Registered office: 1 Saltmore Farm | New Inn Rd | Hinxworth | Baldock | SG7 5EZ  |  Telephone: 0800 0862018  |  Email:

Data Protection Walk Document

Our data protection walk is designed to take you on a journey around school to spot any data protection and handling concerns or areas that need tightening up for GDPR. Consider what is being shared, why it is being shared and whether the person whose data it is (the data subject) is aware that it is being shared in this way, or whether they are being put at risk.

We start with reception and ask you to look at what personal information is available, both intentionally and unintentionally, and whether it needs better protecting or if privacy notices need updating. We then go into the staffroom and consider who has access to it, whether it is locked, whether recycling bins are open and how personal data is shared and secured. Other areas we consider include whether offices are left open when no-one is in them, what information is available near offices and what is displayed in corridors and available in open classrooms.

The document asks you various questions and can be written on or typed directly into.

Open the file here

We offer face-to-face events for the leadership team and e-learning awareness training for all staff. We also offer a compliance software platform called to support your data mapping and document your compliance. This comes as part of the implementation programme or can be purchased separately.

Face-to-Face Training

Awareness Sessions

Step one in our programme is to attend a two-hour awareness session designed to introduce school leaders to the key points of GDPR and how they impact your school or trust. We advertise these sessions on our website and are looking for schools to host events; please email us if this is something you would like to find out more about. These sessions are only £50 per school for up to two delegates. See which sessions are available now and book your places:


GDPR Implementation Programme

Over six half-day sessions, we will guide you through the below topics. The cost for the whole programme is £800 for a primary school and £1,000 for a secondary school and for one delegate at each session. The programme includes a 12 month license to and five accounts for the e-learning staff training.

Areas Covered

Our implementation programme breaks each of the steps into six specific half-day workshops providing guidance, documentation and support. We also include twelve-month access to.

The programme is designed to help you move through the GDPR requirements for your school in a structured way to be ready by May 2018.

Step 1: Governance, planning and preparation for compliance
Step 2: Data inventory and data mapping
Step 3: Undertaking compliance actions
Step 4: Identifying and managing risk 
Step 5: Organising processes and procedures 
Step 6: Training and documentation


Full Day Intensive GDPR Training

This day condenses the six sessions from the implementation programme into one full day. The price is £195 per delegate or £390 for primary schools and £590 for secondary schools to include

Whole Staff Training

E-Learning Training

The e-learning uses real-school scenarios and is a cost-effective and easy way to train all staff in data protection. Staff work through the modules individually and central reports identify who still needs training and provide evidence for governors and inspectors. The training ensures your staff understand how to better protect personal data. There is a trial module here for you to work through. The training is priced based on school size starting at £199.

Compliance Platform

The platform will take your school through GDPR compliance from data mapping to recording data breaches. Find out more at

Email us if you would like to discuss any of the above further, are interested in hosting events or know of a suitable venue near you.


I recently started to watch a GDPR webinar and, after presenter introductions, the webinar focussed on the ICO’s enhanced fining powers. Whilst their powers have been enhanced, this kind of scaremongering is why the ICO’s new blog series focusses on the misconceptions surrounding the GDPR.

Here are five (of many) misconceptions that apply to schools. We dispel these and others in our awareness sessions and other training. Visit here to read about them.

1. Organisations that do not comply with the GDPR face massive fines.
This law is not about fines but about putting the individual first. Whilst the ICO will have the power to impose higher fines than the Data Protection Act limit, fines are only issued as a last resort and don’t fund the workings of the ICO.

“It’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm. The ICO’s commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick.” Elizabeth Denham, The Information Commissioner.

2. Schools can relax as they have a two-year grace period

Steve Wood, Head of International Strategy & Intelligence at The ICO, explains, “You will not hear talk of grace periods from people at the ICO. That's not part of our regulatory strategy. What you will see is a common-sense, pragmatic approach to regulatory principles.”

3. All schools must have a data protection officer
The term ‘large-scale’ has not been defined by the ICO, so it is unclear whether independent schools need a DPO. As for maintained schools, it is unclear if the DPO role will be their responsibility or that of their local authority. For both types of schools, however, as well as for academies, appointing a DPO demonstrates to your pupils, staff and parents that you value data protection. We addressed this in another blog.

4. A subject access request must be completed within 31 days
The GDPR states that a subject access request must be responded to within one month, but does not define what one month is. Is it a 28 or 31-day month? In time, this will be defined, but your school should plan to respond to a request more quickly than 28 days. If you put plans in place to respond within 21 days, this gives you a cushion for staff absence or other circumstances. Remember that school holidays and weekends are included in the timescale; it is not only working days.

5. The GDPR doesn't apply to personal information that isn’t electronic
The GDPR is about personal information that identifies living individuals and not the format of that personal information. This includes personal information held in places such as mark books, on classroom and staffroom walls or on printouts. Before you write personal information down or print it out, consider the consequences of losing it, or of it being accessed by unauthorised people, and whether there is a way of anonymising it.

Data Protection Officer Service Level Agreements are now available. Click here for more information


In this article, we explore the role of the data protection officer (DPO), whether your school needs one and who this should be.

Updated 12th January 2018 (and again 14 February)
This week, the following was proposed concerning DPOs and maintained schools as part of a reading of the Data Protection Bill.

87A Insert the following new Clause “Where a school maintained by a local authority is unable to designate a data protection officer, the relevant LA must designate a DPO for that school or any group of schools maintained by that LA”

The full document can be read here:

At this stage, this is only a possibility (it didn't make it out of committee and into the final reading in the House of Lords, but may be re-proposed in the Commons - watch this space) and the terms 'unable' and 'designate' are not explained.

So, if you are a maintained school, we recommend that you speak to your local authority about any services they may be offering as a managed service.


Under the GDPR, do schools need a data protection officer?
The GDPR outlines three circumstances when an organisation must appoint a DPO. If you:

  1. are a public authority (except for courts acting in their judicial capacity);
  2. carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or
  3. carry out large scale processing of special categories of data or data relating to criminal convictions and offences.

As a public authority, circumstance 1 applies to maintained schools and academies, meaning that you do need a data protection officer.

What about independent schools?
The term ‘large scale’ has not been defined by the Information Commissioner’s Office (ICO), so it cannot be assumed that independent schools fall into circumstance 2. Because of the nature of the data that all schools collect and process, and because your data subjects are children, it would, however, be wise for independent schools to appoint a data protection officer. Indeed, appointing a DPO demonstrates that you take the data protection of your pupils seriously.

How can schools afford a data protection officer?
A data protection officer can be employed fully by you or shared across schools, or you can engage a DPO service from an external provider. Each has its merits, and you should review which is the most suitable for your school in terms of the size of your school and the types of personal data you collect and process, as well as affordability and value for money. Talk to local schools to see if there is an opportunity to share one across the group. If you are part of a trust, speak to your central office about their plans.

What does a DPO do?
The DPO takes an advisory and monitoring role and should guide your school to be GDPR compliant. It is your school’s responsibility to follow this guidance. If you choose not to, the DPO is not responsible if anything goes wrong.

The DPO’s minimum tasks are defined in Article 39:

  • To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.
  • To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits.
  • To be the first point of contact for supervisory authorities (the ICO) and for individuals whose data is processed (employees, customers etc).

What does the GDPR say about your duties when employing a DPO?
As a school or trust, you must ensure that:

  • The DPO reports to the highest management level of your school, i.e. the governing body or the trust board.
  • The DPO operates independently and is not dismissed or penalised for performing their task.
  • Adequate resources are provided to enable the DPO to meet their GDPR obligations.

Can we allocate the role of DPO to a member of staff?
Yes, but only if their professional duties are compatible with those of the DPO and do not lead to a conflict of interests. This means that they must be in an impartial role, report directly to the governing body and have no conflict of interest in their other duties. It is difficult to think of a role in school where there wouldn’t be a conflict of interest.

Anyone who makes decisions about which systems your school uses or how they are used, has line management responsibilities or decides what personal data is collected or processed is not a suitable data protection officer. Remember that this person cannot be sacked for performing their DPO role.

Can a governor be the data protection officer?
If the governor has no other responsibilities, then yes. For many schools, a governor with the right skills and authority, as well as time, would be suitable.

Does the data protection officer need specific qualifications?
Whilst the GDPR does not specify precise credentials, it does require that they should have professional experience and knowledge of data protection law. This should be proportionate to the type of processing your school carries out, taking into consideration the level of protection the personal data requires.

How we can help
Data Protection Education offers a data protection on demand service. Contact us to discuss your school's context and how we can support you.

Further reading
Accountability and Governance, an overview from the ICO:


In this series of articles, we will outline practical steps to compliance. In this one, we introduce data audits.

The GDPR is the General Data Protection Regulation which is a new data protection law coming into force across the EU on May 25th 2018. The government has confirmed that leaving the EU will not affect the commencement of the GDPR. The law is changing to align with the ways we all share and process data in today’s digital world. It is an opportunity for your school to review and update the data it collects and how it is managed and secured as well as train your pupils and staff to be more careful with their data and that of others.

The most important point for your school is that you must be fully compliant on May 25th and not working towards compliance.

Auditing your data
There is much you can do to prepare for the new regulations and one of the first steps is to audit the data you hold in a spreadsheet.

What data are we collecting and processing?
List what personal data you hold across the school, where and how securely it is held, how it is collected or processed and who it is shared with. Identify which data you collect yourselves and which you receive from elsewhere, such as via the CTF or from other agencies. Adding a column about how it can be better secured is also helpful.

Ask staff what software and websites they use that gather personal data to map a complete picture across school.

Why are we collecting it?
To meet the GDPR, you must have a lawful basis for collecting and holding personal data and there are strict categories for this. For each item of data listed in step one, identify a lawful reason for collecting or processing it from the list below. Without a lawful basis, you should not be collecting or holding it.

  1. Consent
    The data subject has given their explicit consent for you to process their data. For children under the age of 16, this consent must be given by their parents. Consent may also be withdrawn.
  2. Contractual
    Such as employment contracts for staff.
  3. Legal obligation
    Such as collecting attendance data for the DfE.
  4. Protecting vital interests
    Such as disclosing medical information to health professionals or information for references.
  5. Public interest
    This applies to data collected for statutory purposes.
  6. Legitimate interest
    Such as for marketing purposes, not relevant for most schools.

Special category data
Data about race and ethnic origin, genetics, health and biometrics (including fingerprinting), beliefs such as religion, political opinions and trade union membership, and sex life or sexual orientation is classed as sensitive data. The rules for this information are stricter than for other personal data. The Information Commissioner’s Office outlines these here. If your school uses fingerprinting for school lunches or attendance, you should already have sought parental permission for doing so.

What’s the risk?
It is important to understand the risk to the individual and the school if any of the data you hold is lost or accessed by those without permission, known as a data breach. RAG rating each type of data will help you to prioritise staff training and data security. For example, losing the child protection register is potentially much more devastating compared to an attendance register.