'GDPR three years on – Is it part of your school’s culture?' - Judicium in The Headteacher

Posted 15th February 2022

Craig Stillwell urges schools to make data protection much more than a box ticking exercise...


Remember what you were doing on Friday, May 25, 2018?

With all that’s been going on since then you’ll be forgiven for not remembering without looking back at your calendar, where you’ll probably find some reference to the EU’s General Data Protection Regulations (GDPR) because that’s the day when they came into force.

The regulations defined how organisations, including schools and multi-academy trusts, should store, use and send information relating to ‘data subjects’, including children, parents and staff.

The introduction of GDPR just over three years ago was important because it ushered in a new era of data regulation and correspondingly increased our awareness of our rights and responsibilities when it came to the storage and use of data.

A lot of turbulent water has rushed under the bridge since then. The UK left the EU at the end of 2020 but UK data protection laws, now known as UK GDPR, continue to be closely aligned to EU GDPR, at least for the time being. The regulations created a big shift in the way schools handle data and deal with data requests. There is now a higher awareness of data security and privacy but that wasn’t always the case.

Five years ago data requests were so rare in schools that they barely existed. Now, if I polled schools I would say that at least nine in ten would say that they had at least one data request of some description.

Data requests are now commonplace and often emerge when there is some kind of difficult situation, disagreement or concern. Requests from staff could be linked to performance or conduct issues. With parents it may be associated with an incident with a child. Changes in regulations, such as safeguarding legislation, can also result in more data requests.

So, the demand is there and growing and as a result schools have to ensure that they are on top of GDPR or they risk a breach of the regulations which could result in them being reported to the Information Commissioner’s Office.

Changing approaches

In those three years since the introduction of the regulations the approach schools take to data protection has changed in many ways. And in some ways it has changed very little.

A study of the processing of personal data in 11 multi-academy trusts published by the Information Commissioner’s Office (ICO) reported plenty of areas of good practice, but also highlighted a range of areas where practice needed to improve.

These included the management of information risks; the report suggested that 63 per cent of MATs did not sufficiently manage these risks because they did not have a specific information risk register in place identifying the key information risks at academy and trust level, with no assigned risk or information asset owners. Although the study was carried out two years ago, the same issues still occur.

Who takes responsibility for the role of DPO is one area that has changed. When the regulations came in, that role was often taken by someone internally. This may have been the school business manager or another member of the SLT. That approach has created problems.

Although the regulations say nothing about who a DPO post holder can or can’t be, they do require the person responsible to have expertise in the area of data protection, and the role must not result in conflicts of interest with their primary responsibilities.

Rule of Thumb

The more senior you are, the more difficult it is to be a DPO. If you are, for example, a DPO who is a school business manager you might suggest that the school buys a new photocopier.

In order to comply with data protection regulations you would, as a DPO, recommend features that complied with data protection regulations, such as requiring a code to release print jobs.

But if your management team then recommends against it because of cost then this could create a clear conflict of interest. A good rule of thumb is to avoid any situation where responsibilities of allocating budgetary resources overlap with doing what is best for data protection.

The UK GDPR says that you should appoint a DPO on the basis of their professional qualities, and in particular, experience and expert knowledge of data protection law. That level of knowledge and experience is, of course, rarely found internally so DPOs are increasingly appointed from external organisations.

Although most schools took heed of the regulations back in 2018 some thought that they could comply by adopting a few policies and then assume that from then on they would be compliant without having to do very much more.

That approach may have been fine at the start but compliance means that data protection should always be front of mind or, to paraphrase the guidelines, data protection by design and default. For example, if your school is about to buy a new piece of technology, such as new laptops, or a service such as a new learning platform, then issues such as security of any personal data generated should be considerations as important as cost.

If schools can embed this data protection awareness in their cultures then they are far less likely to come up against data protection issues in the future.

Here's what you need to do

So, how can you build awareness of data protection in your school? Here is my advice:

  • Train - you may have enrolled staff in training in 2018 when the regulations came in but it's important to update their knowledge every couple of years, ideally annually.
  • Build day-to-day awareness - Flag up the regulations and the role of the DPO with updates about policies, recent incidents and risks to watch for at team meetings or briefings. Posters highlighting GDPR and data risks in key areas such as reception, offices, PPE rooms and the staffroom will provide a useful reminder.
  • Keep up to date - Ensure that policies and notices are up to date and accessible, ideally via a central folder.
  • Data protection from the off - Start completing data protection impact assessments when using new apps or software.
  • Audit - Carry out an audit of data use and risks in your school. This can be done as an internal audit but is more effective if you ask an external expert to come in. Share compliance and progress with the SLT and governors.
  • Use your DPO - Ask them if you have a question or concern about data protection.

Craig Stilwell is Head of Data Services at Judicium Education. For further information and advice on GDPR for schools and our data protection service, click here.