GDPR (General Data Protection Regulation)


GDPR, or General Data Protection Regulation, comes into effect on 25th May 2018 to replace the existing data protection legislation in use in this country and across Europe. Recognising the weaknesses in the original data protection approach, partly due to emerging criminality, new technology such as smartphones and the impact of social media, "Europe" decided that the whole process needed changing and strengthening. Additionally, it had to be a standard across all 28 European countries.

Rather than letting each individual country interpret the original act and adopt its own legislation, it has become a universal "Regulation" so that there are no doubts and no exclusions, and everybody within Europe can exchange data knowing that there is a common methodology controlling the privacy of the individual. The main function is that you have to keep your data safely within the jurisdiction of European Courts.

How does this affect us?

Schools handle a large amount of personal data.  This includes information on pupils, such as educational achievement, medical information, photographs and much more.  Schools will also hold data on staff, governors, volunteers and job applicants.  Additionally, schools handle what the GDPR refers to as special category data, which is subject to tighter controls.  This could be race, ethnic origin or even trade union membership.

Personal data is already governed by existing data protection regulations, which ensure personal data is handled lawfully. However, the new GDPR has gone further and requires organisations to document how and why they process all personal data, and gives enhanced rights to individuals. Effectively, the GDPR has taken the previous regime, built on it and modernised it for the current technological and societal environment.

In terms of schools, and the education sector, there's going to be much more of a focus on data protection. In particular, this will be emphasised by decisions made by the senior leadership team when reviewing policies and bringing in new technology. The most significant difference between existing data protection and GDPR is the necessity to be able to prove compliance.

Who will this impact?

In simple terms, EVERYONE. In order for any school to obtain compliance, there is a need for full support by all staff, leaders, governors, parents and all third-party partners. GDPR will impact on everything in some small way. Like safeguarding, this is a school-wide priority, led by the senior leadership team. With training and support, all day-to-day activities identified can be adjusted to ensure that appropriate data protection becomes second nature to all.

Next steps...

  • Revised privacy notices sent to all parents and staff
  • Revisions made to school data protection policy
  • Newly worded consent forms to parents
  • Collation of third party compliance from school business partners
  • Completion of information audit in school to ensure we manage data in line with guidelines

How do we ensure we get this right?

The school will be required to employ a DPO (data protection officer). It is their responsibility to ensure that we are making every effort to be compliant with the regulations, that we communicate a clear message to all, and that this is adhered to. The school must risk assess what is or is not within the scope of compliance, and all parties MUST be prepared to follow the protocols which the school sets.


Our school's DPO is Mrs J Cameron. If you have any concerns in relation to data protection or wish to make a subject access request, then this must be done in writing to