The GDPR came into effect in May 2018. This blog from Keystone Knowledge reflects on what the GDPR means for schools and why it should still be a priority four years on from the initial implementation. 

The General Data Protection Regulation (GDPR) is a regulation within the EU and the European Economic Area that aims to protect how personal data is stored and processed. The GDPR first became law in the UK in May 2018; then, following Brexit, it was replaced by the UK GDPR in January 2020. Alongside the Data Protection Act 2018 and other legislation, the UK GDPR governs all processing of personal data from individuals located inside the UK.

The UK GDPR is far-reaching, with significant implications for non-compliance. At the same time, the wording in parts is vague and open to interpretation. Although it was introduced in 2018, the UK GDPR still causes confusion and worry.

This article summarises the key issues of the UK GDPR and how it affects your school.

The UK GDPR in schools

As schools mainly deal with pupils’ data, you must be extra vigilant in your data management. At the same time, it can be difficult to find the right assistance to help you navigate your responsibilities.

While additional regulations can feel like more hoops to jump through, they can also be beneficial. Our philosophy at Keystone Knowledge is that schools are actually very good at managing data in almost all cases. We know that schools already place immense importance on managing data confidentially and recognise the sensitivity of the data that they hold. The UK GDPR limits the data that schools can collect to only what is strictly necessary. This can help to prevent your SLT from becoming bogged down in superfluous details and let it see the real trends and issues.

One of the biggest points of confusion and concern when the UK GDPR was first implemented was the belief that you cannot process data without consent. This is not the case. For some data, you do need consent; however, there are other lawful bases you can rely on to process data, e.g. public task. In schools, there are many reasons why you need to handle data, such as attendance, pupils’ medical information, exam results or timetables, but you must make sure that any information gathered is ‘proportionate to the legitimate aim pursued’.

Whilst schools are generally good at data management, sometimes things can be overlooked, or mistakes can happen. That’s where a good DPO service can support you throughout the year with ongoing improvements to the way you work, and with training and guidance when issues arise.

What steps can you take to secure your data?

One of the most vital steps of compliance with the UK GDPR is to keep any data that you are holding safe and secure. Although this will protect you from potential fines and scrutiny, it will also help to safeguard your pupils. All children have a right to privacy and a right to be safe, both in school and out of it. It’s easy to see how dangerous it could potentially be if pupils’ names, addresses or timetables were to become public knowledge.

You should aim to protect your files, both paper and digital, with a level of security that reflects how sensitive the data is. For example, names, dates of birth and National Insurance numbers should have the highest level of security, whereas anonymised survey results may need less stringent protection.

Some simple ways to increase your data security are using strong, random passwords, turning on two-factor authentication and encrypting digital copies of personal information. 

What steps can you take to stay compliant?

Conduct a data protection audit

Using a trusted auditor will provide a comprehensive overview of how well your school or MAT complies with your data protection obligations, as well as identifying possible risks and recommending ways you can move towards best practice. Your audit should cover areas such as your policies and procedures (for both electronic and manual records), provision of staff training, organisational awareness of the UK GDPR and the systems in place to ensure the security of all the information held.

Appoint a DPO

A data protection officer (DPO) is the person responsible for monitoring how well your school or MAT complies with the UK GDPR. They should be an expert with extensive knowledge of the UK GDPR, both in theory and in practice, and of the school’s operations, technology and security. It is their responsibility to ensure that your school’s data, data processing and the systems that support them are compliant and will protect against possible breaches, while striving toward good practice.

Although it can be beneficial to appoint an external DPO to avoid a conflict of interest, they must know how your school or MAT runs.

Give staff adequate training

Maintaining a high level of data security is achievable, but it might require some additional training to get everyone on the same page. In addition to giving them the tools needed to fulfil their obligations, training can help your staff to feel more confident in answering difficult questions without revealing too much.

Raise awareness

Although a DPO can manage many of the obligations needed to stay compliant with the UK GDPR, it is the responsibility of everyone in your school to be aware of the essential dos and don'ts.

It’s not uncommon to hear of serious data breaches that have occurred due to human error (e.g. clicking ‘reply all’ and sending confidential information to a whole cohort!). Indeed, Keystone’s DPO service has offered support to schools which have done just this in the last few weeks. Keeping data security at the forefront of your staff’s minds can help prevent these slip-ups and can pave the way for greater efficiencies and improved processes.

Add a privacy notice

Most websites you see now have a ‘privacy notice’ link in their footer. It may not be the most visited page on the website, but it does serve a vital purpose. A privacy notice explains to staff, parents and the public how the school collects, processes and stores data. Your privacy notice should be concise, transparent and written in plain English. The UK GDPR lays out exactly what information you should include in your privacy notice, including the contact details of the DPO and the school, the purpose and legal basis for processing an individual’s data and the interest of the school. We recommend that you have an accessible privacy notice specifically for your pupils that explains what you’re doing with their data. Keystone can provide template policies which can be tailored to your own organisation as part of our DPO service.

If you are looking to appoint an external DPO, Keystone Knowledge offers a DPO retainer service. This includes a named DPO, policy reviews, a GDPR audit, training for staff, governors, and trustees, and data protection impact assessments (DPIA). Our friendly, experienced team will work with you to guarantee that you are compliant with GDPR while working towards best practice. 

For more information, visit our website at or email us at