New data laws come into force next May; Theresa Kerr explains how to comply

A lot of schools are aware that the law on data protection is changing but are not sure what it will mean for them in practice. A school business manager recently asked even asked me if he should be losing sleep over it. My answer? Not really.

The General Data Protection Regulation (GDPR) is the new law that will apply to all organisations, including schools, from 25 May, 2018. It will replace the Data Protection Act 1998 (DPA 1998) which governs the way organisations process personal data about people (students, employees etc), and the legal rights that individuals have in relation to that data.

There are proactive steps that schools will need to take in order to ensure their policies and procedures are up to date and compliant for when the GDPR comes in next year. One of the biggest challenges will be finding the time to make these preparations. But first, let’s bust a myth about fines.

It’s true that the fines that can be issued by the Information Commissioner’s Office (ICO) will be increased to an eye-watering four per cent of worldwide turnover or £17 million – but don’t let this throw you.

Elizabeth Denham, the current information commissioner, who has regulatory oversight over data protection, has written in her blog that “it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm”. Obviously there is a risk of incurring a fine for serious breaches, but the ICO has stated that these powers will be used “proportionately”. This should provide schools with some reassurance.

So, what will change?

Timescales and fees

There will be changes to some of the processes that many schools are already familiar with under the DPA 1998. For example, the timescales for responding to a written request from an individual for a copy of their personal data, a “subject access request”, will reduce from 40 calendar days to one month.

In addition, the £10 fee which schools can currently charge before they respond to a subject access request is being scrapped. There are also new rules about the timescales for reporting certain data security breaches, depending on the seriousness of the breach.


Another change relates to consent. Does this mean that schools will need to obtain consent before they can process any personal data? The simple answer is no. It’s likely that schools will be able to rely one or more of the five other lawful bases for processing a lot of the personal data they hold in order to run a school, for example where it’s necessary for compliance with a legal obligation.

One of the biggest challenges will be finding the time to make these preparations

If none of the five other bases apply to a processing activity, then it is likely that you will need to obtain consent, which must be explicit, affirmative, fully informed and freely given. An example of where the issue of consent is likely to be relevant for schools is if you want to use the personal data you hold for marketing purposes.


Transparency is also a key theme of the GDPR. Schools will need to be clearer with their stakeholders about the personal data they hold. Privacy notices will be an important tool for communicating this information and should be updated to ensure they clearly demonstrate that personal data is used by the school fairly and transparently. The ICO has produced a code of practice which includes more detail about privacy notices.


There are a number of ways that you can satisfy the act’s accountability requirement including, for example, providing training to staff, carrying out data audits and keeping records of data-processing activities. Compliance will need to be integrated into a school’s daily operations and policies and become part of the culture in the same way that safeguarding has for many schools.

A data protection officer must be appointed, and they are required to report to the board, which shows that compliance with the GDPR is expected to be a feature of good governance.

In summary, while the GDPR will inevitably have an impact on schools, staff and governors/trustees shouldn’t have to lose sleep over this change to the law if they take appropriate steps to prepare for it.

Winckworth Sherwood is hosting free seminars for schools on the GDPR. Email to register your interest.