Is your school ready for GDPR? Act now or face a hefty fine

The General Data Protection Regulation (GDPR) is almost upon us – and fines for non-compliance are alarmingly high, which is why schools need to ensure they are fully compliant.

The GDPR poses a number of challenges for schools relating to the ways in which they collect, store and handle any personal data they hold.

“These changes apply regardless of whether that data belongs to parents, employees or suppliers.

All schools must be able to demonstrate how they meet the GDPR’s new ‘Six Principles when using personal data.

The data must be:

  • Processed lawfully, fairly and in a transparent manner
  • Collected for a specific, explicit and legitimate purpose
  • Adequate, relevant and limited to what is necessary
  • Accurate and kept up to date
  • Kept for no longer than is necessary
  • Kept secure

It is important that schools review and record the data they hold, how they obtained it and what they use it for. Additionally, they will need to check how secure the data is, who has access to it and whether it has ever been transferred outside of the school.

As a minimum, schools need to contact any individuals on whom they hold data. These individuals should also be given access to a privacy notice.

Data relating to children will still require special consideration. Until now, the ICO (the UK independent body set up to uphold information rights) advised that children under 12 were not able to provide valid consent, and that for over 12s, consent should be determined on a case-by-case basis.

GDPR replaces the Data Protection Directive 1995 which does not refer at all to “children” or “age.” This means that GDPR does not provide hard and fast rules regarding an age at which a person is considered to be a child. Instead, it only refers to children as “vulnerable individuals” who are deserving of “specific protection.”

The rules governing the GDPR are complex and confusing. Falling foul of them can have drastic consequences for an organisation of any size, not only risking a substantial fine but damage to your school’s reputation.

If your school is not already fully prepared for GDPR, you should seek urgent advice regarding compliance, so please contact Michael Watts in our education team at or by phone on 020 8418 3350.