
I recently started to watch a GDPR webinar and, after presenter introductions, the webinar focussed on the ICO’s enhanced fining powers. Whilst their powers have been enhanced, this kind of scaremongering is why the ICO’s new blog series focusses on the misconceptions surrounding the GDPR.

Here are five (of many) misconceptions that apply to schools. We dispel these and others in our awareness sessions and other training. Visit here to read about them.

1. Organisations that do not comply with the GDPR face massive fines.
This law is not about fines but about putting the individual first. Whilst the ICO will have the power to impose higher fines than the Data Protection Act limit, fines are only issued as a last resort and don’t fund the workings of the ICO.

“It’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm. The ICO’s commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick.” Elizabeth Denham, The Information Commissioner.

2. Schools can relax as they have a two-year grace period

Steve Wood, Head of International Strategy & Intelligence at the ICO, explains, “You will not hear talk of grace periods from people at the ICO. That's not part of our regulatory strategy. What you will see is a common-sense, pragmatic approach to regulatory principles.”

3. All schools must have a data protection officer
The term ‘large-scale’ has not been defined by the ICO, so it is unclear whether independent schools need a DPO. As for maintained schools, it is unclear whether the DPO role will be their responsibility or that of their local authority. For both types of school, however, as well as for academies, appointing a DPO demonstrates to your pupils, staff and parents that you value data protection. We addressed this in another blog.

4. A subject access request must be completed within 31 days
The GDPR states that a subject access request must be responded to within one month, but does not define what one month is. Is it a 28-day or a 31-day month? In time, this will be defined, but your school should plan to respond to a request more quickly than 28 days. If you put plans in place to respond within 21 days, this gives you a cushion for staff absence or other circumstances. Remember that school holidays and weekends are included in the timescale; it is not only working days that count.

5. The GDPR doesn't apply to personal information that isn’t electronic
The GDPR is about personal information that identifies living individuals and not the format of that personal information. This includes personal information held in places such as mark books, on classroom and staffroom walls or on printouts. Before you write it down or print it out, consider the consequences of losing this information, or of it being accessed by unauthorised people, and whether there is a way of anonymising it.