GDPR checklist for schools and multi-academy trusts

Read our essential GDPR checklist for schools to ensure you are GDPR compliant and avoid fines.

Read our 7-step checklist covering key areas to help your school or trust achieve GDPR compliance.

1. Appoint a data protection officer (DPO)

You must appoint a DPO if you are a public authority. Some schools share a DPO via their multi-academy trust or in a federation with other schools. Whether or not it has its own DPO, each school must have sufficient staff and skills to discharge its obligations under the GDPR.

2. Update your school’s or trust’s privacy notice

The privacy notice sets out how a school gathers, uses, discloses, and manages a child’s, parent’s or guardian’s data. It fulfils a legal requirement to protect privacy. The GDPR sets out the information you should supply and when individuals should be informed. You can find privacy notice model documents for schools on

3. Process personal data securely

The regulations require that all the personal data you hold in your school is processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and accidental loss, destruction or damage. More guidance is available on the ICO website.

4. Understand what to do if there is a data breach

A personal data breach is where a lapse in security leads to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. If there is a personal data breach, you must report it to the Information Commissioner’s Office within 72 hours of becoming aware of the breach. If there is a high risk to an individual, you should also inform the individual right away.

Make sure that you have a process in place to detect, investigate and report breaches, and keep records of any violations that do occur. You can find more information on personal data breaches on the ICO website.

5. Know how to deal with a Subject Access Request (SAR)

People can now ask for access to personal data about them that your school holds. This can be a verbal or written request to any person within your school, and you must respond within one month. Previously you could charge for this service; in most circumstances you can no longer do so.

In summary, people can expect to receive the following:

  • confirmation that you are processing their data
  • a copy of their personal data
  • other related information as outlined in your privacy notice

You can read more about rights of access on the ICO website.

6. Get signed contracts with relevant third-party suppliers

Third parties who manage data can include web uniform providers, school photographers and even website providers! Whenever you use third parties who handle data, you must have a written contract (also known as a data processor agreement) that outlines the responsibilities of both parties when handling personal data.

You can find out more about contracts on the ICO website.

7. Publish a statement of compliance

Schools need to publish a statement of compliance outlining what they are doing to achieve GDPR compliance. This should be clear and visible on your website.

For more information, please refer to the ICO website.