Legislation and Guidance

The UK introduced the Data Protection Act 2018, which includes all aspects of the
GDPR and also covers derogations (areas where GDPR allows EU Member States to make
their own choices).

The Information Commissioner’s Office (ICO) is the UK supervisory authority for data
protection. The ICO has a large amount of guidance on its website and continues to
produce more.

Data Controller Status

A school is a data controller and is solely responsible for ensuring that it complies with data
protection law, including GDPR. This is true of all schools, including maintained schools, as
schools are considered ‘public bodies’ in their own right.

Compliance

GDPR compliance is not achieved through one policy or one IT system. Culture,
accountability, transparency of actions, training, policies and respect for the rights of
individuals are all key areas of work.

The ICO has guidance on its website for organisations on GDPR.

The ICO also has a self-assessment tool that highlights the areas of work and allows
organisations to see where their current practices stand against GDPR requirements.
We recommend schools undertake this assessment.

Schools may wish to seek their own legal advice as well.

Training

The ICO website should be the starting point for schools wanting to learn more about GDPR.
Whilst there are many companies promoting GDPR specialties and training courses, schools
should look to companies who have been working in the data protection arena for some time
to ensure they are approaching a company with appropriate expertise.