GDPR and schools: what you need to know

A lot has been written about GDPR and its impact on the world of business but GDPR also applies in the public sector, including in the world of education. The average school (whether public or private) operates rather differently to the average business and so may need to approach compliance rather differently.

The bad news is that you can’t wait until the children are on summer holiday to implement the requirements of GDPR along with other administrative tasks. The good news is that you may well find that your existing systems are already GDPR compliant or very close to it.

Now is the time to make sure all relevant people are fully aware of what GDPR is and what it means for you, while you still have a reasonable amount of time on your side.

This audit needs to cover three main areas:

• The points at which you currently collect data from data subjects;
• The software you use to collect the data; and
• The data you currently hold both in physical and digital form (i.e. what it is and where it is).

As previously mentioned, schools have obvious, clear and legitimate reasons for requesting personal data about people, including, self-evidently, children. However, it is important to double-check that every data item you collect is necessary, appropriate and proportionate and that your collection and storage systems and processes are both GDPR compliant.

Putting your school privacy policy on your website makes it easy for parents to access and this may field off a few enquiries. Subject access requests could also be channelled through your website, at least in the first instance, where you could inform parents of the process and what they can expect.

Speaking of parents now is a good time to double-check your parental consent forms. Not only do you need to ensure that they are GDPR compliant in themselves but you must look at how they are being stored and whether that the form of storage meets GDPR standards.

The need to appoint a designated DPO may be the thorniest GDPR-related issue schools need to tackle.

DPOs must be sufficiently qualified to perform their role effectively, though this does not mean that they necessarily need to have formal qualifications, (although there are relevant training schemes such as the General Data Protection Regulation (GDPR): Essentials course, or the Certified EU General Data Protection Regulation (GDPR) Practitioner course). Instead, it just means that they need to know their way around GDPR and they also need to be able to work impartially.

Both of these requirements point to hiring external resources, but this may be a financial challenge for some schools. Private schools may be able to increase their fees to reflect this extra financial burden and multi-academy trusts may be able to have a trustee perform the role, but other local authority schools, particularly smaller ones, may have to look for alternative solutions and may need to turn to their local authority for guidance and support.