Over the next few weeks I will be publishing a series of blogs focussed on the General Data Protection Regulation (GDPR) and its implementation in schools, academies and trusts. The first of my posts focusses on the information overload currently facing schools and academies.

On 25th May 2018 the GDPR comes into force and will replace the existing legislation (Data Protection Act 1994) governing the use of personal data. Organisations that deal with people’s information are being advised to take reasonable steps in readiness for the implementation of this change in law.

In the education sector the subject of data protection has long been veiled in mystery. There are plenty of well-established myths regarding the complexity and the apparent burden that goes into achieving compliance and avoiding budget breaking fines from the Information Commissioner’s Office (ICO) if data protection goes wrong.

Recently, the smoke and mirrors which surround these challenges appear more disorientating and confusing than ever. Schools have found themselves bombarded with a flurry of “helpful” guidance about what to do to prepare for GDPR from suppliers of products capable of performing all sorts of wonderful tricks to assist with data protection. This illusion is persuasive and the threat of increased fines is being successfully used as leverage against school leaders already drowning in huge amounts of data.
The reality is that there is no magic software solution to purchase, or training seminar to attend that provides a quick fix solution for GDPR compliance.

Compliance is, of course, only the first stage in an evolving process that should permeate through decision making in schools. Accountability for data protection under GDPR has not changed significantly, but there is a greater emphasis on how leaders and Governors evidence that they have considered the potential risks of using personal data in new ways.

Providing schools have been proactive in their approach to compliance with existing data protection law, the additional steps that GDPR will require should be achievable without large scale investment in either infrastructure or resources.

Knowing which advice can be trusted is a challenge, but there are some reliable sources that provide concise and balanced guidance for schools. The ICO website is a sensible first port of call, with plenty sector specific advice available:


I would strongly advise schools and academies to steer clear of snap purchases and instead focus on taking some measured steps towards understanding where and how all personal data is being used in their organisation. Take care to include any data sharing, or access to data that may occur between your school and service providers.
Securing early buy-in from senior leaders, governors or trust directors and training all staff on the basic principles of using personal data will help to underpin support for any changes which may need implementing. Identifying potential areas of risk is a sensible next step along with a plan for what should happen if things go wrong.

Check that your school has policies, procedures and a Privacy Notice that describe your organisations approach to data protection and that these are available on your school/trust website – transparency is a key aspect of GDPR.
Whilst this list may already look extensive, don’t panic! The GDPR will require you to take advice from an expert who can guide you through the confusions of data protection, revealing any unnecessary sleights of hand along the way.

Now, where do schools conjure up an expert of this nature? This is another trick completely and the subject of my next blog!

James Plant is the Operations Director at S4S and specialises in supporting schools and academies with all matters of data protection.

For more information about how S4S support schools, academies and trusts, please contact us:
email: info@services4schools.org.uk
Telephone 01902 203990