The 9ine Blog

9ine helps thousands of school leaders and IT teams protect their stakeholders by publishing critical changes, updates and best practice blogs. 

Subscribe to 9ine's monthly newsletter, 9News to receive monthly blogs delivered right in to your inbox.


GDPR in schools

GDPR in Education: In depth guidance & support for compliance

In preparation for the GDPR, organisations need to take certain steps to demonstrate they are taking the regulation seriously. In supporting education organisations, we have taken the guidance from the UK Supervisory Authority* and adapted it for schools. 

For more information on how we can support your organisation see our DPO Essentials Service here.

For each area we have provided some further useful information on how we can assist and reference material to support you in your compliance programme.


  • The organisation has briefed senior leadership and the governing body on the changes, implications and compliance obligations. The organisation has undertaken a risk assessment of its processing activities to comply with the obligations of the GDPR. Mitigating actions have been documented and these are proportionate to the resources of the school.
  • The organisation has created a working group with representation from all governance, functional and management areas.
  • The organisation is identifying the level of training that is required for all members of staff, as well as individuals with responsibilities in various governance, functional and management areas. This includes training on the GDPR regulation as well as on the risks to the security of processing, such as cyber security.
  • The organisation has put in place a project management structure to evidence and manage the completion of compliance requirements. The GDPR mandates good governance, therefore it is critical organisations document the path to compliance and the reasoning behind all decisions and actions.
  • The organisation is setting aside and providing the resources to determine the impact of the obligations, including highlighting areas of highest risk and enacting mitigating activities.
Worth noting:
  • 9ine’s GDPR Readiness Toolkit, free of charge for education organisations, provides a framework you can use to guide your school through the compliance programme.
  • Our one day GDPR Readiness Training will take you, your board, your management team and your senior leaders through the obligations of the GDPR and the start of the data mapping process.



  • The organisation is demonstrating compliance with Article 5 (2), in addition to putting in place comprehensive but proportionate governance measures to manage the compliance pathway (such as use of 9ine’s GDPR Readiness Toolkit).
  • The organisation is implementing appropriate technical and organisational measures that ensure and demonstrate that the school complies with Article 24 by keeping a record of all compliance activities.
  • The organisation is completing risk assessments to evidence the steps taken to minimise the risk of breaches and to uphold the protection of personal data.
Worth noting:
  • 9ine’s Toolkit sets out how you should undertake data mapping, it also provides a framework for the assessment of analogue processing activities (paper) and IT systems
  • Our GDPR Readiness and Compliance Review service supports you in understanding the extent of your compliance with the regulation and provides independent advice and guidance on what you should be doing.


Information the Organisation Holds (Data Mapping)

  • The organisation is documenting the data it has, where it came from and who it is shared with.
  • The organisation is assessing the information-flows between locations, systems, and entities.
Worth noting:
  • 9ine’s Education Data Processing Database makes the mapping and evaluation of processing activity quicker and more effective. Our GDPR Readiness Review and outsourced Data Protection Officer services provide you with the expertise for efficiencies, compliance and processes to manage individuals exercising their rights.


Data Protection by Design

  • The organisation needs to demonstrate technical and organisational measures to ensure it has embedded the obligations of data protection by design and default. There needs to be a comprehensive data protection impact assessment (DPIA) policy, process and procedure to identify processing activities of a high risk. All IT systems should be assessed against the NCSC 10-Steps to Cyber Security. All IT projects should following a recognised methodology with the right level of quality assurance and appropriate auditing, given the complexities of the project and the risk to data being processed by those systems.
Worth noting:
  • Article 32 - Security of Processing, places significant obligations on the management, security and development of IT systems and services
  • For companies and organisations that are responsible for critical digital infrastructure (ISPs, Hospitals, Energy), there are additional requirements as a consequence of the Network and Information Security Directive. This sets out the minimum technical and operational requirements for specific organisations for IT systems and cyber security. Non-compliance can lead to a fine of €20 Million or 4% of global turnover, whichever is higher.
  • We anticipate the minimum level for compliance under the GDPR being the 10-steps to Cyber Security and Cyber Essentials. We also anticipate that any breach pertaining to an IT system will require the organisation to demonstrate to the Supervisory Authority documentation detailing the approach to design and management of that IT system.
  • From providing your IT team with training on IT Project and Risk Management, through to managing your IT Projects, our team of expert consultants can help support you whatever the size of your projects.
  • 9ine’s Technical Assessment v. NCSC 10-Steps to Cyber Security provides you with the foundation from which to evidence compliance with Article 32.
  • Our cyber security team regularly test networks and systems for threats and vulnerabilities. It is possible to access your network from the web, or from your Wifi. Our cyber security services can help mitigate those risks.


Data Protection Officers

  • The organisation needs to designate a Data Protection Officer (DPO)
  • The organisation needs to identify the support, training and authority requirements of the DPO and ensure this is provided.
  • The organisation needs to support the DPO with ongoing governance, assurance and accreditation structures.
Worth noting:
  • The organisation needs to evidence how the DPO will provide objective advice and guidance in relation to compliance with the regulation. Where there is a question over objectivity, the organisation should document possible conflicts of interest, detailing mitigating actions to minimise those identifed. It is our suggestion that in each organisation there is a DPO lead, supported by a team with IT and HR skills. Together the team make up the role of the DPO, and given there is more than one person involved in assessing compliance, the decisions and recommendations are likely to be more objective than subjective. Many organisations are having 9ine provide assurance on the DPO role, enabling them to evidence objectivity through use of an independent party, whilst reducing conflicts of interest.
  • 9ine’s Data Protection services provide your organisation with assurance and support on undertaking the obligations of the DPO role under the GDPR.
  • We have developed policies, processes and procedures that your organisation can use to make the undertakings of the DPO role efficient and effective.
  • From ad hoc advice and guidance through to management of the completion of subject access requests, our DPO service can scale for the needs of all organisations.


Lawful Basis for Processing Personal Information

  • The organisation needs to explain the lawful basis for processing within its privacy notice.
  • The organisation needs to explain how data is shared and with who.
  • The organisation needs to understand where data is held and how it will be restricted or deleted  should the data subject invoke that right. 
Worth noting:
  • The are six different types of ‘lawful bases for processing’. State schools will want to rely, where possible, on ‘legal obligation’ to which the controller is subject. Independent and International schools will want to rely, where possible, on ‘necessary for the performance of a contract’ or ‘legitimate interests’. Importantly, each processing activity needs to have a corresponding lawful basis. In some cases (photographs for publication) this may mean having to gain consent from the individual.
  • Only by mapping all the data processing activities can an organisation determine who data is shared with and where it goes. Furthermore, without completing the data mapping process the school cannot realistically create a fair and transparent privacy notice.
  • For each organisation you share data with there needs to be a Data Controller to Processor agreement or similar contract. This includes data being shared between schools. Your organisation may be asked by another organisation to sign this agreement to share data. The terms within these contracts require you to expressly detail that you are compliant with the GDPR. Furthermore, if you are the processor, the controller has the right to audit your level of compliance.
  • Our teams are helping schools to complete and assure the data mapping process and consequential Data Protection Impact Assessments (for high risk processing activities) and Controller to Processor agreements. Once completed, we are also advising and in some cases writing, updated Tier 1, Tier 2 and Tier 2 Privacy Notices.



  • The organisation needs to review all the processing activities internally and with third parties to determine if consent is required. Whilst it can be argued consent isn't necessary to deliver a legal obligation (Article 6 1C - processing is necessary for compliance with a legal obligation to which the controller is subject), the organisation will still need to inform the data subject of the types of processing that is to occur.
  • Some aspects of current processing may not fall within the classification of consent through a legal obligation (education purposes). These need to be identified and separate consent should be sought if necessary.
  • Should consent be withdrawn, you will need appropriate policies, processes and procedures in place to manage the restrictive processing of data.


Worth noting:

  • For non-state funded organisations (Independent, International, for-profit schools, colleges and universities), consent is required for processing special category (health-related) data. You should be considering how this will be achieved through the admissions or enrolment process.
  • The ePrivacy Directive will also have an influence on ‘consent’ for marketing  activities such as Alumni and Development
  • We have a range of tools to help organisations in understanding whether consent is required, and in the case that it is, where to capture and record it.



  • Schools needs to use age appropriate language when articulating privacy information to children.
  • Schools needs to understand and communicate the privacy information of third party data processors to their students.
Worth noting:
  • The UK Supervisory Authority has published a consultation paper ‘Children and the GDPR’. This document explains how organisations should be consulting with children in relation to their rights.
  • The document also explains the risks posed by Information Society Services (ISS) and the impact these can have on children's behaviour. Specifically it outlines how ISSs such as Apps, Games, browser based Apps may be profiling behaviour of children, then based on the use of the ISS, seek to influence that child that may lead to detriment of their wellbeing. Given this, education organisations need to have assessed whether any ISSs provided by their school (Tablet Apps, games based learning) is profiling and whether the freedom of children to learn, develop and explore overrides any detrimental impact arising from the profiling. A must read for any educator or parent.


Communicating privacy information

  • The organisation needs to update privacy statements, such as those on the website, for staff contracts and for students. The GDPR mandates these should be concise, transparent, intelligible and easily accessible.


Worth noting:
  • In most cases we are suggesting a tiered approach to privacy notices:
    • Tier 1 - Is provided at the point of data collection.
    • Tier 2 - Is accessed from a hyperlink associated with Tier 1. It explains the rights of the individual, contact details of the DPO and contact information for the supervisory authority. Tier 3 - Is accessed from a hyperlink from Tier 2. It provides a complete overview of the organisation’s processing activity.
  • In each case, the privacy notice needs to be understandable.
  • We have developed a range of examples for use in each tier and these are available for those organisations working with 9ine on the GDPR.


Individuals’ rights

  • The GDPR includes for the following rights: the right to be informed; the right to access; the right to rectification; the right to erasure; the right to restricted processing; the right to data portability; the right to object; the right to automated decision making and profiling. The organisation needs to evidence how each of these rights can be exercised.


Worth noting:

  • Each organisation will need a policy, process and procedure to manage the requests from individuals when exercising their rights.
  • With most of the rights, organisations need to know where personal data is stored, who has access to it and who it is shared with. This means that to evidence compliance, organisations need to have completed a data mapping process to support individuals invoking their rights.
  • Our data protection service provides you with the expertise, advice and guidance to support you when an individual exercises their rights. For more information, contact us at the end of the article.


Subject access

  • You need to implement and embed a subject access request (SAR) policy, process and procedure.


Worth noting:
  • When a SAR is submitted there is only a 30 day window in which to gather all the data, review, redact and issue.
  • It is unlikely that school holidays will be accepted as a legitimate reason should your school not be able to respond within 30 days during the summer or other breaks.
  • Our data protection service provides you with expert advice on responding to and redacting information for subject access requests. For more information, contact us at the end of the article.


Data breaches

  • Your organisation needs to review all policies, processes and procedures to ensure personal data breaches are detected, reported and investigated effectively.
  • Should a breach occur, the you need a mechanism to assess the need to report the breach and if so, report within 72 hours.
  • Have a documented incident management plan so in the event of a breach, the breach can be managed.


Worth noting:
  • When a data breach occurs, you will need to identify the cause and impact as soon as possible.
  • A data breach could be caused as a result of IT systems failure (Article 32 - Security of Processing), a cyber security breach or the loss of documents / portable media (USBs).
  • Our Data Protection, Cyber Security and Technical IT Consultants can support your organisation when a breach occurs. When a national breach occurs (E.g Wannacry, Petya) priority support will be offered to our clients on an annual service plan. More information on our data protection, cyber security, child protection / safeguarding and technical IT service plans can be requested at the bottom of this page.


If you haven’t already, download our GDPR Readiness Toolkit

GDPR Readiness Toolkit: Download from you will then have access to the PDF version. A member of the 9ine team will contact you, sending you an NDA. On completion of the NDA the full toolkit will be available. The latest version includes example processing activities within the data mapping section and a template for you to complete a Data Systems audit of your IT systems


Upcoming Webinars: 

Webinars on the following topics will be available to join in the coming weeks. Keep an eye out for registration notifications:

  • An introduction to the GDPR in schools
  • Data Mapping Masterclass
  • Cybersecurity - Introduction to penetration testing
  • Risk Management and the GDPR
  • Technical Assessment of your IT Systems v. 10-Steps to Cybersecurity
  • Writing your privacy notice
  • Children and the GDPR
  • Safeguarding / Child Protection in action (Keeping Children Safe in Education 2016)


Want to know more? Please get in touch >>



Useful Resources

Article 29 WP Guidance on DPIAs

Article 29 WP Guidance on DPOs

10-Steps to Cybersecurity

Children and the GDPR Consultation

The Network and Information Security Directive

*The original check-list has been taken and edited from the ICO Website:


© Nine (9ine) Consulting Ltd. All rights reserved 2018. This article must not be quoted from, referred to, used by or distributed to any other party without the prior consent of Nine (9ine) Consulting Ltd who accept no liability of whatsoever nature for any use by any other party. In using or referring to this document, Nine (9ine) Consulting Ltd shall not be liable, whether in tort (including for negligence or breach of statutory duty), contract, misrepresentation or otherwise for: loss of profits; or loss of business or; depletion of goodwill or similar losses; or loss of anticipated savings; or loss of goods; or loss of contract; or loss of use; or loss or corruption of data or information; or any special, indirect, consequential or pure economic loss, costs, damages, charges or expenses.")