Blog, news & updates

How does the GDPR Affect Schools?

How Will GDPR Affect Schools?

It is a legal requirement for any organisation that handles personal information to abide by the General Data Protection Regulations. It is a company’s duty to ensure that the data is stored securely, which means some procedures should be in place to ensure the data’s protection. The regulations also apply to schools and other educational facilities. 

GDPR for Schools and Educational Facilities

GDPR seemed to cause mass panic amongst organisations back in 2018 when it came into force, but compared to many private organisations, schools are much better placed to address the General Data Protection Regulations. In 2016 alone, there were 2,168 data breaches reported to the ICO (Information Commissioner’s Office), and only 166 were in the educational sector. With the GDPR making reporting compulsory and with increasing responsibilities, this figure looks set to significantly rise if schools fail to comply with the GDPR.

Schools have been given masses of information that they need to make sure is kept securely and confidentially. They collect details of pupils, such as their age, gender, medical records, and home address. But it’s not just the leaking of details that can land the data controller in trouble; opinions of the person must be kept locked-up.

It can be an incredibly difficult job to make sure that no data is leaked, especially when third-party persons (i.e. exam boards) need access to some of the private information. Although, the regulations are stated clearly and information is available to help towards the school's compliance towards them. It is the school's responsibility to ensure 3rd party suppliers that process data for you also comply with GDPR.

Schools have always had to give parents and children access to their data, under the Data Protection Act 1998, but under GDPR, individuals have the right to ask for that data to be forgotten. This regulation only applies to certain data that you store but needs to be kept in mind.

Key Regulation Changes

  • Even if your business is not in the EU, you must abide by the regulations if you do business in the EU with EU data subjects.
  • Parental consent is required for the processing of personal data for children under the age of 16-years-old.
  • Data privacy now encompasses different factors when it comes to identifying individuals, including their mental, economic, genetic, cultural or social identity.
  • The documents of consent must be laid out very simply when it comes to the way information is collected.
  • Article 35 of the GDPR says that Data Protection Officers (DPOs) must be appointed for all public authorities. In addition, a DPO will be required where the core activities of the controller or the processor involve “regular and systematic monitoring of data subjects on a large scale” or where the entity conducts large-scale processing of “special categories of personal data”. Although, companies without the core focus of data collection will be exempt from the obligation. The DPO position can be appointed to anyone with an expert knowledge of data protection laws and practices.
  • When processing high-risk data activities, data controllers are required to conduct a privacy impact assessment to analyse and minimise the risks that is introduced to their data subjects.
  • The organisations data controllers must report data breaches within 72 hours to their data protection authority, unless it is unlikely to pose a risk to the data subject.
  • Data subjects have the right to be forgotten.
  • Data processors have a legal obligation and responsibility, which means that they can be held liable for data breaches from the organisation. Contractual arrangements will need to be updated, and stipulating responsibilities and liabilities between the controller and processor will be an imperative requirement in future agreements. Parties have to record and document their data responsibilities more clearly than before, and the increased risk levels may impact service costs.
  • Data portability allows a subject to request a copy of personal data in a format usable by them and electronically transmissible to another processing system.

Electronic padlock to represent GDPR Training


Technically speaking, if you have any level of responsibility over the protection of data, that doesn’t belong to yourself or a relative, you are considered a data processor. Data processors are contractually obliged to implement the appropriate security measures to ensure that data stays secure.

The official EU GDPR website states “Under GDPR organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements e.g.not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment. It is important to note that these rules apply to both controllers and processors -- meaning 'clouds' will not be exempt from GDPR enforcement”. 

General Data Protection Regulation Training

Here at iHASCO, we've developed an online GDPR Training course to help towards your compliance with the regulations! Why risk the chance of receiving a penalty? Try the course for free today!

GDPR Training Courses