Schools have their own special set of challenges when preparing for GDPR and imminent EU rules will radically change the way all organisations have to look after personal data.

From school photos to pupils’ grades, schools handle a large amount of data in the form of paper records, electronic files or software systems. At the same time, they have a duty to protect the privacy of students, families, staff, governors and job applicants.

Identify a data protection expert

The new regulation will apply from 25th May, so it’s essential that schools are ready. If they haven’t already done so, one of the first steps for schools, like other organisations, is to appoint a Data Protection Officer. Either a member of staff or someone from an outside organisation, this person must understand GDPR and will take responsibility for the security of the school’s data.

The data protection officer, alongside other key senior members of staff, needs to be well-versed in the implications of GDPR – including its six principles – not least to understand the potential financial costs to the school if a data breach occurs.

A substantial amount of work needs to go in to auditing and making sure there are sufficient processes, policies and training in place in order to remain compliant when the new rules come into play.

All staff must be informed

All school staff should receive adequate data protection training as part of the process of being compliant with GDPR. The rules emphasise the need to demonstrate compliance and provide evidence.

Data protection training should be ongoing, with regular refreshers for staff. New starters should receive training before they have access to personal data.

What is a breach?

One particularly important aspect of staff training is to teach them how to identify a data breach. In a school setting, there are many ways that a breach could occur.

Many data breaches identified by the Information Commissioner’s Office (ICO) in schools in the past have combined human error with inadequate policies.

In one instance, pupil personal data was found at a printer by another student. In another, a text message about a pupil’s behaviour meant for their parents, was sent to all parents in error. In yet other breaches, letters and emails which contain sensitive pupil information have been sent to the wrong parents.

Imagine the consequences, if details about a pupil’s risk of harm fell into the wrong hands? It could put the vulnerable child at even greater risk or could potentially jeopardise legal proceedings if the incident was subject to criminal investigation.

Under GDPR, data breaches can lead to fines of up to 20million euros or 4% of a company’s turnover. Other consequences might include a loss of confidence in the school, and reputational damage to the individuals involved and the leadership team.

Then there are issues involving IT. For example, what happens if staff replace hardware in the school? Does the school have a policy, maybe through the local authority, for disposing old computers responsibly? Can they be sure that those computers are destroyed appropriately, and the data will be put beyond accessibility?

Alternatively, do staff members take work home? How do they do this? Do they leave sensitive paper work in the car whilst stopping on the way home to the supermarket? Do they transfer sensitive personal data about pupils onto memory sticks to enable them to work from at home? How does a school ensure that this data isn’t then lost or stolen, or even kept unnecessarily on a teacher’s home machine? All these things need to be considered.

Some electronic record keeping systems are accessible from any internet enabled device which should prevent this from happening, and schools , may need to consider such options to reduce the risk of a data breach.

It is essential to establish good IT practices. This means ensuring computers are up-to-date and have anti-virus software installed, which is patched on a regular basis. It means a firewall is needed in a school’s network, and members of that network have been audited.

Know how to respond

Schools must consider: if a data breach occurs, do the school staff know how to report it, or are they just going to brush it under the carpet? Do they know where to go; is the process simple? Do they have to trek from one side of the school to the other to get a paper form to fill out, or can they simply send an email to the data protection officer? Those are all important considerations for schools.

Staff in schools should also be aware of what plans are in place to respond to data breaches. The ability to refer to a checklist should make crisis management a lot more straightforward. It also demonstrates to the ICO that schools are committed to doing the right thing – even if something goes wrong, they can demonstrate good practice.

The clock is ticking until 25th May, so now is the time for schools to ensure their staff are prepared.


By Darryl Morton, Director of Operations & Security, One Team Logic