk.

Fines/Penalties – The maximum fine for failing to comply with the new GDPR is €20m (around £17.7m) or 4 per cent of the organisation’s annual turnover (whichever is greater). Under the previous regulations, organisations such as the NHS and TalkTalk have received six-figure fines, although the consensus suggests schools will need to be seriously negligent to receive similar penalties.