Data Protection for Education

The GDPR was enacted into UK Law as the Data Protection Act 2018.  As for many organisations it imposes legal obligations for education and the ways they must manage and process personal data.

The legislation gives the Information Commissioner’s Office (ICO) powers to impose significant financial penalties, Ofsted now includes data protection compliance within their inspection criteria and there is a greater chance of reputational damage from bad publicity in education.

This page explains what the new legislation means for schools and the main areas that need to be considered. It is based on the DPO Centre’s experience from working with over 130 schools and colleges.

Alternatively click one of the options below to speak to us


Email Call


Like other organisations, all schools must:

Be transparent in the way they process personal data and accountable for doing so
Appoint a designated data protection officer if they are a state school or a private school processing personal data on a large scale
Understand the data they have, where it is stored and who has access to it
Implement robust processes and procedures to protect personal data
Allow pupils, staff members, governors, parents, guardians and suppliers to:

  • have access to their personal data
  • ensure it is correct and modify it as necessary
  • have it deleted (unless needed for legitimate reasons)

Be able to detect, manage, report and respond to data breaches including, if necessary, liaising with the ICO


Outsourced Data Protection Officers

Flexible and individually tailored data protection support, delivered on-site or remotely on a ‘fractional’ basis by our large, highly experienced DPO team, as part of our continuous support framework. The DPO Centre has gained its extensive experience from delivering effective, value driven and award winning fractional, overflow and interim services to over 500 organisations globally.

Read more

EU & UK Representation Services

For organisations offering goods or services to EU/UK residents and are therefore required to appoint a local Representative under Article 27 of the GDPR. Our service provides access to our team of experienced data protection professionals who provide expertise and advice, liaise with supervisory authorities, assist with data subject rights and maintain your Records of Processing Activity (RoPA).

Read more


DSAR Response Service

Data Subject Access Requests (DSARs) can be complex and time-consuming to complete, especially those received from long-standing staff members. The DPO Centre provides an outsourced or overflow DSAR response service to commercial and public sector organisations that is delivered on a pay-as-you-go or retainer basis. We can take responsibility for the full response process, or only specific aspects, such as redaction.

Read more


Data Protection Consultancy

Our experienced team of data protection consultants deliver tailored advice and guidance and a wide range of services that help your organisation to better understand the data you process and your obligations under data protection law.
Consultancy services are also used for specific projects such as audits and reviews, data mapping and RoPA building, DPIAs and vendor risk management and transfer assessments.

Read more


Data Protection Training

We deliver data protection training and awareness courses for your various levels of staff; these courses are tailored to your organisation’s policies, procedures, and specific needs. This means that your staff will not only be trained in the requirements of data protection law, but they will also be trained on the specific requirements and expectations specified in your organisation’s policies and procedures. Therefore supporting your organisation in demonstrating compliance with data protection law.

Read more

Data Protection Advice Line

Our Advice Line is staffed by our large team of experienced Data Protection Officers (DPOs). The service is an integral element of our outsourced DPO and EU/UK Representation Services., We also offer our Advice Line as a standalone service to act as a helpline for organisations seeking access to subject matter experts and a wider pool of knowledge and expertise than is available from in-house resources

Read more


Schools must protect personal data in a wide range of areas. These include:


Educational Software

  • SIMS, ScholarPack, Arbor etc.
  • 2Simple, Tapestry early years systems


Communications and consent management

  • Photography and displaying pictures
  • Social media, posting images
  • Parent communications, satchel post, Teachers2Parents, ParentMail etc.



  • Privacy, retention and data
    protection policies
  • Staff handbooks



  • Network security
  • Email systems
  • Staff payroll, pension and other HR records
  • Paper records
  • Visitors’ book and access systems
  • Managing CCTV/Video


Managing Sensitive Information

  • Special educational needs
  • Medication and medical data
  • Safeguarding and family issues
  • DBS Checks


Teaching and getting the job done

  • Children’s workbooks
  • Wall displays and name badges
  • Pupil premium data
  • eports and taking data home
  • School printing facilities


Sharing data with others

  • School trips, peripatetic learning
  • Supply teachers
  • Feeder and transitional schools
  • References for employers and other institutions

Enquire Today

Fill in your details below and we’ll get back to you as soon as possible

Alternatively click one of the options below to speak to us


Email Call



Richard Green

Sheringham Woodfields School

“The DPO Centre has made what initially appeared to be a complex task straightforward, and we are very pleased with how thoroughly the entire process was conducted.”

Sheringham Woodfields small logo 2

Jules Bridges

West Suffolk College

“Ultimately, we feel ahead of the game and a leader in GDPR compared to our competitors in the sector. It’s a cultural change that will take time to embed, but already I’m seeing changes in attitudes towards safer and improved data security.”