GDPR for Schools – a Primer

The General Data Protection Regulations (GDPR) is the hot topic of 2018. Never before have we witnessed a piece of legislation having such an impact on a wide range of sectors. What does this evolved approach to data protection mean for the education sector?

Data protection in the education sector has had a challenging past. On one hand, it has to ensure that the personal data about pupils and staff have been kept secure and used for only permitted reasons. However, on the other hand, it has led to a lack of clarity about how and when schools and other areas of the public sector could share information about those same pupils and staff. The GDPR brings much welcomed clarity to use of personal data across the European Union.

What is the GDPR?

The GDPR updates the current laws on data protection across Europe, such as the Data Protection Act, and creates a single standard for organisations to comply with when handling personal data about European citizens. It introduces stricter fines for non-compliance, gives individuals greater rights over their personal data, and makes individual organisations such as schools fully accountable for their handling of personal data. The aim is to strengthen data protection across Europe in today’s digital and connected world. The GDPR takes full effect on 25th May 2018 and organisations across the globe are busy putting their data house in order.

GDPR and Schools

The education sector is one of the primary sources of personal data. With information about pupils, their families, staff, and suppliers, educational institutions are the bastions of a wealth of highly sensitive information. From information about pupil’s educational needs, whereabouts, and health requirements to the information collected in CCTV other means of surveillance; educational organisations have a special duty of care over the information it holds.

In order to comply with the GDPR, schools, colleges, and universities must put in place a data inventory setting out all of the information it holds, why they hold it, how they use it, who they send it to, and how long they keep it. This is no easy task and will require a detailed review of data processing activities for data in filing cabinets and held in IT Systems.

Educational institutions will need to ensure that they have GDPR compliant contracts in place with the companies who help them to manage or have access to their data. These contracts must have a key emphasis on security and set out the steps to be taken in case of a data breach. The GDPR will require schools to report any data breach that could impact individuals directly to the regulator within 72hours of the incident.

A failure to comply with these measures could result in a hefty fine. The fining powers for the Information Commissioner’s Office, the UK Data Protection Supervisory Authority, has increase from a maximum of £500,000 to up to €20m. Not a small sum at all. What’s worse than a fine is the reputational damage that can result from data protection breaches.

Next Steps?

If you have not started preparing for the GDPR already you should start now. The first port of call should be building the data inventory and then ensuring that the privacy policies and notices you issue reflect what is happening in the school.

Educational institutions should also consider holding a data hygiene campaign as a way of disposing of data they no longer need to hold. Limiting the amount of data you retain will reduce risks of non-compliance dramatically.

I am a school and I just need the highlights – Gimme the GDPR Top line


Every organization that processes any personal information of any living individual in the EU must comply with GDPR. This means, literally, EVERY organization… Let me emphasize this again: E V E R Y organization that processes A N Y personal information of A N Y living individual in the EU (whether that individual is a citizen, resident, visitor, or transit passenger) must comply with GDPR. This means: whether you are incorporated or not, whether you are a 10 million employee or none strong business, whether you are profitable or not profitable, whether you are for profit or not for profit, whether you are giving away or selling services/widgets, and whether you are located in the EU or not – as long as you are processing A N Y personal information of A N Y living individual in the EU you are subject to GDPR.


Personal information (also referred to as “personal data”), is now more broadly defined. In essence, any information that can identify a living individual in the EU whether directly (e.g., name and email) or indirectly (.e.g., IP addresses, customer numbers, and invoice numbers. In essence, indirectly means that if I combine information with some other information, and then once co-mingled, I can identify a person) is considered personal information and is subject to the protection under the GDPR.


Informed consent is key. This is particularly important for schools who teach minors, i.e., students that are under 16 are considered minors and cannot provide “consent” under the GDPR. Therefore, you will be required to ensure parent or guardian consent for the processing of any information of minors. In addition, if you are dealing with students of the age of 16 or older, you will still need to be very careful to ensure that your consent notices are understandable by those students. The consent requirements under the GDPR have become much more burdensome. You can no longer simply generalize and say: for “personalisation” purposes we need all of your information including your hair colour, eye colour, height, weight, address, purchasing habit, interests, hobbies, job, income bracket, name, address, email address, telephone, etc. Now you need to clearly explain why you need certain personal information and, indeed, you need to have the person opt in to give you consent to collect and process that information exactly as you have described – not more, not less. Any deviation of your use or obscurity of the explanations is a violation of the GDPR. But, hold, that is not all, you also need to give much more information and certainty about with whom you share the personal information and how you will protect it when handing it over to a third party. Bottom line is the “old” pre-ticked box indicating that the individual has read and understood and, indeed, agrees to all the nifty stuff you will be doing with his/her personal information is now as legal as yelling BOMB at the security gate at an airport (unless, of course, it really is one).


You are responsible for your third party providers as much as the third party provider is responsible for its own actions. These kind of third parties are, in the data protection world, called: data processors, i.e., companies that collect and/or process personal data for a customer organization (I am sure you are using some of them or, maybe even providing some services to other schools), e.g., marketing lists providers, payroll, HR services, accounting services, cloud storage, website analytics, payment processing, logistics/delivery companies. There is also a party called “data controller” which is the organization that is actually responsible for the personal data that it has, e.g., it directly collects and processes the information (or asks a data processor to do so on its behalf) for itself. Important is that both, the data processor and data controller are directly liable to individuals if they mishandle their data and are subject to specific rules applicable to their role, e.g., as a data processor or data controller. Also, both parties are, legally speaking, “jointly and severally liable” for damages/fines (of course the processor would not be liable if it was just the controller’s fault, but the other way around is not assured at all).

• 72 HOURS

72 hours is the time that you will have to report any data breach to the relevant supervisory authority. In the UK this will be the Information Commissioner’s Office. Therefore, it is really, really, really important that you have a plan and procedure in place and have trained all of your staff on what to do during a data breach. Every second counts and failure to do so will open the door for these “infamous” fines that are in the supervisory authorities back pocket.


Data subject rights have grown significantly, i.e., there is now a right to be forgotten and there is a right of a data subject to request that his/her data is to be transferred to another third party. Also, data subjects can refuse their consent for you to process certain data and you must comply immediately with his/her request.

It is Important – Non-Compliance is really not an Option – it really is NOT!

• Audits/Orders

Under the new regime it is imperative that every school and business knows its obligations. There are major repercussions for non-compliance. These can start with compliance audits, reviews, and demands/orders which can lead to major disruptions of “business as usual”. Indeed, I doubt any of us would like to have someone snoop around to find out whether we have done something wrong. I mean, let’s be honest, for most of us, if someone really goes out of his/her way to find something that we did wrong, he/she most certainly will be able to find something. I mean, let’s call it by name… none of us are infallible.

• Reputational Damage

In addition, to the “auditing” and “ordering”, there is the reputational damage that your school may suffer. Nowadays most netizens and consumers at large are aware that they do have some privacy rights and that there are some obligations on the organizations that hold their personal data. This is even more the case when it comes to parents who protected their offspring. Therefore, data breaches, the inability to respond to requests by individuals with respect to their personal data, improper procedure to obtain consents for your processing of personal data, improper use of personal data – all do affect one’s reputation and will, in many instances, lead to student or funding attrition. Now, if a large company comes into the spotlight because of some misbehaviour, they can use their significant lobbying and communication powers and funds to overcome a large part of the negative impact of such a “reputational” nightmare or, at least, most likely wait it out until the communal memory has faded. Of course, it will hit their bottom line and may have some significant impact, however, they do have significantly more funds to survive such “negativity”. Most schools, on the other hand do not have those kind of pockets, connections, and frankly, financial stamina to survive the loss of, e.g., a major contributor or a number of minor ones. For most schools, virtually every student and contribution counts and thus, prevention is most certainly better than remediation after the fact. Therefore, compliance with GDPR is really not just for the big kahunas, but every single organization out there.

• Fines

And then, I am sure many have ready about it, there are the fines that the supervisory authority can impose upon the offending party. The maximum fines are a staggering €20 million (ca. £18,38 million) or 4% of global revenue, whichever is higher, per breach. That means, for virtually every school, the maximum fine that you can face is €20 million as you most likely have revenue of less than €200 million. It is important to understand, of course, that the supervisory authority will, most likely, not impose upon a school a school destroying fine of €20 million, but it certainly will be much higher than what we have seen in the past. Compare the £500k maximum fine of the current legislation in the UK vs. what will be, i.e., € 20 million or 4% of global revenue, whichever is higher – that is, if we take the € 20 million (£18.38 million) as the threshold fine, a 3,667% increase. Therefore, let’s take the news breaking fine of an SME of £60,000 back in July 2017 which is 12% of the then maximum fine (£500,000) that the ICO can impose. This would, if we take 12% of £18.38 million or 3,667% of £60,000, this would, under the GDPR regime translates to a whopping £2.2 million – ouch…MEGA ouch…is all I can say to that.

Scary Stuff – I am a School What Do I have to do now?


Conduct a full GDPR compliance review or audit. No matter how small you are, you should, at the very least be aware of the gaps and risks that you are exposed to. For example, do you have a website? If so, do you have a privacy policy on your website? Do you have a formal process to respond to a data subject access request? Do you have a policy and procedure in place to deal with data breaches? Do you train your staff regarding data protection? Do you have a retention policy and schedule? Do you have a consent process to ensure that for minor students you obtain parental or guardian consent? Are your data protection documents written in such a way that a 16-year old can understand them?


Once you have completed your own audit and, I assume, found some high level gaps, you should now budget time and money to fill the gaps. This will, for virtually all schools involve a full data inventory and process mapping. In essence, find out which systems/machines/software/procedures within your school process personal data. What kind of personal data you are processing, for what reason, with whom you are sharing the personal date, how you have obtained consent, and how you have secured the protection of the personal data either in your own hands or the hands of a third party. Map it out, spreadsheet it, and then use it as your foundation to build the framework around what you have discovered.

• A, B, C, D, E, F, G… H, I, J, K, L, M, N, O, P… Q, R, S, T…

Now that you have mapped it out, it is time to make your policy/procedural framework fit your business within the confines of the GDPR. For most of us, this will require a replacement or creation of various policies and procedural documents which includes privacy policies, cookies policy, data subject request policies, retention policy & schedule, and incident management policy & procedure.


You should identify all of your suppliers that handle personal data that you share with them and make sure that the personal data, when with the third party, is properly protected in accordance with the GDPR. This should already be evident from the data inventory exercise in 1 above. I certainly am aware that you may not be in a position to negotiate contract changes and if so, you should pick another provider or assess the risks to your school. Most certainly do not think that because a supplier is a mammoth, this puts you in the green. I know, from personal experience, even the biggest suppliers are all struggling with GDPR compliance. Therefore, keep in mind, regardless of whether you are the processor or controller, each have responsibilities under the GDPR and are subject to the repercussions of non-compliance and compensation claims by the other. In other words, if you are the processor and have breached the GDPR, you may be on the hook for some fines, but the story may not end there, because the controller (possibly another school for whom you are doing the HR or payroll) may come after you for some damages it may have suffered due to your breach of the GDPR such as loss of reputation, loss of revenue, etc.


Educate and train your staff on all of your policies and procedures. For example, train them on how they should handle a data subject access request, what they need to do during a data breach, how they must handle personal data, how they need to obtain consent from parents and guardians for minors, and your retention policy.


You need to make sure that you have proper IT security in place and have systems or processes in place that ensures that unnecessary personal data is not retained for an indefinite time and, indeed, used, for purposes other than what the individual has consented to. The IT security must also include access controls, encryption in rest and transit, firewalls, and malware detection.


Every single organization needs a data breach plan. We all know that if we do not know what to do in a stressful, panic filled situation, things get missed, forgotten, and delayed. Just think of fire drills or evacuations on airplanes. There is a reason why on every single flight there is a security/safety briefing. It saves lives. A data breach plan – saves schools and businesses.


Some business which are involved in significant processing of personal data will need to consider whether they need to employ a data protection officer.

• SOS – Help! – Hilfe! – Au secours! – ¡Ayuda! – Tarrtháil!

If you need help, here are various options out there from a legal consultant, an It consultant, a partly software solution with consulting, or an online GDPR framework solution.

Kim von Arx CEO & Samantha Simms Data protection officer

If you want to inquire about GDPR and have some questions about GDPR, feel free to reach out to d8amatiks at

Kim has over 18 years of experience leading TMT fortune 500s and start-ups to legal and privacy compliance as a GC, CPO, and advisor. He has held leading roles in global privacy policy developments and international NGO committees such as the ITU, UN, ICANN, and CENTR.

Please submit your comments below.

Share your expertise

Do you have something to say about this or any other school management issue which you'd like to share? Then write for us!

Share this article

© 2024 All Rights Reserved