Obligations for Schools


Articles 24-32 of the GDPR

Data Protection policies and training

You will need effective Data Protection policies, procedures and regular employee training.

Written contracts with suppliers

Schools are required to assess the suitability of all suppliers and contractors who process personal data on their behalf (i.e. data processors) and have written contracts in place, stipulating the clauses set out in Article 28.

Record of processing activities

Schools need to identify and record what categories of personal data they are processing; why; how long it is kept for; who it is shared with; and a brief description of the security measures they have in place to keep it safe. This document must be provided to the Information Commissioner's Office or the public upon request.

Technical and organisational measures

Proportionate and adequate technical security measures, policies and procedures must be implemented to ensure data protection compliance is built into everyday practices.

Data protection impact assessments

Data protection impact assessments must be carried out prior to any processing of personal data that could result in high risks to the rights and freedoms of data subjects.