Office‎ > ‎


The GDPR is a piece of EU wide legislation which will determine how people's personal data is processed and kept safe, and the legal rights individuals have in relation to their own data. The regulation has applied to all schools from 25th May 2018 and will apply even after the UK leaves the EU.

There are also stronger rights for individuals regarding their own data.
- The individual's rights include: to be informed about how their data is used, to have access to their data, to rectify incorrect information, to have their data erased, to restrict how their data is used, to move their data from one organisation to another, and to object to their data being used at all

The GDPR is similar to the DPA (which schools should already comply with) but serves to strengthen many of the principles.
The main changes are: 
- DPO (Data Protection Officer appointed) who will advise on compliance with the GDPR and other relevant data protection law. Our DPO is Tracey Riches, Clear 7 Consultancy.
- Privacy notices must be in clear and plain language and include some extra information - the school's 'legal basis' for processing and the individual's rights in relation to their own data
- Schools will now have a month to comply with subject access requests (SARs) and in most cases can't charge
- Where the school needs an individual's consent to process data, this consent must be freely given, specific, informed and unambiguous
- The Information Commissioner's Officer (ICO) must be notified within 72 hours of a data breach
- Schools will have to demonstrate how they comply with the new law
- Schools will need to carry out a DPIA (Data Protection Impact Assessment) when considering using data in new ways or implementing new technologies
- There will be higher fines for data breaches - up to 20 million euros or 4% of annual turnover

Our Data Protection Officer (DPO) is Tracey Riches, Clear 7 Consultancy. Email: