GDPR support for schools

About GDPR

The General Data Protection Regulation (GDPR) comes into force on 25 May 2018, replacing the existing Data Protection Act (DPA). The GDPR is not a complete overhaul of the existing legislation. The core principles remain largely the same with a few key updates designed to reflect the changes in how we use personal data since the original DPA was written back in 1998. With these updates to the law come new requirements for data controllers and processors in terms of protecting people’s personal data and respecting their rights.

8 key tasks

With these key changes in mind, HLT is using a framework of 8 key tasks to complete in order to ensure your compliance with the GDPR. While we are working toward the enforcement date of 25 May, it is worth stating that this date is not a cliff edge that schools will fall off if they are not 100% compliant – schools must, however, be able to demonstrate their awareness of the new requirements and their plans to satisfy them.

The 8 key tasks to complete are as follows:

  1. Appoint a DPO
  2. Complete an Information Asset Register and information audit
  3. Review and update your Privacy Notice
  4. Review and update arrangements with 3rd party data processors
  5. Review and develop internal procedures and policies
  6. Review your Subject Access procedures
  7. Review your data breach management procedures
  8. Embed Privacy by Design in your school

Further information

To support schools with this we will be issuing a series of 8 written guidance notes in the next few months, supported by tools and template documentation. Some examples being:


Sean O’Regan, Freedom of Information and Data Protection Officer

020 8820 7382