The General Data Protection Regulation (GDPR)

Data Protection law changed in May 2018, to organisations which collect and hold your data.

The General Data Protection Regulation (GDPR) is a piece of EU-wide legislation which will determine how people’s personal data (information that can identify a living individual) is processed and kept safe, and the legal rights individuals have in relation to their own data. Although the UK is no longer a part of the EU, the principles remain.

Main principles

The GDPR sets out the key principles that all personal data must be processed in line with.

Data must be:

  • processed lawfully, fairly and transparently;
  • collected for specific, explicit and legitimate purposes;
  • limited to what is necessary for the purposes for which it is processed;
  • accurate and kept up to date;
  • held securely;
  • only retained for as long as is necessary for the reasons it was collected.

There are also stronger rights for individuals regarding their own data.

The individual’s rights include:

  • to be informed about how their data is used;
  • to their data;
  • to rectify incorrect information;
  • to have their data erased;
  • to restrict how their data is used;
  • to another;
  • to their data being used at all

New requirements

The GDPR is similar to the Data Protection Act (DPA) 1998 (which schools already comply with), but strengthens many of the DPA’s principles. Schools already have strict data protection policies, and data is kept secure and used appropriately. Much will stay the same, but the GDPR will bring even better security and greater transparency. The main changes are:

  • Schools must appoint a Data Protection Officer, who will advise on compliance with the GDPR and other relevant data protection law.
  • Privacy notices must be in clear and plain language and include some extra information – the school’s ‘legal basis’ for processing, the individual’s rights in relation to their own data.
  • Schools will only have a month to comply with subject access requests, and in most cases can’t charge.
  • Where the school needs an individual’s consent to process data, this consent must be freely given, specific, informed and unambiguous.
  • There are new, special protections for children’s data.
  • The Information Commissioner’s Office must be notified within 72 hours of a data breach.
  • Organisations will have to demonstrate how they comply with the new law.
  • Schools will need tor pupils.

Data Protection Officer
The Data Protection Officer is responsible for overseeing data protection within the school, so if you have any questions in this regard, please contact them using the details below:
Data Protection Officer: Judicium Consulting Limited
Address: 72 Cannon Street, London, EC4N 6AE
Telephone: 0203 326 9174
Lead Contact: Craig Stilwell

Step by Step School Privacy Notice