• Careers
  • Contact Us

GDPR, One Year in - 4 Data Protection Takeaways for Academy Trusts

on Wednesday, 26 June 2019.

The GDPR and the Data Protection Act 2018 have been in force for over a year now. This article details what we've learned and the significant points for trusts to consider as we enter the second year of the new regime.

Data Breaches Are Often Preventable

With the benefit of hindsight, there is usually action that a trust could have taken to prevent a breach, or at least lessen its impact.

In particular, we've noticed that most trusts could do more regarding:

  • Implementing Effective Training for Staff
    Human error plays a large role in why incidents occur and this can be guarded against with good guidance for staff. Training which is not practical or engaging is unlikely to be sufficient. Not only will training help prevent breaches but will often count as a significant mitigating factor in the eyes of the ICO should something go wrong.

  • Ensuring That Their Network and IT Systems Are Secure
    Data breaches are happening because schools are not implementing basic technical measures.

Accountability Is a Key Part of GDPR Compliance

Under the GDPR, it is not enough to simply comply, you must also be able to demonstrate how you are complying through documentation. We've noticed that whilst most trusts have some policies in place, many lack all of the required documentation (eg a record of processing activities, records of consents) to show compliance. We are aware of Freedom of Information Act requests being made for certain data protection documentation.

People Are Increasingly Aware of Their Rights

It's not really a surprise that trusts have received a large number of subject access requests (SARs) since the GDPR came into effect. What was less expected is the number of people complaining about other aspects of data protection, for example, about academy trusts sharing their personal data with another organisations.

Trusts with procedures in place to deal with the exercise of rights (eg SARs) are in a much stronger position when up against the ticking clock of the statutory deadline. In addition, seeking legal advice at an early stage is helpful because there are often strategic considerations which should not be left until the last minute.

Banner MOS Elearning Jun19


Don't Forget Organisations Connected to Your Trust

Trusts understandably have focused on the compliance around their core activities. However, there are data protection considerations in relation to connected organisations, such as trading subsidiaries, and PTAs.

For example, if a connected entity is a separate data controller, they will have to pay the data protection fee to the ICO unless they are exempt. Farrow and Ball recently lost their appeal against the ICO's £4,000 fine for failure to pay the fee on time.

We have also developed a Data Protection Manual containing key documents and policies for data protection compliance, including all of those which are explicitly required by the GDPR and the Data Protection Act 2018. Please contact us in the usual way if you would like to find out more.


To ensure your trust is compliant with data protection law, please speak to Claire Hall in our Data Protection team on 0117 314 5279, or complete the below form.

Get in touch

First name(*)
Please enter your first name.

Last name(*)
Invalid Input

Email address(*)
Please enter a valid email address

How can we help you?(*)
Please enter your message.

See our privacy page to find out how we use and protect your data.

Invalid Input