Data Protection - preparing for change

17 November 2016

Schools need to take note of the fact that the General Data Protection Regulation (GDPR) will come into force on 25 May 2018. On that date, data protection law will change consistently in all EU states but the UK’s referendum on membership of the EU will have no short-term effect.

The GDPR will replace the Data Protection Act 1998. Many of the broad concepts in present data protection law will survive. The next 18 months seems a long time but it is by no means too early to make preparations.

Although not a summary of all significant aspects of the GDPR, the matters we believe are of immediate importance to schools include:

  • the requirement that privacy (data protection) must be embedded “by design and by default” in all activities that involve the “processing” of personal data – whether that data relates to school employees, trustees, pupils and their parents or individuals outside the school. You must build in compliance on a risk-basis as a cornerstone of all you do;
  • the need for data protection audits, staff (and even pupil) training policies and “privacy impact assessments” to be carried out in connection with all new data processing activities;
  • regulatory penalties for non-compliance will increase from a present maximum of £500,000 to potentially €20 million or 4% of your previous year’s turnover. The Information Commissioner’s Office (ICO) will have enhanced investigatory and enforcement powers;
  • the GDPR will finally put it beyond doubt that consent to process data must in all cases be unambiguous and indicated by clear affirmative action. Consent cannot be implied or assumed;
  • if a security breach takes place and data enters the public domain, the school will be under an obligation to disclose it to the ICO within 72 hours.

Our broad recommendations for compliance are as follows:

  • be aware of all the main changes and understand how they will affect you. The ICO website has very helpful guidance including material aimed at teachers;
  • set up a working group with a mandate to develop policies and procedures and implement practical changes in data protection compliance;
  • commit to training programmes of all staff, reinforcing the importance of observing good data protection practice. The ICO encourages privacy and information security training of pupils as heavy users of the internet and social media;
  • review privacy policies and procedures, contracts with external processors and records of complaints and subject access requests. They might all require overhaul before mid-2018;
  • ensure that you can demonstrate that you have effective consent (or other justification) for all data processing. In the case of pupils, this must extend to parental/guardian consent in all cases;
  • consider all technical means of ensuring data security. Are they adequate and cost-effective in proportion to the risks to data subjects and to the school if privacy is breached?

We are able to advise you further on all aspects of present and future data protection legislation.

For further advice, please call us on 01483 543210 or alternatively email

By Laurie Heizler