GDPR: How education organisations should prepare for compliance

The General Data Protection Regulation (GDPR) is a new law relating to data protection, due to take effect on 25th May 2018. This may sound like the distant future; however, there are significant steps that need to be taken to ensure your teaching establishment is fully compliant.


Many question whether the need for compliance is still relevant, given the outcome of the referendum vote, however, as Brexit is unlikely to take effect before March 2019, all UK organisations, including educational institutions, will need to comply with GDPR as of 25th May 2018, or risk being in breach.  Even after Brexit takes effect, the UK will need to adopt its own legislation in place of GDPR, broadly similar in effect.  The Information Commissioner, who leads the regulatory body governing data protection compliance in the UK, has made it very clear that this will be the approach, so steps taken now to comply with GDPR will not be a wasted effort, but instead a way of future-proofing your compliance. On that basis, GDPR cannot be ignored.


As an education organisation, you will be processing various categories of data, mostly relating to students and staff, in order to carry out basic daily operations. For organisations such as yours, GDPR will require the designation of a Data Protection Officer (DPO). Whilst this role may already exist in some form, GDPR imposes much stricter qualification and experience requirements, meaning that simply ‘wearing this hat’ alongside their day job is unlikely to be sufficient. Recruiting or training a suitable individual should be an immediate concern, as in reality there are not enough sufficiently qualified specialists in the market to meet demand. Whilst educational organisations may be able to group together to hire a single DPO, the person appointed must be easily accessible to each organisation.


Within the sector, a large proportion of the processed data will be classified as sensitive, such as information relating to health records, classification of ethnicity or religious indicators. Your organisation should ask itself – Does it take adequate steps to ensure that it only collects information which is necessary for specific purposes? Does it only hold on to it for as long as it is deemed necessary? These are the concerns that must be addressed in advance of 25th May 2018. Data relating to children also raises the issue of whether suitable consent has been provided for its processing. In most cases, you will rely on the consent of parents or guardians. This consent needs to be clearly documented and the reasons for processing it need to be specific. Under GDPR, consent is going to become much harder to rely on and steps should be taken now to address this point.


Another factor for consideration is that individuals are becoming more aware of their legal rights in respect of data protection, with the scope of these rights increasing under GDPR. Subject access requests are increasingly common with individuals wanting to know what data is held on file about them and their children. Does your organisation understand the data it holds and where it is stored to be able to comply with such a request in a reduced deadline of 30 days?


Failure to tackle GDPR in time for it to take full effect could lead to significant consequences for any organisation. The Information Commissioner’s Office (ICO) will be able to impose fines based on a percentage of worldwide turnover or a fixed sum, whichever is higher. In some cases, this can be up to €20million Euros, a steep increase from the current maximum fine of £500,000.


Perhaps more importantly, any step taken by the ICO can and will be published. This not only puts the organisation under the scrutiny of the ICO going forward, but puts any breach or investigation in the public domain. Where trust and safety are the foundation stones of your organisation, this reputational risk could have consequences far more damaging than any monetary fine.

This article was written by Sarah Briscall, Commercial Solicitor at Shulmans LLP. For more information or to discuss your GDPR compliance plans, please visit or call 0113 831 3954.