GDPR for schools: The complete guide to GDPR compliance

UK GDPR governs how we use, process, and store personal data. It applies to all organisations within the EU and those supplying goods or services to the EU or monitoring EU citizens. This includes schools. So how does the UK GDPR work for schools, how can you stay UK GDPR compliant, and what are the risks of non-compliance?

In this blog post, we'll cover:

  • What's the difference between personal data and special category data?
  • What does GDPR mean for schools in the UK?
  • How can schools become UK GDPR compliant?
  • What you need to know about data processing in schools
  • What are the risks of non-compliance?
  • Data processors & data controllers: Their role in schools
  • At what age must students be consulted about their data processing?
  • What steps to take in case of a data breach in your school
  • How can schools work with the ICO?
  • What is the Data Protection Officer's role?

What's the difference between personal data and special category data?

Any information that can be used to identify a person or their family is considered personal data. This would include their name, address, contact information, disciplinary history, as well as their grades and progress reports in school records. Even if an individual chooses to make this information public, it remains ‘personal’.

Special category data requires a high level of protection due to its sensitivity. Racial or ethnic origin, political or religious convictions, genetic or biometric data, mental or sexual health, sexual orientation, and trade union membership are examples of this type of information.


What does GDPR mean for schools in the UK?

When it comes to the UK GDPR, the education sector has it tougher than most because children's data needs special protection, and schools and colleges generally operate on low budgets, making it difficult to hire a professional data protection team.

UK GDPR requires schools to be more accountable for the information they collect. Therefore, all actions that do not comply with usual school procedures will require a student's full consent, particularly if data is handled by a third party.


How can schools become UK GDPR compliant?

When working toward UK GDPR compliance, there are a few key steps to remember. To begin, you must familiarise yourself with the UK GDPR legal framework. Make sure you understand the laws in place, the consequences of failing to meet their requirements, and the individual rights you must uphold, such as:

  • Right to be informed
    Schools must ensure all staff and students are aware of UK GDPR, how data is collected and stored and the implications of a breach.
  • Right to give consent
    Schools should have systems in place that gather parental consent for data processing and also verify individuals' ages.
  • Right to know where your data is stored
    The school must provide visibility on what software is being used for teaching and data collection, such as teaching apps.
  • Right to rectification
    The school must give the student the ability to request changes to his or her personal data if he or she believes it is out of date or inaccurate.
  • Right to erasure/right to be forgotten
    The school must give the student the ability to ask for the deletion of their data. This will generally apply to situations where the student's relationship with the school has ended.
  • Right to restrict processing
    A student can exercise this right to ask that a request (for example, a loan request) be reviewed by a person, because he or she believes that automated processing of the request will not take the student's individual situation into account.
  • Right to data portability
    The school must allow the student to request that his or her personal data be relocated. The student may request that his or her personal data be returned (to him or her) or transferred to another controller as part of such a request.

Additionally, because schools are considered public authorities under UK GDPR, they are obligated by law to hire or appoint a Data Protection Officer.


What you need to know about data processing in schools

All organisations, including schools, can process data provided that they document a legal basis for doing so. These bases are, in many cases, very broad and will almost certainly align with your data processing practices under the UK GDPR’s predecessor, the DPA (Data Protection Act) 1998.

For schools, most processing can be justified on the grounds of public interest. This refers to any activity that is necessary to carry out a specific task that ensures the welfare of the general public or to exercise official authority.


What are the risks of non-compliance?

Being UK GDPR compliant is crucial in today's day and age when it comes to protecting students' data. To prevent data breaches and avoid putting the security of teachers and students at risk, schools must understand that complying with UK GDPR is extremely important.

Non-compliance can lead to a serious data breach which could result in:

  • Heavy fines
  • Warnings and reprimands
  • Temporary or permanent bans on data processing
  • Rectification, restriction or erasure of data

Having legislation such as the UK GDPR means that there will be accountable individuals in the school, which keeps them alert and motivated to comply at all times. Fortunately, because of that, many schools have put strict data protection policies in place and have briefed their staff on these policies as well.


Data processors & data controllers: Their role in schools

Handling personal data under the UK GDPR involves two roles, and each has very different responsibilities.

In most data collecting and processing activities, the school is the data controller. This means it determines whose information to collect, what types of data are needed and why they are necessary. Data controllers must also decide:

  • Whether the information will be shared with a third party and, if so, what that third party is.
  • When and where a student's rights apply and how students can exercise those rights.
  • How long the data will be kept in the school's possession and whether that is the correct amount of time.
  • Whether to make any changes to the data on a routine basis, and if so, which data the changes will be made to.

Data processors, by contrast, are the people or organisations handling personal data on behalf of the data controller. They are responsible for activities such as:

  • Handling the logistics of data processing activities.
  • Making sure that all personal data of students is stored safely.
  • Putting into place necessary controls for personal data transfers.
  • Erasing personal/special category data when it is no longer needed.

The data processor, in this case, may be a third-party data protection officer (DPO) that the school has hired as an individual/team or a data privacy company such as DataGuard.

Both data controllers and processors can face severe consequences in the event of a school data breach as both these parties are equally accountable for complying with UK GDPR.

Therefore, when schools hire a third-party data processor, it is important that they form legal contracts that lay out how the data processor will meet their requirements. This will allow both the school and the third party to come to a mutual understanding of what is clearly expected of them.


At what age must students be consulted about their data processing?

The UK GDPR states that schools cannot legally obtain consent from minors. If the student is a minor, the school must take it upon itself to obtain legal consent from a parent or guardian of the minor. The school must also make efforts to verify that the parent or guardian in question does, in fact, hold parental responsibility for that minor.

In the UK, a minor is considered to be a person below the age of 13. Therefore, if the student is 13 years or older, the school must obtain the student's own consent. However, requests for consent from students below the age of 18 must be made in writing in a clear and understandable manner.


What steps to take in case of a data breach in your school

According to the UK GDPR, if a school learns that a data breach has occurred, the first thing that the school must do is to understand the severity of the breach.

If the breach poses a risk to the rights of any individual, for example where it may affect any individual financially, economically or socially, it must be reported to the Information Commissioner's Office (ICO), and the situation must be investigated immediately.

But how do you determine if any of the above has occurred? Here are a few pointers to keep in mind:

  • Financial loss
    This applies to data such as staff and student banking information or staff payroll information that has been breached.
  • Social damage
    This applies when special category data such as staff and students' special needs information, students' behaviour information, students' child protection information, staff pay scale and payroll information and students' academic information is breached.
  • Identity theft or fraud
    This applies when data such as names, dates of birth, home addresses and completed student progress sheets are breached.
  • Reputational damage
    This applies when data such as staff or pupil performance management records, as well as child protection records are breached.

Since the ICO must be notified promptly after a data breach, let us take a look at how schools can make the process quicker and more efficient and be ready to act accordingly if a breach does occur.


How can schools work with the ICO?

If the school comes to an understanding that the breach meets notification requirements, the school will have 72 hours from the time the breach was discovered to report it to the ICO. Schools must provide a detailed document about the breach, including the following points:

  • How big the damage was.
  • When, how, and who first discovered the breach.
  • What time the breach happened.
  • What kind of data protection training the staff or third-party has received.
  • Whose data has been breached and is at risk.
  • How the school is responding to the breach.

The ICO will not expect you to provide a long and comprehensively detailed analysis, because you only have 72 hours after the breach to notify them. However, you must provide as much information as you can about the damage that occurred.

Once you have notified the ICO, they will confirm the school's breach, and it will be actively looked into along with other active breaches. The school will be kept in the loop to understand whether the investigators are happy with the school's actions.


What is the Data Protection Officer's role?

The main responsibility of a DPO is to oversee that the personal data of an organisation's employees, customers, providers and, in this case, students is processed in accordance with the applicable data protection regulations.

The responsibilities of a DPO were recently published in Article 39 of the UK GDPR. They are as follows:

  • Mediating interaction between an organisation and the appropriate regulatory agencies.
  • Educating all staff on the UK GDPR's requirements.
  • Keeping track of any data processing activities that take place across the organisation.
  • Communicating with students in order to inform them how the organisation stores, secures and uses their personal information.
  • Communicating all data protection procedures to employees, parents, and students.
  • Responding to requests for copies of personal data or, when required, the erasure of data.

Data Protection Officers help schools to:

  • Learn everything there is to know about the personal data kept by the school, how it is stored, and how it might be used.
  • Fully adopt a strong data security policy.
  • Provide UK GDPR and data protection training for all employees.
  • Work with relevant authorities to make sure the organisation complies fully with UK GDPR.

A thorough and efficient DPO, whether internal or external, must make sure that UK GDPR compliance is always met when obtaining, storing and changing students' and staff's personal data.

A DPO’s role is ever-changing with technological advances in data protection. Therefore, it must be understood that the ideal DPO must be tech-savvy, law-oriented, and willing to further educate themselves on the topic of data privacy and protection.


Is your school UK GDPR compliant?

We hope that this guide has provided you with a better understanding of the importance of data protection in schools, the impact of UK GDPR on your school, and how to enhance and execute your school's data protection policy and UK GDPR compliance.

Take action now to become UK GDPR compliant and protect yourself against data breaches. Schedule a call with one of our GDPR experts today to ensure GDPR compliance for your school.


About the author

DataGuard Privacy Experts

Dive into the world of data protection, compliance, ethics, and data security with hands-on advice and actionable opinions from our certified Data Protection Officers and Privacy Consultants from Germany, the UK, and Austria. Coming from a wide range of backgrounds like business, legal, tech, or marketing, our specialists share the latest news and solutions to current challenges, as well as their takes on recent judgements and legal decisions with you. Their aim? Enable you to make the right decisions and keep your business safe, build trust, and grow revenue while remaining compliant with current privacy laws. What makes our specialists qualified? These are some of the certifications of our privacy experts: Certified Information Privacy Professional/Europe (IAPP), Certified Information Privacy Manager (IAPP) Information Security, Certified Information Privacy Technologist (IAPP), Certified Practitioner in Data Protection (BCS), Certified Data Protection Officer (TÜV), Fellow of Information Privacy (IAPP), Certified EU General Data Protection Regulation Practitioner (IBITGQ), Data Protection Officer & Europrivacy Auditor, Practitionier Certificate in Data Protection, PC.dp. (GDPR)
