The General Data Protection Regulation (GDPR) will come into effect in May 2018, and the ICO has advised all public bodies, including schools, to ensure they understand the regulation and prepare in advance for any action this may require in terms of data protection and information management policies and procedures.

The regulation will provide a single data protection framework for the EU. The Council of the European Union (the Council) believes that operating by one set of rules will prevent conflicting national data protection rules. The most impacted areas will likely be the management of IT infrastructure, communications and technology, and personnel records and the maintenance of documentation. 

According to the ICO, if you are already compliant with the current Data Protection Act (DPA), then most of your procedures will remain compliant under the GDPR; however, the new regulation does include new elements and enhancements that will require new and/or amended procedures in your school.

For instance, the GDPR will require organisations to review their approach to managing data protection, which may give rise to a need for a review of contracts and other data-sharing arrangements in place with other organisations.

As certain elements of the GDPR will affect different organisations to varying degrees, the ICO recommends mapping out the part of the GDPR which will have the greatest impact on your school and planning accordingly.


The main elements presented in the GDPR affecting schools



New elements in the GDPR


  • The accountability principle requires organisations to be able to prove their compliance with data protection principles, by having effective policies and procedures in place.


  • Additional requirements for the content of privacy notices, such as details of your legal basis for processing the data, your data retention periods and stating that individuals have the right to complain to the ICO if they have issues with your handling of their data.
  • Information in privacy notices must be provided in concise, easy-to-understand, clear language.

Individuals’ rights

  • A new right to ‘data portability’ (an enhanced form of subject access) has been added to the list of individuals’ rights, meaning you have to provide data in a commonly used, electronic format.
  • The main rights for individuals under the GDPR which you must uphold now include: subject access; to have inaccuracies corrected; to have information erased; to prevent direct marketing; and data portability.

Subject access

  • The timeframe in which to comply with subject access requests (SARs) has been reduced from 40 days to one month.
  • The grounds for refusing to comply with a SAR will be different – you must have policies and procedures in place to demonstrate how any request refusal meets the criteria.
  • Unfounded or excessive SARs can be charged or refused.
  • Additional information will need to be provided for those making SARs, including your data retention period and the right to have inaccurate data corrected.

Legal basis

  • Your legal basis for processing personal data must be explained in privacy notices.


  • Data controllers must be able to demonstrate that consent was given, where necessary.
  • Consent has to be a positive indication of agreement to personal data being processed, i.e. not inferred from silence, inactivity or pre-ticked boxes.


  • Special protection is given for children’s personal data – you will need the consent of a parent/guardian to lawfully process a child’s data, unless that child is over the age of 13, then they are able to give the consent themselves in certain circumstances.
  • Privacy notices for collecting children’s data must be written in a language that children will understand.

Data breaches

  • A breach notification duty will apply to all organisations.
  • All breaches that are likely to cause an individual to suffer some form of damage, such as identity theft or a confidentiality breach, will have to be reported to the ICO within 72 hours.
  • A failure to report a breach could result in a fine, as well as a fine for the breach itself.

Data protection by design and impact assessments

  • Adopting a ‘privacy by design approach’ and carrying out a data protection impact assessment (DPIA) will be an express legal requirement, rather than just good practice.

Data protection officers (DPOs)

  • Some organisations, including public authorities and those carrying out regular and systematic monitoring of data subjects on a large scale, will be required to appoint a DPO.


11 steps to prepare for the GDPR


If you leave your preparation until the last minute, you may find it difficult to become compliant in time for the GDPR coming into effect. The ICO recommends taking the following steps in preparation for the implementation of the GDPR.






Make decision-makers and relevant staff aware of the law change, in a way that allows them to appreciate the impact it will have.


Information held

Create a record of what personal data you hold, where it came from and who you share it with, as it may be necessary to organise an information audit.


Communicate privacy information

Review your privacy notices and draw up a plan to make any necessary amendments in time for the GDPR coming into effect.


Individuals’ rights

Ensure your procedures cover all the rights of individuals, including for the deletion of personal data and data portability.



Update your procedures and draw up a plan for handling requests within new timescales and providing additional information.


Processing personal data: legal basis

Identify your legal basis for carrying out the types of data processing that you carry out and document the rationale. You may need to think about how the changes to individuals’ rights may affect your legal basis, for instance, data subjects have a stronger right to have their data deleted if your legal basis is consent.  



Review your procedures for obtaining consent, bearing in mind whether you will need to make any changes.



Consider implementing systems to verify individuals’ ages and to gather parental/guardian consent for processing children’s data.


Data breaches

Ensure you have implemented the correct procedures for detecting, reporting and investigating personal data breaches.


Data protection by design and data protection impact arrangements

Using the ICO’s guidance on DPIAs, work out how and when to implement them in your school.



Appoint a designated Data Protection Officer, if necessary, or assign someone the responsibility for data protection compliance, and assess where within your school’s structure it is appropriate for someone to take on this role.




ICO (2016) ‘Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now’

ICO (2016) ‘Overview of the General Data Protection Regulation (GDPR)’ <> [Accessed: 2 August 2016]