May 2022 marked four years since the General Data Protection Regulation (GDPR) was made law. The GDPR completely overhauled data protection across the EU, including the UK.

Now, four years on, we’re reflecting on the impact of the GDPR in schools, exploring your experiences and our own insights from implementation up until now.  

Preparing for implementation

The GDPR was adopted in 2016 after passing European Parliament, but it was not enforced until 25 May 2018 – this meant organisations, including schools, had two years to prepare for the implementation of the GDPR.

The changes that were to be brought about under the GDPR were significant. Some of the main elements that affected schools were:

  • Accountability – schools needed to prove their compliance with data protection principles by having effective policies and procedures in place.
  • Privacy – new requirements on information that must be included in privacy notices were introduced.
  • Subject access – the timeframe to comply with subject access requests was reduced to a month.
  • Legal bases – schools needed to explain their legal basis for processing data in their privacy notices.
  • Consent – stronger rules in relation to consent for processing data, where it was required, were introduced.
  • Data protection officers (DPOs) – schools needed to appoint a DPO.

There was a vast amount of detailed and complex information for schools to digest – then they had to make sure they had the policies, procedures and measures in place to be compliant. On top of this, there was the added pressure of increased accountability and the consequences of getting data protection wrong, as failure to comply could have resulted in fines from the Information Commissioner’s Office (ICO).

Here at Hub4Leaders, we saw the impact preparing for the implementation of the GDPR had on schools. This was extremely noticeable through the questions our members were asking us via our ‘Need Further Help?’ service.

Our ‘Need Further Help?’ service, which member schools can use to ask us questions and request documents, often gives us a good indicator of the key challenges schools are facing at a certain time. As schools prepared for the GDPR, we saw a huge influx of requests to clarify the requirements and to create policies and templates to aid in becoming compliant with the regulations. We first got asked about the GDPR back in April 2016, when the regulations passed European Parliament. From this point, we had a steady stream of members coming to us to provide clarity and compliant resources. This hit a peak in 2018 – the implementation year – where we had 185 GDPR-related requests: across the year, this accounted for 30 percent of our ‘Need Further Help?’ requests.

You can see below how requests relating to the GDPR played out over 2018, peaking as we got closer to the implementation date in May.


In May this year, we launched a survey to ask schools about their experiences of the GDPR. One question asked how challenging it was to meet the requirements of the GDPR back in 2018. 73 percent of respondents said that their school found it either somewhat challenging or very challenging. We received mixed responses when we asked schools to choose what the biggest challenge to achieving compliance was. 24 percent of respondents said that ensuring relevant individuals, e.g. staff and governors, followed the requirements was the biggest challenge, followed by understanding how to comply with the requirements (20 percent).

Transition to the UK GDPR

During the process of Brexit, there were discussions around how the GDPR would apply after the UK left the EU. It was decided that the GDPR would be retained in domestic law as the UK GDPR – this came into force on 1 January 2021. There were no significant changes made to the legislation beyond changes to accommodate domestic areas of law.

Within our survey responses, there was a pretty even split in terms of how confident people felt in understanding the changes between the GDPR and the UK GDPR. 46 percent said they were ‘very confident’ or ‘somewhat confident’ in understanding the changes, while 49 percent said they were ‘not so confident’ or ‘not at all confident’.

The current situation

Four years after the enforcement of the GDPR, it’s clear that schools are much more confident in how to ensure compliance with the regulations.

78 percent of our survey respondents reported that they are ‘very confident’ or ‘somewhat confident’ that their school is compliant with the UK GDPR now. Requests to our ‘Need Further Help?’ service also indicate that schools are comfortable with the requirements – in 2021, we received only 16 data protection-related requests, and we have not had any so far in 2022.

It does seem, however, that the GDPR and data protection throws up challenges for schools to this day. 63 percent of our survey respondents said that they ‘sometimes’ or ‘often’ face challenges with complying to the GDPR now, while only 6 percent said they ‘never’ face challenges to compliance.

Changes in the future

There are some changes to the UK’s data protection regime on the horizon that schools need to be aware of.

In the Queen’s speech to Parliament, which was delivered this May, it was announced that the UK’s data protection regime will be reformed via the Data Reform Bill. The aim of the reforms would be to reduce burdens and improve the clarity of current data protection legislation, i.e. the UK GDPR and Data Protection Act 2018.

The full text of the Bill has not yet been published, but briefing papers published following the Queen’s speech detailed some of the key elements of the Bill:

  • Ensuring that UK citizens’ personal data is protected to a gold standard while enabling public bodies to share data to improve the delivery of services
  • Using data and reforming regulations to improve the everyday lives of people in the UK
  • Designing a more flexible, outcomes-focussed approach to data protection that helps create a culture of data protection, rather than ‘tick box’ exercises

We can also look to the consultation that was launched back in September 2021 on reforms to the UK’s data protection regime to find out the main proposals schools should be aware of, including:

  • Getting rid of the current accountability framework and replacing it with a more flexible framework based on privacy management programmes.
  • Removing the requirement for organisations to appoint a DPO.
  • Removing the requirement for organisations to undertake a data protection impact assessment (DPIA), so that organisations can adopt different approaches to identifying and minimising data protection risks that better reflect their circumstances.
  • Changing the threshold for reporting a data breach to the ICO with the aim of addressing over-reporting.
  • Introducing a fee regime for subject access requests.
  • Introducing a new, statutory framework that sets out the strategic objectives and duties that the ICO must fulfil when exercising its functions.

Feedback on the consultation is currently still being analysed. While these are just proposals made during a consultation, it does give an indication of what could be included in the finalised Data Reform Bill.

The potential contents of the Bill does not seem to represent a huge overhaul in the UK’s data protection regime, so the impact on schools is unlikely to be as significant as when the GDPR was enforced in 2018. It is likely, however, that schools will still need to review their data protection policies and procedures to ensure compliance with the new Bill.

Staying informed and compliant

Back in 2018, resources on TheSchoolBus were at the forefront of helping schools to prepare for the implementation of the GDPR. This support did not stop after implementation – we continued to answer questions and create resources aimed at ensuring schools remained compliant with data protection legislation. We didn’t stop there – to this day, TheSchoolBus offers well over 100 resources aimed at making sure you’re compliant with data protection requirements.

We’re also keeping a close eye on the progress of the Data Reform Bill through Parliament and will make sure you’re fully up-to-date with the latest updates, and our resources will be updated to reflect any changes in law or guidance.

If you’re not a member of TheSchoolBus yet, click here to take out a free trial and find out how we can give you peace of mind.


Department for Digital, Culture Media & Sport (2021) ‘Data: A new direction’

ICO (n.d.) ‘The UK GDPR’ <> [Accessed: 27 May 2022]

Findings from our GDPR in Schools Survey are based on the 65 responses to the survey.