GDPR for Schools – Advice & Resources

GDPR for Schools

Are you well on the way to GDPR compliance, or waiting for further guidance on how best to proceed? Have you factored your school website into the scope of your General Data Protection Regulation (GDPR) compliance plan? More generally, are you compliant with the requirements around GDPR for schools?

We are hard at work on our own GDPR compliance - both as a data controller, and a data processor. But why does that matter to you?

The main focus of the GDPR is to improve the rights of data subjects and protect their privacy. The GDPR is designed to improve and enhance the existing Data Protection Act (DPA). And to bring parity across the different EU countries. (Current data protection implementation is very different across EU member states. Despite the origin from a single EU data protection directive.)

Compared to the DPA the GDPR shifts the onus to demonstrate compliance to data controllers. Under the DPA the burden was placed on the data subject to demonstrate a lack of compliance. Demonstrating compliance will involve lots of documentation, including a good understanding of all the personal data held by your organisation. There's also a requirement for controllers to only use processors who meet the requirements of the GDPR. However it's worth noting that the GDPR is not prescriptive in it's regulation. It's very much down to each organisation to make reasonable and appropriate decisions and evidence the basis for the data protection decisions they take.

School Website Provider as a Data Processor - GDPR for Schools Compliance

What personal data does your school website process? It might not be very much data, maybe just contact details of visitors who complete your contact form. Websites include a variety of different forms; bookings, contact, job vacancy applications or student admissions to name a few. Your data mapping should include all these different data processing activities.

As a result your school website provider is very likely to be acting as a data processor for your school. (Depending on the ongoing service and support you receive, your processor might not be the company who designed your website. For example if they just provide you with a website design, and you have to look after website hosting. Then the role of data processor will probably pass onto your hosting company. Investigate this if you are unsure.)

Take Action:

  • Seek assurance to be confident that your provider is GDPR compliant, otherwise your school won't be.
  • Publish details of your data processors in your privacy notice.
  • Make sure your updated privacy notice is available on your website too.

Using Your School Website as a Data Controller - GDPR for Schools Compliance

Consider all of the personal data stored on your school website to secure your school GDPR compliance. You can undertake a data mapping exercise to determine all the personal data you collect. This will help determine where that personal data is stored and processed, your purposes for processing and the legal basis you will be processing it under. Details of anyone your data will be shared with should also be included. A collated record of all the data you process (a data map) will be very helpful as you evidence and document the steps taken to achieve compliance with the GDPR.


Don't forget to include your photographs within your data mapping, and the principles within the GDPR that they need to meet. For example your data retention policy for photographs.
It might be a good idea to include specific cases for photographic use within your data retention policy if the retention period is going to be different.

For example the standard retention policy for your photographs might be 5 years. But a longer retention period for photographs used for a specific purpose may be appropriate. Let's think about photographs used in promotional materials and website news articles.

Promotional Materials
Promotional materials might be created less regularly than the retention policy typically lasts for. Rather than force a re-design for the materials, and a re-print. An extended retention period might be appropriate. For example if you have branded folders,  prospectus cover folders or other long term printed branding materials that feature students in photographs an alternative retention period might be useful.

Website News Articles
News articles on your school website are likely to be one of the most frequently created content pieces on your website. Photos used in news articles can help give context and enhance the written content they are alongside. But with news articles going back for 6+ years still having the photos in place is a nice resource, for alumni as well as other visitors interested in the historical goings on of your school. An extended retention period for photographs used in this way will make your website a much more interesting resource, and a potential source of nostalgic looking back for your alumni.

You will need to justify this in line with the principles of GDPR though. Also don't forget about the decisions outlined in your retention policy. Put steps in place to delete photographs after their retention period has elapsed.

Policies and Procedures

Your website will need to include some updated policies and procedures, some of them may even be new to your school website.

  • Your Privacy Notice
    The aim of the privacy notice is to increase transparency and reflect how you respect the rights of your data subjects. (See ICO guidance for more detail)
    In England the DfE provide a template privacy notice as a starting point for schools - but this will need to be tailored to cover your individual school's data collection and processing activities.
  • Your SAR
    A Subject Access Request. The process for this doesn't need to be online, but you must make it clear how a data subject can request the personal data you hold about them. Taking this request online might make the procedure easier for your organisation to process. (Rules have changed in GDPR for access requests. There's a shorter time frame, 1 month and should be provided at no cost, rather than a small fee.)

School Website Features in relation to GDPR for Schools

All Schudio clients have access to full control over their contact forms to ensure ongoing compliance with GDPR for schools. This critical feature makes it easy to meet the requirements around how you will be processing data.

You have control over your form privacy notice, form privacy text and your privacy policy page. It's important to ensure that all your technology partners are compliant with the GDPR. This is one example of how seriously you should expect all your partners to take the legislation.

GDPR privacy notice feature

GDPR for Schools Resources and Additional Reading

The ICO (the supervisory authority for the UK) will be responsible for enforcing the GDPR. They have previously been responsible for enforcing the previous data protection legislation. But enforcement is not all they are responsible for. They provide lots of really helpful resources and guides to help get ready for the GDPR.

  • The ICO Guide to the GDPR
    This helpful section on the ICO website includes a link to the 'GDPR: 12 steps to take now' document)
  • The ICO Education Hub
    An education specific section of the ICO website for education establishments.
  • The GDPR Regulations
    The full GDPR Regulation text. But laid out in a really nice and easy way with helpful links to relevant sections and recitals within the regulation.

We'd love to hear from you if you'd like any more information about preparing for GDPR or want to talk to us about your school website needs. If you're looking for additional resources or school website requirements advice look around the rest of our website. It's packed with useful information. You might also find it helpful to use our School Website Compliance Software - a tool to help you audit your website regularly.

Update August 2019:
The department for education have released some suggested privacy notice templates for use by schools, and local authorities. These documents could be a helpful basis for creating the privacy notice for your school.
Click here to view the gov.uk page with the resources linked

Don't forget to include any website processing within your privacy notice too!

Join Our Newsletter

Simply add your email and you'll get expert advice weekly, direct to your inbox.

Previous Post Old Entry

Share this article:


Next Post New Entry
WordPress Lightbox Plugin