Registered office: 1 Saltmore Farm | New Inn Rd | Hinxworth | Baldock | SG7 5EZ  |  Telephone: 0800 0862018  |  Email:

As part of the current Data Protection Act, you will already have clear policies and procedures for collecting and handling data in your school. All of this will help you to prepare for the more stringent GDPR.

This checklist has been adapted from the Information Commissioner’s Office (ICO) guidance so that it relates to your school context.

  1. Awareness
    Ensure your senior team, governing body and other key people are aware that the law is changing to the GDPR. They need to be aware of the impact this is likely to have on the school and how they work. Tip: include GDPR as a fixed item on meeting agendas for governors and the senior team.
  2. Information you hold
    Document the personal data you hold, where it came from and who you share it with. Carry out a whole-school information audit and include pupil, parent and staff information. This includes non-electronic information such as print-outs as well as information held on memory sticks and other devices. If data is held electronically, is it password protected and encrypted? If it is held on paper, is it held securely and appropriately?
  3. Communicating privacy information
    Review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
  4. Individuals’ rights
    Check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
  5. Subject access requests
    Update your procedures and plan how you will handle requests within the new timescales and provide any additional information. Rehearse a subject access request to ensure you are able to produce one within the required 40 days.
  6. Legal basis for processing personal data
    Look at the various types of data processing you carry out, identify and document your legal basis for carrying it out. This will include speaking to colleagues across the school.
  7. Consent
    Review how you are seeking, obtaining and recording consent and whether you need to make any changes.
  8. Children
    The GDPR states that consent must be obtained from parents of pupils under the age of 13, over this, the child can give their own consent. Consider how and if this will work in your school.
  1. Data breaches
    Ensure you understand what a data breach is and that you have the right procedures in place to detect, report and investigate one. Do other people know what to do?
  1. Data protection by design and data protection impact assessments
    Familiarise yourself with the guidance the ICO has produced on Privacy Impact Assessments and how and when to implement them in your school.
  1. Data Protection Officer (DPO)
    Designate a data protection officer or someone to take responsibility for compliance and assess where this role will sit within your school’s structure and governance. The DPO must be impartial and can be someone from outside of the school.
  1. International
    If your school operates internationally, you should determine which data protection supervisory authority you come under.

How we can help
At Data Protection Education, we can support your school and staff to understand their responsibilities and ensure you comply with the new regulations. We offer three levels of training and support and our gold package includes the provision of a data protection officer. Read more about the packages here or call us to talk about which package is most suitable to your school.