A Guide to GDPR Compliance in Schools

GDPR, or General Data Protection Regulations, were first brought into effect in 2018 as a replacement for the 1995 Data Protection Directive.

GDPR is a European Union (EU) law comprised of a set of rules that make up the world’s strongest data protection effort, giving advanced rights and protection to personal information. It marked a significant turning point in altering how both public and private bodies handle personal information.

For businesses and organisations that fail to meet GDPR regulations, there is the potential for large fines and reputational damage which, for schools, can have a devastating impact. 

Schools are responsible for a significant amount of data, for students, teachers and wider stakeholders. One of the biggest challenges for schools when it comes to GDPR is tackling the financial and resource-driven implications of overhauling existing practices for handling personal data.

GDPR has led to a requirement for schools to take greater accountability over the data they collect. It’s vital that schools have a solid understanding of the policies and practices around managing personal data, and how GDPR rules and regulations may differ from those prior to its introduction.

If any form of data collection is undertaken that is considered outside of normal school procedures, it must be done with full consent from the individuals involved. This is especially true if any data is handled by a third party. Schools must also ensure that any third-party suppliers they work with are also fully GDPR compliant and a contract is in place.

GDPR compliance requires schools to undergo a number of important steps to avoid breaches in data security. Firstly, schools need to be aware of the GDPR legal framework and understand the legislation in place and its implications if required standards are not met.

Secondly, schools are obligated to document and review all of the personal information they hold on file for staff, pupils and wider stakeholders such as parents and governors. All data should be audited, organised and stored in a way that meets GDPR standards.

All staff need to be aware of GDPR rules and regulations, and regular awareness training should be undertaken with all staff, with more specific training for staff at more senior levels of responsibility.

Schools also must ensure that they have systems in place to gather parental consent for data processing, and have full transparency on which forms of software are being used for teaching and data collection and their GDPR compliance.

Schools must ensure that students and those with parental responsibility have the right to access and review information that the school stores on them and that data is only collected when necessary and appropriate.

As schools are classified as a public authority, part of GDPR legislation states that there is a lawful requirement to employ or assign a Data Protection Officer who is responsible for any GDPR compliance and data protection.

There are two main roles when it comes to GDPR compliance in schools – the data processor and the data controller.

Data controllers are typically the educational institute and are responsible for:

• Determining whose information to collect, what type of data to collect and why
• Whether the information will be shared with a third party and if so, which ones
• When and where data subjects’ rights apply
• How long data is stored
• Any non-routine amendments to data.

Data processors on the other hand are the people or organisations responsible for collecting data. They are primarily responsible for:

• Overseeing data processing
• Storing data securely
• Implementing controls for personal data transfer
• Ensuring the adherence to a retention schedule
• Disposing of sensitive data

Everyone at the school has a role to play in data protection. The school’s leadership team are responsible for the school’s data protection activities to meet requirements. They also must ensure the rest of the staff know how to handle personal data.

The designated Data Protection Officer is responsible for checking the school’s practices around data handling and advising on how to improve data protection where appropriate.

The wider school team must understand and follow policies and procedures when handling personal data and each member of staff must have some form of training.

GDPR compliance is key to preventing data breaches and leaks and protecting the safety and security of pupils, staff and stakeholders. If a school is not GDPR compliant, they risk a number of serious implications, including fines, warnings and reprimands, bans on data processing and restriction or erasure of data.

To ensure a school is adhering to GDPR legislation, they should:

• Make sure senior management understands the importance and impact of UK GDPR.
• Carry out annual information audits to understand the data you hold, where it is stored, who it is shared with, how long it is kept and how it is processed.
• Deliver regular training to staff and governors.
• Review, update and create policies and procedures that align with any UK GDPR changes.
• Appoint a Data Protection Officer, either in-house or an external contractor, with sound knowledge of data protection laws and practices who is able to carry out the tasks set out in Article 39 of the GDPR.

CHG provides data erasure for assets leased meaning that if you lease your equipment from us, we can assist with your data erasure requirements, this can also be done on-site if needed. For more information see our sustainable IT solutions for the education sector.

Get in touch today to find out more.