6 Years On: Why Your Data Protection Culture Matters

Posted  5th June 2024

This is a summary taken from Judicium’s Data Protection ‘Sofa Session’ from the 5th of June, with our Data Protection Consultant Bethany Parker. This session focused on what we mean by adopting a privacy by design approach, why policies and procedures matter, and our top tips for adopting and embedding a data protection culture.

Data Protection and Digital Information Bill

The new Data Protection and Digital Information Bill was at the committee stage in the house of Lords. There was potential for this to receive royal assent this year, but it will need to be re-introduced in the next Parliament as it has not passed before the general election. Hence now is a great time to review the UK GDPR 6 years on. 

The General Data Protection Regulations remain the same, but organisations, and schools in particular, have had to meet lots of challenges when dealing with higher complexity requests and queries.

UK GDPR

It is about starting from the top down because developing a culture takes senior leadership awareness and implementation.  

As the onus is on organisations, and ultimately an individual’s right to refer to the regulator, it is vital to embed a data protection culture. If things do go wrong and the Information Commissioner’s Office become involved in a complaint, breach or request process, they will consider the measures you have put in place around data protection by design. The ICO can issue an enforcement notice against you for any failings in respect to section 25 UK GDPR. 

With the development of technology as well as individual knowledge and awareness, schools are coming across more specific, complex queries around how data is being processed, including questioning the lawful basis applied to that data and why data is being shared with other organisations, software or systems. 

Data protection officers (DPOs) at Judicium have seen in the last few years how these complex queries now further blend with other areas in schools. For example:
  • where does human resources come into play with drafting data protection compliance into contracts?
  • when safeguarding challenges meet data protection obligations

At these opportunities, although a DPO will advise on the data protection elements, it is vital there is an awareness of the cross advisory work which is often involved. 

Privacy by Design and by Default

Under UK GDPR, section 25 specifies requirements for data protection by design, this means considering data protection and privacy issues upfront in everything you do, taking full consideration of cost, nature, scope, context and purpose of processing as well as risk, likelihood and potential severity of the rights of individuals.

By default, also follows this approach, but outlines that measures need to be in place to limit the data sharing to what is necessary for each specific purpose. By default, personal data is not made accessible more than necessary. And above this default, steps are taken to review the design. 

The best way to think about this is to focus on integrating data protection legislation, guidance and key principles into everything you do and following the accountability principle by having a record of processing activities to recognise the purpose, lawful basis and scope applied. 

For schools the focus in 2018 was foundation level understanding of introducing processes above what was in place from DPA 1998 previously and to formalise the new legally required data protection impact assessment process.

Slowly, with greater knowledge, schools have moved from foundation understanding to recognising and asking further questions to third parties. They’re utilising the role of their data protection officer to advise on any further technical or organisational measures which should be undertaken to lower any potential risk. 

Poll 1

Poll 2

High Complexity Queries

Artificial Intelligence (AI)

With the rise in the use of AI, it has become a new field to recognise and navigate since the introduction of GDPR in 2018. This means higher complexity risk assessments need to be conducted by your DPO and implementing new policies or adapting acceptable use to cover this new element.  

Complex Subject Access Requests (SARs)

Individuals are generally asking for more specific data with stronger awareness, or calling into question exemptions which have been applied more than they previously would. This means when schools are applying the ‘safeguarding’ exemption, it is a prime example of seeking expert safeguarding advice to justify why it has been withheld. Especially if the individual complains to the ICO, schools will need to be able to evidence this review. Ultimately, a DPO can advise on the exemptions available to schools, but other teams will have more context around complex SARs to aid in justifying any exemption. 

Retention Queries

The development of retention queries is a specific example of retention being called into question. This leads to a higher onus on schools and trusts to frequently review both electronic and paper records held, and to justify the length of retention. 

Email Retention

Emails have been commonplace, but with the rise of data subject access requests (SARs), especially due to increased parent awareness, a common issue remains around the number of emails captured. We advise our clients to implement email retention policies of 2 to 5 years, which reduces workload in relation to SARs and falls in line with the data minimisation principles under UK GDPR. However, there is complexity in any emails that would require storage. It’s important to analyse the necessity, purpose and recognise where it is more beneficial to store.

Poll 3

Policies and Procedures

As you can imagine, when 2018 came along schools and trusts needed to ensure core policies were in place to outline the new data protection obligations set out in GDPR, including recognising the new DPO role, further individual rights, higher transparency and accountability and a focus on reporting to the regulator.  

Therefore, schools and trusts initially started with a data protection, breach and retention policies and a privacy notice for staff and parents and pupils. This would effectively outline the processes in place, individual’s rights, recognising the DPIA process and being transparent of third-party data sharing.

Moving forward six years, policies have adapted. As individual’s have become more aware and ask further questions, this has required further adaptations and policies such as social media, electronic communications, online safety, cyber security. These all play a part in outlining the link to data protection and ensuring individual’s rights are protected. With the progression and further adoption of Artificial Intelligence, it is important to stay ahead of the technology with a policy to outline your guidance. 

Overall, the progression of policies and transparency of your approach and data processing are in place to safeguard your school, reduce the risk of liability and promote consistency across the organisation for employees, pupils, parents, governors and all other stakeholders. 

Key Takeaways

All staff require: 
  • Up to date data protection training and awareness
  • Adequate policies, procedures and information accessible to them
  • Beneficial processes and day-to-day guidance (such as being aware of data request and data breach internal processes, of strong IT practices and overall DPO connection and utilisation).

Data protection culture is ultimately linked to staff awareness. Being able to keep an honest, open-door policy six years on with training and support provided from your DPO or SLT is essential.

Additional Info

You can find information regarding our School Data Protection Officer (DPO) service here.

If you’d like to review Judicium’s forthcoming Sofa Sessions please click here.

Jedu is Judicium's online GDPR compliance tracking software for schools. Our platform is suitable for single schools to large MATs and is designed to assist schools with two critical needs: To enable trustees, Governors and other SLT to monitor GDPR compliance; and to assist you managing your data protection.

If you would like more information on how we can support you or more information regarding Jedu, please get in touch with us.

If you require any support in any of these steps or would like to talk to someone surrounding some support for your school, please do not hesitate to call us on 0345 548 7000 or email georgina.decosta@judicium.com.

 Follow us on Twitter: @DPOforSchools and @JudiciumEDU

© This content is the exclusive property of Judicium Education. The works are intended to provide an overview of the sofa session you attend and/or to be a learning aid to assist you and your school. However, any redistribution or reproduction of part or all of the contents in any form is prohibited. You may not, except with our express written permission, distribute or exploit the content. Failure to follow this guidance may result in Judicium either preventing you with access to our sessions and/or follow up content.


The Rise of Internal SARs from Staff and How it Affects HR Processes
  October 02 2024

This is a summary taken from Judicium’s DPO ‘Sofa Session’ from 2nd October, with our Data Protection Consultant Sam Hall.

Read more

Get your Data Protection Ready for Summer Holidays
  July 10 2024

This is a summary taken from Judicium’s DPO ‘Sofa Session’ from 10th July, with our Data Protection Consultant Lane Baker.

Read more

Data Protection: Demystifying Data Mapping
  May 08 2024

This is a summary taken from Judicium’s DPO ‘Sofa Session’ from 8th May, with our Data Protection Consultant Jessica Gant.

Read more

Data Protection: What is a Lawful Basis?
  March 20 2024

This is a summary taken from Judicium’s DPO ‘Sofa Session’ from the 20th of March with Data Services Consultant Patrick Ballantine.

Read more

Tricky Subject Access Requests
  February 14 2024

This is a summary taken from Judicium’s DPO ‘Sofa Session’ from the 14th of February with Data Services Consultant Sam Hall.

Read more

A Guide to Subject Access Requests in 45 minutes
  January 16 2024

This is a summary taken from Judicium’s DPO ‘Sofa Session’ from the 17th of January with Data Services Consultant Laura Butler.

Read more