Preparing your organisation for the GDPR

The GDPR covers any personal data that is stored and processed using computers, as well as personal data held on paper in a manual filing system (one structured so that information about an individual is accessible according to specific criteria), whether it sits on a standalone computer, a network server, in the cloud or in handwritten notes. In an educational setting, for example, that means all personal data held on students, parents, staff and governors.

As the General Data Protection Regulation enforcement date of 25th May 2018 approaches, your organisation should be promoting a strong culture of protecting data.

However, do you know where to start?

Below, we detail the three key steps to take to get ahead before 25th May.

1. Produce a data map

Taking a school as an example, the setting needs to identify every category of personal data it holds about students and staff, the purpose for which each is held and how it is being processed. Doing this makes the organisation familiar with the personal data ecosystem within the school.

This information can then be used to run an audit. To help with this, the ICO provides an audit tool that RAG rates* your current practice and gives a clear indication of your strengths and your areas for improvement. The result can be printed off, and you can repeat the audit as often as you like to measure progress; this provides a useful framework for planning as well as good evidence of the action taken.

*RAG rating:

Red: not implemented or planned

Amber: partially implemented or planned

Green: successfully implemented

2. Promote good practice

Your organisation should already be promoting a strong culture of protecting data. In preparing for the GDPR you should:

  • appoint a data protection officer
  • train staff
  • carry out an information audit
  • update and review policies and procedures
  • tell people why the data is being collected.

3. Ask questions

In addition to a clear description of the data, the following questions should be put to the people responsible for collecting personal data.

  • What information is being collected?
  • Who is collecting it?
  • How is it collected?
  • Why is it being collected?
  • How will it be used?
  • Who will it be shared with?
  • How long will you keep it for?
  • How will it be kept secure?
  • What process is it needed for? (e.g. admissions, recruitment)
  • How is security maintained?
  • Who has access to the information?
  • Who manages the data?
  • Who are the data subjects?
  • What is the source of the data?
  • What software is used? (if any)
  • Where does the data go inside the organisation?
  • How is the data stored?
  • Does the data leave the organisation?
  • Does the data flow across national borders, to countries not covered by the GDPR?

GDPR training course

These steps are taken from our latest GDPR training course: ‘A Practical Guide to the GDPR for Education’. The course gives real-world scenarios and sample solutions to help schools and settings prepare for 25th May 2018 and is available to buy individually online or as an addition to EduCare for Education®, our complete safeguarding and duty of care e-learning service.

Related content:

A Practical Guide to the GDPR for Education

This course offers practical advice for staff working within an education setting who deal with personal data. The GDPR applies both to automated personal data and to manual filing systems where personal data is accessible according to specific criteria.

A Practical Guide to the GDPR for Education

This course outlines key elements of the General Data Protection Regulation (GDPR) in an education setting and will help you to understand:

  • what personal data is
  • how personal data is used
  • why there is a need for a change in data protection
  • the new GDPR
  • new legal requirements
  • Privacy Impact Assessments
  • new rights for ‘data subjects’

Additional information

Video: What is the General Data Protection Regulation?

The GDPR will apply in the UK from 25 May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR. Watch this video to find out more.