The European Parliament has now adopted the General Data Protection Regulation (“GDPR”).

This new legislation will become law across the EU in May 2018. Even post-Brexit, the UK will have to comply with the GDPR so that UK organisations can continue to operate in the EU.

Because schools and academies hold and process personal data about their pupils, staff and parents, they must ensure that they comply by May 2018. The new rules will apply to all schools and academies, whether they are maintained or independent.

Headlines for schools and academies

  • Higher penalties – the maximum UK penalty for a data protection breach will increase from £500,000 to the higher of 20 million Euros or 4% of an organisation’s worldwide turnover.
  • Consent – consent given by an individual to the processing of their data will have to be “freely given, informed, specific and explicit“. Permission will have to be given by an individual for each different use of their personal data. This is particularly relevant where details of alumni are retained for fundraising purposes.
  • Children – specific protection for children using online services could mean that where pupils are required to sign up for apps in the classroom, or to enable to do their homework, consent will have to be obtained properly.
  • Subject access requests – when an individual asks for details of the data that is held about them, it will no longer be possible to charge a fee. The 40-day deadline for responding will reduce to one month. The individual will be able to insist that the data is supplied in a format that can easily be read by a computer, such as a spreadsheet.
  • Right to be forgotten – individuals will be able to request the deletion or removal of their personal data. This could include removal of photographs and information from a school’s website, as well as deletion of certain information from the school’s internal computer systems and files.
  • Notification of breaches – in most cases where breaches of data protection lead to unauthorised loss, amendment or disclosure of data, organisations will be under a new obligation to notify the breach to the Information Commissioner’s Office within 72 hours. Theft of an unencrypted laptop containing 100+ pupils’ dates of birth and exam results from a teacher’s car would be considered a serious breach requiring notification.

Next steps

Organisations must start planning as soon as possible to ensure compliance by May 2018. Steps include:

  • carrying out an audit of all personal data held about pupils, staff, parents and other individuals, where it is held, and who it is shared with;
  • reviewing the grounds used to justify data processing, including consent;
  • reviewing data protection policies;
  • appointing a Data Protection Officer; and
  • training staff on their new data protection responsibilities.

For further help, advice or information, please contact Louise Connacher or a member of the Data Protection team.

Please click here to learn more on:

  • Our training days
  • Our Education seminar which focuses on GDPR
  • Audits
  • Drafting policies
  • Advisory services to help ensure compliance with the new legislation

Please note this information is provided by way of example and may not be complete and is certainly not intended to constitute legal advice. You should take bespoke advice for your circumstances.

Get In Touch Today!

Get In Touch Today!

Please complete this form to make an enquiry and we will get back to you as soon as we can.

Remember you can still call us on 0333 323 5292 or email us at

  • This field is for validation purposes and should be left unchanged.