The 9ine Blog




GDPR: A summary for schools

The GDPR countdown is on. And, if you’re feeling confused by the endless technicalities, numerous clauses and threats of hefty fines, we’re here to cut through the noise with some plain talking.

To conclude our current series of GDPR articles for schools, we’ve set out to summarise the central issues, giving you a good general overview.

GDPR in a nutshell

First up, let’s define GDPR – General Data Protection Regulation. Essentially, it’s an EU regulation that’s designed to strengthen data protection for everyone in the public, private and third sector, giving back control to individuals.

GDPR covers data stored on servers, databases, websites and even on paper. And it’s being introduced because of the huge advances in technology, which have had an incredible impact on the way data is used and stored.

In practical terms, it means doing everything reasonably possible to protect sensitive and personal data. It relates to governance, structure, security measures, cyber security breach procedures, risk management … essentially anything that involves data.

GDPR comes into effect on 25 May 2018, so there’s not long left to prepare. And Brexit – whenever it happens – won’t affect its implementation.

So, what do you need to do to ensure your school is compliant?

Steps to compliance

GDPR is a challenge for organisations in every sector. But it’s particularly tough for schools, as you have limited resources yet handle a high volume of sensitive data relating to both students and staff.

Once GDPR comes into force, you’ll need to know exactly what data you hold, where it is, who’s able to access it and how long it’s stored for. The following steps will help ensure you’re able to prove compliance:

  1. Appoint a data protection officer (DPO) – more on that below and
  2. Have a documented risk methodology and risk log.
  3. Implement technical and organisational measures to demonstrate compliance in processing.
  4. Update your software and firmware – if you’re not sure where to start, our GDPR technical assessment will help you determine any risks.
  5. Complete data privacy impact assessments (DPIAs) on your systems – and evaluate them for encryption and pseudonymisation.
  6. Meet the requirements of Cyber Essentials – our ICT technical, cyber and operational health check includes a Cyber Essentials assessment.

Appointing a data protection officer

You may already have a data protection officer (DPO). If so, you’ll have to carefully review their role to ensure there’s no conflict of interest. And if not, the likelihood is that you’ll need to appoint one. Remember though, due to the stringent GDPR regulations, the majority of your senior management team would be unable to fulfil the DPO role.

For advice on appointing the right DPO, it’s worth having a look at the Article 29 Working Party guidance from the current EU independent advisory body on data protection and privacy.

And, if you’re looking for more detailed advice on appointing a DPO, check out our recent article.

Practical links to help you out

While there isn’t much advice in the public domain geared specifically towards schools, the ICO is a good general starting point.

Try the self-assessment questionnaire to discover how ready you are. And show the video to your governing body.

How 9ine can make your life easier

GDPR poses a particular challenge for the education sector due to the overriding issue of limited resource. But the good news is that you don’t have to cope with it alone.

With the benefit of accredited and experienced support, you can identify and implement the correct change programme in a timely and cost-effective manner. 

Our certified GDPR practitioner team will give you comprehensive support and confidence on your journey to GDPR compliance. We’ve also put together a GDPR Readiness Tool Kit, available to all our clients. 

Schools working with 9ine on their GDPR readiness are now supported with the following benefits: 

  • Access to professionals who are experts in their field of GDPR readiness, data protection, cyber security, IT operations and change management.
  • Part of a wider programme of GDPR Readiness with over 30 other schools across the UK and internationally. This brings with it a wealth of insight and use cases that will be drawn upon for your readiness programme.
  • Led by an organisation that has practical, hands-on, day-to-day expertise and experience of working in schools. This practitioner-led approach enables our team to advise on familiar use cases and examples.
  • Coordination with real-time lessons learnt, advice and guidance from across the portfolio of 9ine’s schools through a dedicated 9ine consultant responsible for the programme governance of all our schools.
  • Peace of mind through a clear pathway to full compliance, along with the tools to support it
  • Clarity on the cost of achieving and maintaining compliance
  • Practical guidance on what constitutes compliance in schools, based on current experiences within the sector
  • Practical tools and templates that accomplish key auditing, management and monitoring processes mandated for compliance
  • Strategic and operational management of all projects leading to full compliance, including the governance, monitoring and rapid remedial action for tasks
  • Staff training and awareness of the requirements of data protection and compliance, including how it affects them in their roles
  • Guidance on setting up policies, procedures and processes that will ensure compliance is by design.

GDPR courses for schools

We’re also running two courses specifically for schools:

  • A 5-day GDPR Certified Practitioner Course
  • A 2-day GDPR Awareness and Impact On Schools Course

More information about the courses is available here.

GDPR Readiness Tool Kit

Our GDPR Readiness Tool has been created using the same framework and set of standards as published by the ICO in their getting ready for GDPR Assessment Questionnaire. 
