GDPR within education

How Will GDPR Affect the Education Sector?

  • Child Consent

  • Ability to Prove Compliance

  • Increased Accountability

  • Subject Access Request

  • Risk Management


Proof of Consent for Data and Child Consent

A significant amount of the processing of personal data conducted within the education sector will fall under the legal basis ‘in the public interest’. This means that it will not be necessary for organisations to gain specific consent. However, consent must be explicitly given by students or their parents (depending on their age) for anything that doesn’t fall under the ‘in the public interest’ category.

Only children above the age of 13 are lawfully able to give their own consent. Children under this age are deemed too young to be able to understand the risks involved with the processing of their data.

Consent must be given for the processing or flow of personal data to third parties. Therefore, in order to become GDPR compliant, schools must be aware of where various pieces of data are going and why.

Ability to Prove Compliance

Organisations within the education sector are typically in a better position to comply with GDPR than many other private companies. This is due to the fact that they usually have an existing data protection policy in place which is adequately robust.

However, under the GDPR, compliance alone is not enough. Organisations will, therefore, have to prove that they are compliant by undertaking a number of accountability measures.

Accountability measures include Privacy Impact Assessments, Data Protection Audits and pseudonymisation.

Increased Accountability of Personal Data

Education providers already have a higher-than-average level of responsibility for the data that they store since it often falls into ‘special categories of data’. Special categories include religion or ethnicity.

However, under the GDPR higher penalties will be in place for non-compliance. Therefore, the importance of remaining accountable is increased. The education sector is one that is likely to hold the largest amount of personal data. Consequently, in order to become GDPR compliant, schools should identify and review all the data they hold against these questions:

  • Why are we holding it?

  • How did we obtain it?

  • How long will we retain it?



During this process, the amount of data stored should be kept to only what’s necessary. Following the implementation of the GDPR, the storage and processing of excessive data can mean non-compliance.

It is essential that there is a process in place for keeping all data secure. Additionally, all companies should have an actionable response in place in the event of a data breach.

It is also necessary to ensure that all members of staff have an understanding of these policies, not just those with the most responsibility.

Subject Access Requests

Schools have always had an obligation to give their pupils and their parents the right to access their personal data. However, under the GDPR, individuals have an additional right to be forgotten.

It is important that schools ensure they have an effective system in place to respond to subject access requests. They must also respect the right to be forgotten.


Risk Management

Within the education sector, there are a wide variety of platforms on which data is stored. Therefore, schools must ensure that they cover all areas to ensure compliance.

This can include data stored in curriculum tools, payment systems, core management systems, virtual learning environments and safeguarding systems. Under the GDPR, attention is also paid to the storage of biometric data. Consequently, it is important that schools don’t forget to review any information they may have on identity management systems.

Some areas of risk that may be overlooked include software that is not on the SLT's radar, such as subject-specific data, or data which is held within apps used by teachers during lessons. Due to the recent development of a variety of apps for education, many teachers make use of them without the school being informed. As a result of the implementation of the GDPR in May, schools must ensure that any apps being used are compliant.


We wish to emphasise that Arden Group is a Managed Service Provider and not a legal firm. That means that the views brought forward in this page are not necessarily shared by lawyers or courts.

Arden Group, therefore, does not guarantee that all information is factual and interpreted correctly. If you wish to ensure your advice or your company is legally covered by GDPR, consider seeking legal or specialised advice.
