Reforms to data protection under the General Data Protection Regulation come into force May 2018

09 January 2017

From 25 May 2018 the Data Protection Act (DPA) will be replaced by the General Data Protection Regulation (GDPR). These new EU regulations are intended to strengthen and unify the safety and security of all data held within an organisation.

Under the DPA, schools and colleges have a duty of care to ensure that the data they have is kept safe and secure, but the GDPR will fundamentally change the way organisations, including schools and colleges, manage data and information, and will bring increased responsibility to ensure all data is managed in the right way. A clearly defined e-safety policy is vital to ensure all key stakeholders know what they need to do to remain compliant with the GDPR.

Changes include:

  • Under the GDPR it will become illegal not to have a formal contract or SLA with your chosen data processor. Currently there is no such obligation (although it is good practice to show due diligence when choosing an IT recycling partner).

  • Minimum competencies and accreditations of your chosen IT recycling partner/data processor - using one who does not meet these competencies will become a criminal offence. 

  • Higher penalties for non-compliance.

The Information Commissioner’s Office (ICO) suggests a number of ways in which organisations such as schools and colleges can prepare for these changes and has published a 12-step checklist. In summary:

  1. Awareness: ensure decision makers and key individuals in your school or college are aware that the DPA is changing to the GDPR. They need to appreciate the impact it will have and how the new legislation will affect your institution.

  2. Information you hold: organise an information audit and document the personal staff and student data you currently hold, where it came from and who it is shared with.

  3. Communicating privacy information: review your current privacy guidance and put a plan in place for making any necessary changes in good time.

  4. Individuals’ rights: check your current procedures to ensure they cover all rights of individuals, including how personal data is deleted, or how data is provided electronically.

  5. Subject access requests: update your procedures, plan how you will handle requests within the new timescales and provide any additional information.

  6. Legal basis for processing personal data: review the various types of data processing you carry out, and identify and document your legal basis for carrying it out.

  7. Consent: review how you are seeking, obtaining and recording consent and whether any changes are required.

  8. Students: start thinking about what systems you are going to put in place to verify individuals’ ages, and to gather parental or guardian consent for the data processing activity.

  9. Data breaches: ensure you have got the right procedures in place to detect, report and investigate a personal data breach.

  10. Data protection by design and data protection impact assessments: consider when to begin implementation of the Privacy Impact Assessments at your school.

  11. Data Protection Officers: designate a data protection officer or an individual to take responsibility for data protection compliance.

  12. International considerations: consider the implications for those organisations with international operations.


The following information may also be useful: 

ASCL is in discussion with the Department for Education about the implications for schools and colleges, and the provision of detailed guidance for them about the changes. More information will be provided on the website as it becomes available.