GDPR support for schools

About GDPR

The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA) came into force on 25 May 2018.

Schools and settings must ensure their data processing activities are compliant with this legislation and must be able to demonstrate how they are meeting these requirements.

8 key tasks

We've compiled a list of 8 key tasks to help schools and settings be compliant.  

  1. Appoint a Data Protection Officer (DPO). They are responsible for managing data protection day-to-day. Let all staff know who the DPO is.
  2. Update the privacy notice page on your website to include details of how you use personal data. Include the address of the DPO so people know who to contact if they have data protection queries.
  3. Create a central register of all the processes that use personal data in your school. Include the data location and who has access to it. For example, spreadsheets containing personal data.
  4. Create a central register containing records of all data breaches. Include what happened, when it happened and whether the incident was reported to the ICO.
  5. Review your data protection policy/procedure. It should reflect the specific ways you use personal data in your school.
  6. Review your paper documents and securely destroy documents that are no longer required. You should do the same for your digital information and delete what is no longer legitimately required.
  7. Create a process for managing Subject Access Requests (SAR). Tell all staff and volunteers how to recognise a SAR and make sure they tell the DPO as soon as they identify a request.
  8. Create training and awareness materials. Ensure you regularly train and raise data protection awareness among all staff.


    Chevaun Walsh, Strategy and Governance Manager