The Optimus blog

The blog that inspires leaders in the UK education sector

The Optimus blog

The blog that inspires leaders in the UK education sector

Caroline Collins

GDPR: how schools can prepare

Time is ticking, and in just a few months all organisations need to ensure they comply with the General Data Protection Regulations (GDPR). What should you be doing to make sure your school is ready? 

In the first of three blog posts, I’m going to look at how your school can prepare. I first heard about the GDPR at the start of 2017 and I thought then that it would only be a matter of time before my inbox was inundated with offers to train me, provide me with documents and so on, most of which would be at a rather high price. These started hitting my inbox in the autumn term by which time I’d made good progress on GDPR preparation. 

I’ve spoken to other schools who tell me that they’ve not started any work on preparation yet and they seem to think that somebody is going to produce something that will solve all the problems of the GDPR. Others have a laid-back approach because they ’already comply with data protection’. I hate to be the bearer of bad news, but I feel a reality check might well be needed.

GDPR compliance is not a simple checklist; it impacts on lots of other school policies and procedures. It’s great that you comply with data protection (I would expect all organisations who collect data to be compliant), but it doesn’t necessarily mean you comply with the GDPR.


There are a lot of similarities between the GDPR and the DPA but there are also a lot of new requirements. Here are key differences between them.

  • Penalties: fines under the GDPR are much higher, with non-compliance fines being up to €20m.
  • DPO: some organisations (including schools) will be required to appoint a data protection officer.
  • Data breaches: a new requirement under the GDPR is the reporting of a data breach within 72 hours.
  • Right to erasure: individuals will have the right to erasure whereby all data held on that individual will be erased.
  • Protection impact assessments: these will be mandatory where there is a high risk to the freedoms of the individual.

The GDPR is designed, rightly, to protect individuals and that’s important to all of us – I can’t imagine how I’d feel if I knew that an organisation had breached my own privacy by failing to protect my data. To protect individuals, organisations will need to be much more stringent and be able to evidence how they are complying with the new legislation.

Getting prep​ared now

Schools have four months to get everything ready so that they are compliant from 25 May 2018. You need to be looking at:

  • carrying out an information audit
  • creating a records retention schedule
  • appointing a data protection officer
  • training staff
  • reviewing school policies
  • reviewing privacy notices.

I’ve decided to create one audit and compliance working document which incorporates a questionnaire for preparation and compliance. I can add documents to this as evidence of compliance and it allows me to see clearly where things are missing. Once I’d completed the questionnaire, I created an action plan to sit within the same document. The working document also has a checklist, a reference guide and the records retention schedule.

I​nformation audit

Don’t underestimate the enormity of this task. Theoretically it’s a great exercise to undertake but it’s time consuming and needs input from others. You need to think about how you’re going to record the information, what’s going to be included in the audit and who you’re going to get that information from. 

Recording the information is down to preference. I’m an Excel geek so that was my preference – others might want to use Word or another electronic system. There are already companies out there offering to sell schools templates for audits but I don’t think we need to invest money unnecessarily.  

Designing a template was the easy part. Now I had to think about the actual data held in school and as thoughts popped into my head randomly from time to time I opted to do a mind map. Once I captured everything I thought we had I passed it around the school to other staff members so that they could add to it.

It took some time, and although I’m pretty certain I now have everything, I intend to pass it around once more before the GDPR comes in to. If you’re starting an information audit, my advice would be:

  • decide on your preference for the working document
  • involve the senior leadership team, don’t do it all yourself
  • use a mind map or something similar.

Remember, the information audit is not just about noting what data you hold but needs to include reasons for holding it, who it’s distributed to, why and much more. My current working document has the following headings.

  • Purpose for collecting the data
  • Category of person whose data is collected
  • Types of personal data collected
  • Source of personal data
  • Was consent obtained
  • Was there a Privacy Impact Assessment
  • Legal basis for collecting the data
  • Will the data be regularly updated
  • When is the data obtained
  • To whom might it be disclosed
  • Why might it be disclosed
  • How long is it retained for
  • Why was that retention period chosen
  • Manual document storage and security
  • Electronic document storage and security
  • In-house managed system security
  • Remote working security
  • External hosted service security
  • Cloud-based hosting security

It’s a long list and may well change between now and 25 May. Don’t forget to share this with your leadership team and speak to others who have access to data such as the school nurse, therapist etc.

Records retention schedule

Before you start trying to do this yourself, save yourself some time and download the Information Management Toolkit for Schools published by the IRMS. This document tells you everything you need to know about record retention and disposal. It certainly made my life easier.  

It has several tables that outline the document title, any data protection issues, statutory provisions, retention period and action at the end of the record life. The guidance made transposing the information into my compliance document a simple job.


My advice to anyone starting out is not to get bogged down with too much paperwork. Create one simple management document that contains everything you need. Over-complicating with too much paper will only get you down and achieve little.

In my next blog post, I’m going to look at the rest of the preparation that needs to be done, and update you on where we have got to. As I write, I’m awaiting a job description for a DPO so that we can appoint internally.

GDPR for Schools

Our GDPR for Schools conference will be providing more information and guidance on the new ePR, as well as an update from the ICO.

Taking place in London on 27 November and Manchester on 24 January 2019, you can secure your place now.

More from Optimus

GDPR: your questions answered

Webinar: GDPR – the role of the data protection officer

GDPR: how to undertake a data audit

Similar Posts

Lisa Griffin

Five ways to make your MAT more sustainable

Looking for ways to go greener in your multi-academy trust? Use these ideas to inspire you to creating a more sustainable and environmentally friendly trust. More and more schools are adopting environmental sustainability as a core value and raising awareness of it among staff, pupils, and parents...
Elizabeth Holmes

Eight ways to simplicity – small steps towards clarity

Discover the transformative power of simplicity in education. Elizabeth Holmes explores practical steps to declutter and focus on fostering wellbeing and renewed purpose as an educator. I remember sitting in a colleague’s office several years ago waiting for a meeting to start and watching while he...
Sheza Afzal

Three common mistakes schools face in their EDI work

Inclusive environments in schools require a shared responsibility to promote EDI. Sheza Afzal outlines three mistakes and offers suggestions for addressing them. Schools strive to create inclusive environments through their efforts to promote equality, diversity, and inclusion (EDI). However, this...