Finance and data

General Data Protection Regulations (GDPR)

On 25 May 2018, the existing 1998 Data Protection Act (DPA) was replaced by the new Data Protection Act 2017, also known as the General Data Protection Regulation or GDPR – meaning that the way you manage all personal data and information within your school may have to change.

These changes will impact any organisation handling data.

As schools are data controllers, they are required to comply, so it is important that governors and trustees begin to consider any potential impact.

The GDPR applies to all personal data collected by an organisation.

Be prepared for the changes to the GDPR in May 2018 (pdf)

General Data Protection Regulations (GDPR): LGfL provides a discount on compliance tools

Guidance for schools

LGfL resource centre - GDPR

DfE - GDPR guidance for schools

The regulator for the Data Protection Act 1998, the Information Commissioner's Office (ICO), has produced guidance notes for education settings:
ICO website for education settings

They have also produced a webinar discussing how the ICO will help schools with GDPR compliance:
Webinar - data protection for the education sector

Is your school on the ICO register?

Please note all data controllers - including schools - should be on the ICO’s register of data controllers.

By visiting the register, you can confirm if your school is listed on it:

The ICO register

Changes that took place from May 2018

The GDPR regulates the way organisations can handle the personal data of teachers, pupils and parents/carers.

There are some important changes:

  • Schools will need to be able to identify that they have a legitimate reason for processing personal data. In addition, as public sector organisations, schools will not be able to rely on “consent” by the individual data subject.
  • People have a number of new rights under the GDPR and schools will need to be able to deliver against these rights. Some of these new rights should be relatively simple to deliver. Others may require new processes or even new technology.
  • Schools will have to appoint an independent data protection officer (DPO) with appropriate skills and knowledge; however, the DPO can potentially be shared across several schools.
  • There are enhanced requirements around the security of personal data – and enhanced fines for allowing breaches.
  • Compliance with the new rules will not be sufficient: you will also have to demonstrate compliance.
Last updated: 01 Aug 2023