Registered office: 1 Saltmore Farm | New Inn Rd | Hinxworth | Baldock | SG7 5EZ  |  Telephone: 0800 0862018  |  Email:

Just in time, the Data Protection Act 2018 received royal assent on 23rd May 2018.

For a copy of the Act, click here.

In our next blog post, we'll be analysing the Act and reviewing any last minute surprises that might affect schools.

Data Protection Walk Document

Our data protection walk is designed to take you on a journey around school to spot any data protection and handling concerns or areas that need tightening up for GDPR. Consider what is being shared, why it is being shared, and whether the person whose data it is (the data subject) is aware that it is being shared in this way or is being put at risk.

We start with reception and ask you to look at what personal information is available, both intentionally and unintentionally, and whether it needs better protecting or if privacy notices need updating. We then go into the staffroom and consider who has access to it: whether it is locked, whether recycling bins are open, and how personal data is shared and secured. Other areas we consider include whether offices are left open when no-one is in them, what information is available near offices, and what is displayed in corridors and available in open classrooms.

The document asks you various questions and can be written on or typed directly into.

Open the file here

Why an audit?

With GDPR coming into force in May 2018, you may only just be starting to consider what is needed and how you can meet the new expectations. This is where we can help and completely remove the worry, ensuring you comply with the new regulations.

What's involved?

Our consultancy provides a detailed review of your readiness for GDPR and an action plan of what to do to ensure compliance. Whilst the audit takes several days, we need only one day in school with you and your staff.

We start with an initial telephone call to plan out the day spent with you: what information is needed and who will need to be available. This is likely to be a mixture of governance staff and those with an operational focus: the Head, the IT Manager, the Business Manager, possibly the Chair of Governors and other members of the senior staff with an operational focus.

The day will be spent gathering information and also explaining why it's needed for GDPR compliance. It includes:

  • An analysis of your school's processes and procedures relating to data management, governance and risk management 
  • A full review of the information management systems in place including a high-level data inventory, to log where and how personal data is stored 
  • A review of how well you are meeting the GDPR Data Principles:
    • Transparency
    • Collection and purpose of processing
    • Consent
    • Quality and completeness
    • Data retention
  • A review of whether any international data transfers apply to your school
  • How ready you are to respond to a data breach
  • Your understanding of the Rights of Data Subjects, and your ability to respond to a subject access request
  • A review of awareness training and organisation-wide data protection by design
  • Roles and responsibilities, including your school's requirement for a Data Protection Officer
  • Your organisation's ability to manage a large-scale compliance project


Our data analysis covers over 100 topics and questions about your privacy and information security framework.
Your confidential report provides a breakdown of the data analysis - showing strengths and weaknesses within the school as well as a recommended action plan to address requirements for GDPR compliance.

During the International Association of Privacy Professionals' Knowledge Net event in London on 17th October, Elizabeth Denham, the Information Commissioner, was asked a question that is as appropriate to schools as it is to businesses.

Question: "What advice would you give businesses if, having tried their very best by the 25th May 2018, they are not completely compliant by this point?"

Answer: “So the law takes effect on 25th May 2018 and we will receive complaints, and there will be breaches and we will need to look at organisations. And what I’ve said to organisations is what I will be looking for is evidence of your commitment and your programme to build the compliance.

It’s not necessarily going to be perfect on the first day, but then again we have had the text for two years so it’s not a surprise about what obligations are contained in the law. The other thing is, if there is a serious contravention of the law, we’ll just look at whether or not you have done what you needed to do to prevent that breach or that contravention from happening.

So I can’t say I’m giving a grace period at all. There isn’t a grace period. But again, we are a proportionate, reasonable, risk-based regulator and there is no reason why we are suddenly going to change into a different kind of regulator because we have new tools in our regulatory toolbox.

And remember, it’s not just about fines. There are other tools that I think are really important to getting this right and developing good practice around data and what to do.”

Elizabeth Denham, Information Commissioner

So what does that mean? It means take reasonable measures to prepare and assess your risks. And where there are risks to the rights of data subjects in the way you handle data, do something about it. But excuses such as ignorance, or not doing anything because of size and budgets won't help you if something goes wrong.


We offer face-to-face events for the leadership team and e-learning awareness training for all staff. We also offer a compliance software platform called to support your data mapping and document your compliance. This comes as part of the implementation programme or can be purchased separately.

Face-to-Face Training

Awareness Sessions

Step one in our programme is to attend a two-hour awareness session designed to introduce school leaders to the key points of GDPR and how they impact your school or trust. We advertise these sessions on our website and are looking for schools to host events; please contact us if this is something you would like to find out more about. These sessions are only £50 per school for up to two delegates. See which sessions are available now and book your places:


GDPR Implementation Programme

Over six half-day sessions, we will guide you through the below topics. The cost for the whole programme is £800 for a primary school and £1,000 for a secondary school and for one delegate at each session. The programme includes a 12 month license to and five accounts for the e-learning staff training.

Areas Covered

Our implementation programme breaks each of the steps into six specific half-day workshops providing guidance, documentation and support. We also include twelve-month access to.

The programme is structured to help you move through the GDPR requirements for your school in a structured way to be ready by May 2018. 

Step 1: Governance, planning and preparation for compliance
Step 2: Data inventory and data mapping
Step 3: Undertaking compliance actions
Step 4: Identifying and managing risk 
Step 5: Organising processes and procedures 
Step 6: Training and documentation


Full Day Intensive GDPR Training

This day condenses the six sessions from the implementation programme into one full day. The price is £195 per delegate or £390 for primary schools and £590 for secondary schools to include

Whole Staff Training

E-Learning Training

The e-learning uses real-school scenarios and is a cost-effective and easy way to train all staff in data protection. Staff work through the modules individually and central reports identify who still needs training and provide evidence for governors and inspectors. The training ensures your staff understand how to better protect personal data. There is a trial module here for you to work through. The training is priced based on school size starting at £199.

Compliance Platform

The platform will take your school through GDPR compliance from data mapping to recording data breaches. Find out more at

Contact us if you would like to discuss any of the above further, are interested in hosting events, or know of a suitable venue near you.