Close Video

GDPR for schools: how will the new data regulations affect my school?

24 May 2018

The new General Data Protection Regulations (GDPR) come into force on 25 May this year, but what will it mean for schools? We take a look at what you need to know and what you need to do to make sure you’re ready.

What will happen on 25 May 2018?

Subject requests

From 25 May, any data subject (that’s someone whose data the school holds) can exercise certain rights with regards to their data. This means that a parent could ask for a school to produce all data it currently holds on their child, or a job applicant could ask you to erase all their details. Under the new law an individual could ask for their data in a portable form so they can pass it on to another organisation.

The school would be legally obliged to carry out these requests within 28 days of the request being given.

Although individuals were previously allowed to request access and an amend to any inaccuracies, they now have additional rights and the £10 fee has been waivered.

“People are becoming more aware of their data rights,” says Williams, “The volume of subject access requests has been rising but that’s just a general societal phenomenon, as people realise their data has value and have become a lot more curious about what people are doing with it.”

Reporting a breach

From 25 May, if you’re informed of a breach to someone’s personal data, you may be required to inform the ICO. Under serious circumstances you may be required to inform the individuals whose data has been put at risk.

Classroom teachers

With the increased emphasis on accountability will come more pressure on leaders to ensure their staff receive the necessary training. Systems in place will also impact anyone who handles personal data, even if that’s an attendance register.

Key changes for teachers:

Reporting a breach: teachers must understand what constitutes a breach and, if they suspect a breach has occurred, report it to their DPO.

Introducing new systems: if teachers want to introduce a new piece of subject-specific software or use any new processing system there needs to be a clear process in place to inform the DPO and ensure it is done compliantly.


Back to news