General Data Protection Regulations (GDPR)

In May 2018 the current Data Protection Act will be replaced by the GDPR.

These changes will impact any organisation handling data.

As schools are data controllers they are required to comply so it is important that governors and trustees begin to consider any potential impact.

The GDPR apply to all personal data collected by an organisation.

Be prepared for the changes to the GDPR in May 2018 (pdf)

General Data Protection Regulations (GDPR): LGfL provide discount to compliance tools

Guidance for schools

LGfL resource centre - GDPR

DfE - GDPR guidance for schools

The regulator for the Data Protection Act 1998, the Information Commissioners Office (ICO) has produced guidance notes for education settings:
ICO website for education settings

They haves also produced a webinar discussing how the ICO will help schools with GDPR compliance:
Webinar - data protection for the education sector

Is your school on the ICO register

Please note all data controllers - including schools - should be on the ICO’s register of data controllers.

By visiting the register, you can confirm if your school is listed on it:

The ICO register

Changes from May 2018

The GDPR regulates the way organisations can handle personal data, of teachers, pupils and parents/carers.

There are some important changes:

  • Schools will need to be able to identify that they have a legitimate reason for processing personal data. In addition, as public sector organisations, schools will not be able to rely on “consent” by the individual data subject.
  • People have a number of new rights under the GDPR and schools will need to be able to deliver against these rights. Some of these new rights should be relatively simply to deliver. Others may require new processes or even new technology.
  • Schools will have to appoint an independent data protection officer (DPO) with appropriate skills and knowledge; however potentially the DPO can be shared across several schools.
  • There are enhanced requirements around the security of personal data – and enhanced fines for allowing breaches.
  • Compliance with the new rules will not be sufficient: you will also have to demonstrate compliance.

Basic tips to keep your school website safer from hacking

Schools have occasionally found their school website hacked.

Sometimes minor changes are made, other times the whole site is replaced by something else.

The motive is usually either for no particular reason or to promote a point of view or message.

Here is a reminder of good practice to ensure good levels of security on your website in light of increasing cyber-attacks.

Ensure software used to make the website is up to date

This applies to both the hosting server operating system and any software that is run on your website such as a CMS (content management system, eg: Joomla) or forum.

When website security holes are found in software, hackers are quick to attempt to abuse them.

If you are using a managed hosting solution, the sort where a small number of people log in to change various elements of your website, then you should not need to worry so much about applying security updates for the operating system as the hosting company should take care of this for you, but it is worth checking with your web company.

If you are using third-party software on your website such as a content management system (CMS) or forum, you should ensure you are quick to apply any security patches.

Use strong passwords

Make sure you use complex passwords (eg: W1g2N1avmm = When I go to Nottingham I always visit my mum) especially to your server and website admin area, but equally also important to insist on good password protection practices for all users.


If your website contains within it any personal data that is accessed by certain people then HTTPS is a protocol used to provide security over the internet.

HTTPS guarantees to users that they are communicating with the server they expect, and that their content is not being intercepted / changed in transit.

If your site is hacked?

In the event of a cyber-attack or your website being hacked you will need to liaise with both your web design company and the hosting company (they might be the same people but could be different).

You should also notify Ealing Council.

Was this page useful? 
Last updated: 15 Nov 2019