December 2017


  • All the right moves
    The future is never certain in the world of education says Geoff Barton. However, one thing leaders can rely on is that ASCL will continue to protect, defend and advise them. More
  • Preparation is key
    New data protection laws will apply from next year and schools and colleges must prepare for them now says Daljit Kaur, Associate at Browne Jacobson. More
  • Head first
    In a bid to equip young people with the tools to navigate their mental health and build their self-esteem, mental health organisation The Self-Esteem Team shares its top tips for staff and pupils. More
  • Time to speak out
    LGBT+ students need more role models among their teachers if they are to come out with confidence, says Daniel Gray, one of the organisers of new support and advocacy group LGBTed. More
  • Leading character education
    As discussion grows around character education, researchers David Sims and Matt Walker from the National Foundation for Educational Research (NFER) highlight key findings from a new research project into the ways that five pioneering schools are leading character education within their settings. More
  • The gift of knowledge
    In celebration of the 100th issue of ASCL's Leader magazine, we asked senior leaders to share one piece of advice they would give to their younger selves if they were starting their first leadership role today. Here's what they said... More
  • Unfair shares
    Sam Ellis, Susan Fielden and Julia Harnden test out the National Funding Formula (NFF) and find it wanting. More
Bookmark and Share

New data protection laws will apply from next year and schools and colleges must prepare for them now says Daljit Kaur, Associate at Browne Jacobson.

Preparation is key

Given the publicity over recent months about the General Data Protection Regulation (GDPR), schools and colleges should be aware that it cannot be ignored. The Regulation will apply from 25 May 2018 and the current Data Protection Act will be abolished.

In September, the government released its draft Data Protection Bill to update the current law and to enact some of the derogations available under GDPR. Regardless of the Data Protection Bill, GDPR will apply from next May.

What does this mean for schools and colleges?

Schools and colleges should take steps now to ensure compliance with the requirements of GDPR by May. While they already have responsibilities under the current Data Protection Act 1998, GDPR imposes new requirements (including the requirement to appoint a Data Protection Officer and notification of personal data breaches) and provides new rights to individuals. They will not be able to avoid the new legal requirements coming into effect. Before starting on any preparations, it’s important that school and college leaders understand what will change under GDPR.

What will change?

Many concepts and principles from the current Data Protection Act will remain the same, although be aware of new obligations under GDPR that enhance individuals rights and sanctions. Some of the changes include the following:

Enhanced Definitions

Personal Data now explicitly includes an identification number or location data. This means, for example that an Internet Protocol (IP) address or roll number will also amount to personal data.

Special Categories of Personal Data will replace ‘Sensitive Personal Data’ and extend coverage to include “the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person”. GDPR does not include the previous categories relating to commission or alleged commission of an offence or proceedings relating to the same. ‘Explicit’ consent will usually be required when processing data within the special categories of data (unless another category for processing such data has been satisfied).

Under the GDPR, there are six Data Protection Principles that require that data be:

  1. processed in a fair, lawful and transparent manner
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
  3. adequate, relevant and limited to what is necessary
  4. accurate and where necessary kept up to date (inaccurate data should be erased or rectified without delay)
  5. kept in a form permitting identification for no longer than is necessary
  6. processed in a manner ensuring appropriate security of the personal data

As a data controller, schools and colleges will be responsible for, and must be able to demonstrate, compliance with these principles and be accountable for demonstrating such compliance.

How will you be able to demonstrate compliance and accountability?

Transparency and accountability is a major theme of GDPR. Accordingly, schools and colleges will need to be able to show how they comply. Some of the steps you can take to show this are set out as follows:

Step one: Information audits
Under GDPR, there will be a requirement to maintain a record of processing activities. Steps should therefore be taken now to understand and review what personal data you hold, and how and why you are processing it. The record will need to include, among other things, the purposes of processing; a description of the categories of data subjects and the categories of personal data; categories of recipients to whom the personal data will be disclosed; and, where possible, the time limits for erasure of the different categories of data.

Step two: Policies and procedures
The Information Commissioner is highly likely to request copies of your policies and procedures, if ever it were to investigate any complaints or data breach. Make sure these are in line with GDPR, and are understood and followed by staff and cover some of the new changes such as:

  • Subject Access Request procedure
  • The new Regulation will require amendments as to how Subject Access Requests are handled to include the requirement to comply with the request within one month and be free of charge.
  • New rights
  • You must ensure you have processes that ensure the right to rectification (inaccurate data corrected) and of the right to erasure (forgotten) in appropriate circumstances.

Step three: Privacy notices
As a data controller, GDPR requires that information relating to how you are processing an individual’s data must be concise, transparent, intelligible and easily accessible. It should be written clearly using plain language and also be free of charge. As organisations processing information relating to children, you will need to ensure that your Privacy Notices are written in a clear, plain way that a child will understand. You should therefore be taking steps to review your Privacy Notice.

Step four: Consent for processing of personal data relating to a child
Where you are offering any online services to children and young people, you may need to obtain consent from a parent or guardian to process the child’s/ young person’s data. While GDPR states that a child or young person under 16 years can’t give consent, the government has indicated in the Data Protection Bill that under the derogation, it will be lowering this age limit to 13 years. Parental/guardian consent will not be required to process data relating to preventative or counselling services offered directly to a child or young person.

Step five: Data Protection Officer (DPO)
Maintained schools and colleges, and academies, will require a DPO. (However, there is provision for a group of schools/colleges, for example, a multi-academy trust, to appoint a single DPO.) This officer can be an existing staff member (provided their other role does not result in a conflict of interest) and s/ he will report to the highest level of management in your organisation. The DPO will have responsibility for:

  • informing and advising the school/college and its employees about the requirements around data protection
  • monitoring compliance with GDPR and other legal data protection requirements, including the organisation’s policies relating to the same
  • raising awareness and training staff
  • related audits
  • being the contact point for and co-operating with the Information Commissioner’s Office (ICO)

Preparation is key

Throughout this article, I have summarised some of the important aspects of GDPR that will impact on schools and colleges. Your preparation for its implementation is key and should include a detailed review of your policies, procedures and documentation to ensure compliance with new requirements, appointment of a DPO and staff training.

Failure to comply could result in an investigation by the ICO and possible enforcement action that could include a fine or legal action.

GPDR Seminar

Browne Jacobson is ASCL’s premier partner for legal and HR advice. ASCL PD is hosting half-day seminars in London in January on GDPR for School Leaders: Act now to ensure compliance.Find out more and book your place online at

Daljit Kaur
Associate at the law firm Browne Jacobson