BT Business Direct - PC Hardware, Components, Software, Digital Cameras, MP3 players
BT logo
Buy Products


You may think that GDPR doesn’t apply to education because data breaches and hacking in schools is considered less common. This isn't true. Schools tend to have filing cupboards full of sensitive student and staff data, exam records and CCTV footage plus much more personal data. Today, schools are packed with data stored in many different ways and it all needs protecting.

What you need to know

Schools and academies need to be aware of GDPR and what they need to do to make sure they’re compliant. On 25th May 2018 legislation on how you process, store, use and dispose of your data is changed drastically. The Data Protection Act changed to the General Data Protection Regulation and you and your learning environment MUST comply. It's your responsibility to ensure that data is kept and managed in compliance with this new regulation, or you could face serious consequences. GDPR increases the responsibility schools have to inform parents and learners about how their data is being used and by whom.

GDPR became a chargeable law May 25th 2018

There will be fines of up to €20 million or 4% of revenue1

If you don't comply, your Ofsted rating could be affected

You will need to appoint a Data Protection Officer

Why you need to comply

Failure to comply could lead to fines of up to 20 million euros or 4% of your global revenue2. More importantly, as well as fines, your Ofsted ratings could be seriously affected. Ofsted will now ensure that the right policies and procedures are in place to make your learning environment GDPR compliant as part of their inspection.

The GDPR will still apply after Brexit

You have 72 hours to report a data breach to the ICO

You must be able to prove compliance

The GDPR replaces the Data Protection Act

What you need to do next

Appoint a Data Protection Officer eye

You’ll need to appoint a Data Protection Officer who’ll be responsible for monitoring and enforcing GDPR policies and procedures. You can hire internally and combine the duties of a Data Protection Officer with another role. However, the person appointed must be completely impartial so those who work in IT, HR or Finance, as they have access to a lot of data, may not be the best choice.

Research what GDPR means for you eye

There’s lots of resource online that can keep you up to date with GDPR. The ICO has a variety of information regarding the GDPR and how it’ll affect the education sector.

Check your data and how you store it eye

In order to be in control of your data, you must know:

  • What data you hold
  • How long you’ve held it for
  • And how it’s stored

The data you hold should be secured and encrypted to make sure it doesn’t end up in the wrong hands. You may also find that you’re storing data you don’t need or that has expired (passed the date of how long you should keep it). In this case, you must find a way to dispose of it securely and we can help you with this.

More info

Choose the right technology eye

We can work with you to ensure that your network, the devices you’re using and your security infrastructure is as secure as it can be. We have a range of recommended secure devices that will make sure you have the best defences when it comes to hackers.

More info

Update your privacy notices eye

Under the GDPR you must be transparent with your students and those that you hold data of. You must make it clear what data you hold, how it is held and what it is being used for. You can do this really easily with a privacy notice. If you have them already, they may just need updating. There are some good and bad examples of privacy notices on the ICO website.

More info

Encrypt your data eye

Again, there are several ways you can encrypt your data. We can recommend the best ways to do so and this way you’re adding another defensive layer to your system.

More info

Plan for continuous compliance eye

You need to make sure that your school and staff are being compliant in everything they do, from handling data to using it or disposing of it. You need to make a robust plan of how you’re going to maintain compliance and not forget about new procedures.

Know the rights:

Under GDPR, the personal data you hold or process about a living person gives them the following rights:

  • The right to be informed –you must tell them what data is used, why and for what purpose
  • The right of access – parents, staff and students are allowed to see what data of theirs is processed
  • The right of rectification – if their data is wrong, you must correct it
  • The right to erasure – they can demand that you delete all their data
  • The right to data portability – they can decide to move their data to another processor, which you then must supply the data to securely
  • The right to object – they can object to your use of their data and you must stop using it
  • Rights in relation to automated decision-making or profiling – they can demand that automated decisions about them are reviewed by a human

Products we recommend to help with GDPR

Get the conversation started

Contact our Education IT Specialists for free, no obligation advice:

0870 429 3020

Or complete the form below and we'll call you back

Contact us today

Thank you, your form has been submitted successfully

Sorry, there is an issue with your form submission

Please see the below errors

Sorry, this form has failed to submit

View things you need to know

  1. Whichever amount is highest
  2. Source:
  3. Source: IDC, 2015.

Verified by visa Mastercard secure Waste of Electrical and Electronic Equipment (WEEE) Directive