Website Cookie Policy

We use cookies to give you the best possible online experience. If you continue, we’ll assume you are happy for your web browser to receive all cookies from our website.
See our cookie policy for more information.

Practice Areas

More Information

Leeds: 0113 244 6100

Sheffield: 0114 267 5588


Send us an enquiry

GDPR in schools – ensuring best practice

24 February 2020

It's been almost two years since the GDPR came into force. We look at its impact and the ways schools can develop best practice in data protection.

When it came into force in May 2018, the General Data Protection Regulation, more commonly known as the GDPR, brought to everyone's attention the importance of protecting personal data.

The GDPR affects the use, storage and other processing of personal data, i.e. information relating to an identifiable living person, ranging from a name and address, to bank details and ID numbers and includes a host of other identifying information .

Whilst the GDPR was an evolution rather than a revolution of the previous regulations governing personal data, the introduction of fines up to €20 million or 4% of annual turnover (if higher) focused the minds of organisations on the importance of protecting personal data.

This article will look back at some of the action the UK's data protection authority, the Information Commissioner's Office ("ICO"), has taken since the introduction of the GDPR to guide schools and academy trusts when looking to improve their practice.

Enforcement action

The ICO made headlines in July 2019 when it announced its intention to fine British Airways £183.39 million following a breach of its security which led to the financial information of around 500,000 customers being compromised.

The key message here is that, even though this was a malicious cyber attack on British Airways, the company had failed to put in place appropriate security measures to protect the personal information it held. This reinforces the importance of network security in IT systems and of ensuring that adequate security measures are in place, which are both key parts of any risk management strategy.

The National Cyber Security Centre provides useful guidance on the risks posed by internet systems and communications and identifies some key security controls that can be put in place. These range from straightforward measures, such as password protection of sensitive documents (to limit access to such documents) and the use of secure passwords, to more technical measures such as encryption as a means of increasing security.

Schools may be vulnerable to cyber attacks given the sensitive information they hold (including financial information) and the number of users able to access their IT systems. Appropriate training should be given to all members of staff to ensure that they can identify potential attacks and take steps to prevent such attacks being successful.

Audits of educational organisations

The ICO has undertaken several audits of academy trusts and other education institutions since the introduction of the GDPR, analysing their compliance with data protection law and advising on ways in which to improve data protection compliance moving forward.

Many of the reports are accompanied by an executive summary of the issues identified and suggestions for improvement. Some of the common suggestions from these executive summaries are:

  • Improved, bespoke training should be delivered to staff at an appropriate level and advanced training should be given to those responsible for data protection (such as the appointed data protection officer and those who routinely share personal data);
  • Responsibility for handling data protection matters should be assigned at a senior level to improve compliance;
  • Arrangements for sharing personal information with third parties need to be reviewed (both immediately and on an ongoing basis) to ensure they contain adequate safeguards to protect personal data. This applies equally to relationships with other data controllers (who decide what to do with the information they receive) and relationships with data processors (who handle personal information only on the instruction of the school).

In addition to the above, the ICO found that many academy trusts have failed to put in place some of the key documentation required under the GDPR (such as records of processing activities).

Schools and academy trusts should use the ICO reports to identify and address weaknesses in their own data protection compliance.

Further guidance available

There are many general and school-specific data protection guides available.

A good starting point is the Department for Education's Data Protection toolkit for schools. The ICO's website has education-specific FAQs, which were prepared in the lead up to the GDPR, alongside a wide range of other resources and guidance addressing specific issues of GDPR compliance.

Wrigleys' education team have data protection experts who have already worked alongside schools and academies to assist in reviewing and updating data protection compliance and to provide general and specific training.

If you would like to discuss any aspect of this article further, please contact Nick Dunn, Sue King or any other member of the Education team on 0113 244 6100.

You can also keep up to date by following Wrigleys Education on Twitter here

The information in this article is necessarily of a general nature. Specific advice should be sought for specific situations. If you have any queries or need any legal advice please feel free to contact Wrigleys Solicitors




Nick Dunn View Biography

Nick Dunn


22 May 2024

Beware of Companies House scam letters

Fake Companies House letters are asking for payments via QR code. We urge clients to stay vigilant and to be alert to these fraudulent requests.

16 May 2024

Considering the validity of existing LPA’s

Further to the recent decision in TA v The Public Guardian [2023] EWCOP 63

14 May 2024

Office for Students opens consultation on freedom of speech guidance

The latest consultation follows previous consultations on the new OfS complaints scheme and its proposed approach to regulating students’ unions.