General Data Protection Regulation (GDPR) for schools – 12 months on…

Published by Phil Reynolds on 28 May 2019

I recently attended the Schools and Academies Show in London and sat in one of the sessions presented by the Information Commissioner’s Office (ICO) who provided an update on how the last 12 months have been for schools since GDPR came into force.

Below are some of the key points that schools should be considering one year on.

  1. Data Protection Officer (DPO) roles need to be carefully considered when operating as a Multi-Academy Trust (MAT). Is the DPO role over-stretched? Are they responsible for too many schools?
  2. The DPO role should not be a conflict of interest. For example, the DPO should not be the IT manager who is also in charge of system procurement.
  3. Record keeping and documentation of key decisions made needs to improve.
  4. Key staff should receive regular or refresher training aimed at the right level.

The ICO has received approximately 6-700 complaints regarding schools since GDPR came into force. Most complaints centre around Subject Access Requests (SAR), inappropriate disclosures of data, security and transparency.

The ICO also flagged that cyber attacks are increasing, especially as a result of phishing emails. Therefore they encouraged schools to consider training staff to make them more aware of phishing emails to avoid issues arising. Our recent article on cybercrime also stressed this.

One member of the audience also raised the issue where a SAR is received but cannot be fully complied with due to summer holidays and staff being unavailable. The ICO confirmed that there is no exemption available in these instances and therefore the request must be dealt with. However, the following tips were provided:

  • Ensure procedures are in place to deal with this type of incident (the ICO will need to see this)
  • Document the issues arising and decisions made
  • Manage the expectations of the person making the request and explain there might be a delay with some of the information
  • Do the best you can

GDPR is now here and here to stay, so schools should look to continuously review and monitor their systems, performance and reporting.
