• Careers
  • Contact Us

GDPR - 25th May - Deadline or Start Line?

on Tuesday, 08 May 2018.

It will not have escaped your notice that the General Data Protection Regulation comes into effect on 25th May.

Many schools are reporting that they still have work to do. We would like to reassure you of the recent message from Elizabeth Denham of the ICO "For those that still feel there is work to be done – and there are many of those too – I want to reassure you that there is no deadline. 25 May is not the end. It is the beginning". 

It is our view that the ICO will focus on an organisation's compliance journey when considering compliance, albeit that we will all be expected to prioritise high risk areas, such as information security and fundraising without delay.  

There is a wealth of materials available to help schools with GDPR compliance. The ICO has updated its own resources which may be helpful. Their GDPR guide contains useful guidance, toolkits, checklists and FAQs based on real queries received by their customer contact team. In addition, the ISBA have some GDPR-related resources which are available to members and the DfE published a Data Protection toolkit for schools on 23 April, although this is still expressed to be a 'beta' version and subject to ongoing consultation and refinement.

We are reviewing all available guidance and have detailed sector-specific documents, training and resources to help schools with their GDPR obligations. We consider the following to be essential documents:

  • A Data Protection policy for staff;
  • An Information Security policy (which could be part of, or separate to, the Data Protection policy);
  • An Information and Records Retention policy; and
  • Privacy Notices for pupils, parents and staff (including prospective, parents and staff). Privacy notices are an explicit requirement under the GDPR.

In addition, it will be necessary for schools to update many other contracts and policies to ensure compliance with the GDPR and the expectations of transparency at its core. We would recommend that you focus on Employment and Parent contracts first, and then on other high risk areas, such as third party contracts, fundraising, bursary and credit control materials.   

Training - GDPR Events and MyOnStream

We have been delighted to welcome many of you to updates and GDPR-related events which we have run or at which we have spoken at over the last year or so. We will be speaking at the upcoming ISBA National Conference in Brighton on 10 May and will be happy to answer your questions there. 

Many schools have recognised the value of training all school staff on the essentials of data protection and information security, to introduce their new policies, to reinforce learning and help manage data compliance and to manage schools' exposure in the event of a breach. To help schools deliver this, we have developed an e-learning solution 'MyOnStream' which enables you to train all staff via an online platform, which includes school-focussed training, a quiz to test understanding and confirmation that staff have read and understood your staff privacy notice and up to date policies and procedures. 

To find out more about how our MyOnStream product can help you and your school, please click here.


For more information, please do contact Andrew Gallie in our Data Protection team on 0117 314 5623.

Leave a comment

You are commenting as guest.