General Data Protection Regulation (GDPR)

What is the General Data Protection Regulation?

The General Data Protection Regulation (GDPR) is a new set of EU guidelines governing how organisations handle personal data. The new regulations have replaced the current Data Protection Act (DPA) and will be legally enforced from 25th May 2018. Schools handle large amounts of personal data, such as information on pupils and information on staff, governors, volunteers and job applicants. Schools also handle what the GDPR refers to as special category data, which is subject to tighter controls. This could be details on race, ethnic origin, biometric data or trade union membership.


Data is already governed by existing DPA regulations, which ensure personal data is handled lawfully. The new GDPR goes further and requires organisations to document how and why they process all personal data, and gives enhanced rights to the individual.


What are the key changes?

  • Demonstrate compliance: Schools need to document every system used to process personal data. They also need to map how this data is transferred to other systems or any third parties.
  • Appoint a Data Protection Officer: Schools must appoint a Data Protection Officer (DPO) to ensure that their school is fully compliant to the new regulations.
  • Processor agreements: Schools must evaluate all third-party contracts and ensure evidence of their GDPR compliance.
  • Reporting a data breach: If personal data has been put at risk, schools may be required to inform the Information Commissioners Office (ICO), and in some cases, the individual at risk.
  • Staff training: All school staff have to undertake GDPR training to ensure a culture of data compliance.


Compliance at Garton on the Wolds CE Primary School

To ensure compliance with the new GDPR, Garton on the Wolds Primary School:

  • maintains an information asset register as instructed by the local authority;
  • has named a Data Protection Officer (DPO);
  • has reviewed relationships with its third parties who handle personal data and obtained GDPR-compliant agreements from them;
  • has updated its Data Protection policy to be GDPR-compliant and in-line with local authority guidance;
  • has written new Data Protection Privacy Notices for Pupils, Children in Need and Looked After, and the School Workforce;
  • has had all its staff complete the local authority’s new Data Protection eLearning Course;
  • continues to buy in to the local authority’s Data Protection Service Level Agreement, which provides support, guidance and expertise in this area of the law;
  • will participate in any local authority checking of GDPR compliance;
  • has bought into Capita’s General Data Protection in Schools programme, as recommended by the local authority.


Our new Data Protection policy and Privacy Notices are available on this website under ‘Data Protection’ under ‘Information’. Our Privacy Notices list the kind of information we collect, why we collect the information and the lawful basis upon which we collect, process and share it, who we share the information with, and further guidance regarding access requests.


Useful links:


European Union GDPR


Information Commissioner's Officer



Useful posters:

File icon: pdf GDPR Schools Poster [pdf 657KB] Click to download
File icon: pdf GDPR vs DPA Poster [pdf 167KB] Click to download

Information Commissioner's Office Guide to the GDPR:

File icon: pdf ICO Guide to the GDPR [pdf 1MB] Click to download