Author: Gary Hibberd

Date: 30th June 2020


GDPR means schools and the education sector need to apply some critical thinking and common sense to the application of the regulation within their institution. Unfortunately, this has proven difficult for many.

When the General Data Protection Regulation (GDPR) came into force on 25 May 2018, there seemed to be a lot of people running around desperately trying to understand what it meant to them, and trying to make sense of this new regulation.

Although organisations had had since 2016 to prepare for this regulation, many seemed to be caught like rabbits in the headlights! In part, this was due to the plethora of other regulations this sector already has to comply with, and because of the influx of GDPR ‘experts’ suddenly flooding the market.


Do what is right, not easy.

From April 2016 every organisation and institution had been informed that this new regulation was coming in and that they had two years to transition. So why were schools so ill-prepared? Could pupils now arrive for exams stating, “What? You need evidence I’ve done my work? But I’m not ready?! Yes, I know you told me repeatedly for two years, but it’s not easy.”

Of course, we know that schools have an incredible job to do in very challenging times. Budget cuts and staff shortages combine with an increasingly disenfranchised client base. Children have their own issues which they bring into the classroom, and we expect our schools to pick up parenting and caring, where sometimes it is missing at home.

Those in the education sector are under incredible pressure from a number of directions, so I can understand that many found the GDPR challenging to understand and fully integrate.

But the GDPR is nothing new.


Data Protection – 1998

In 1995 the UK was given the EU Data Protection Directive, which became the UK Data Protection Act 1998. So for more than 20 years, we have had eight principles which every organisation and institution processing and controlling data had to follow. So why then did the GDPR, with the following six principles, give everyone such a headache?

1. Personal data shall be processed lawfully, fairly and in a transparent manner

2. Personal data shall be collected for specific, explicit and legitimate purposes

3. Personal data shall be adequate, relevant and limited to what is necessary

4. Personal data shall be accurate, and where necessary, kept up to date

5. Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary

6. Personal data shall be processed in a manner that ensures appropriate security of Personal Data


That was then. This is now

In 2020 I see schools who are still confused about GDPR and are looking for guidance on what they need to do to be compliant with the regulation. Of course, every school is different so no blog can answer all the questions they have on this topic, but some of what follows should help. If it doesn’t, then you should get in touch and tell me what your particular issues are, and perhaps we can help.


Assign an Owner

Assigning responsibility for managing your Data Protection compliance programme is a great way to ensure you’re doing the right thing in relation to the GDPR. 

If you’re hiring a Data Protection Officer or assigning this role to someone, then remember that the role can’t conflict with other duties. So you can’t have the ‘Head’ of the school as the DPO.

Notice also that I said assigning responsibility for the compliance programme. The protection of Data is everyone’s responsibility, so please ensure you communicate that fact.

Know your Data

As a school, you are the Controller. You set the rules around what, how and why you are collecting Data. But do you know what Data you hold? Do you have a ‘Records of Processing Activities’ (RoPA)? If you don’t, then now is the time to create one. If you do, when was the last time you looked at it?

You can’t protect what you don’t understand, so seek to understand what Data you are processing, who you are sharing it with and what controls are in place to protect it. Ensure you have completed Data Protection Impact Assessments (DPIAs) for your core processes.

This does not happen overnight, but with some careful assessment, you will begin to identify areas of weakness and vulnerability, and can then act accordingly to protect your Data. You will have a much better chance of seeing what operational and technical measures you need to put in place.


Develop Policies and procedures

There are a number of policies and processes which I would say are key to a successful GDPR compliance programme. If you don’t have these in place, or you’re unsure how well understood they are, then you need to re-assess them and re-engage with them. 

At a minimum you need the following:

– Data Protection Policy

– Data Retention Policy (and schedule)

– Privacy Notices

– DPIA Process (including register)

– RoPA Process

– Supplier Data Processing Agreements

– Supplier Register

– Subject Access Requests (SARs)

– Cyber Incident and Data breach Management

Of course, there are many other organisational and technical processes you need to consider, but your Data Protection Lead should advise what these are. But for now, focus on the above and build from there.



Like many things in life, GDPR can be seen as painful and complicated. But in truth, if you approach it in the right way, with the right mind-set, then GDPR is neither. It is complex, because it is a law and it is an outcome-focused regulation. This means that ‘it depends’ is a phrase you’ll hear a lot when people talk about GDPR. How you apply GDPR depends on the size and complexity of your school, the kind of children you’re working with, their age, the Data you collect, and who you share it with.

How you protect Data ‘depends’ on so many things, and what is ‘appropriate’ and ‘necessary’, will all ‘depend’ on this assessment. So GDPR means schools and the education sector need to apply some critical thinking and common sense to the application of the regulation within their institution.

It’s not difficult.

GDPR is there to protect the rights and freedoms of Data Subjects, and none are more deserving of this protection than children. I know that the education sector understands this, and I hope they’ll reach out to the experts around them if they are struggling.
