GDPR within education

How Will GDPR Affect the Education Sector?

  • Child Consent

  • Ability to Prove Compliance

  • Increased Accountability

  • Subject Access Requests

  • Risk Management

Child Consent

Proof of Consent for Data and Child Consent

A significant amount of the processing of personal data conducted within the education sector will fall under a legal basis: ‘in the public interest’. This means that it will not be necessary for organisations to gain specific consent. However, consent must be explicitly given by students or their parents (depending on their age) for anything that doesn’t fall under the ‘in the public interest’ category. Only children above the age of 13 are lawfully able to give their own consent. Children under this age are deemed too young to be able to understand the risks involved with the collection and processing of their data.

Consent must be given for the processing or flow of personal data to third parties, so in order to become GDPR compliant, schools must be aware of where various pieces of data are going and why.

Ability to Prove Compliance

Organisations within the education sector are typically in a better position to comply with GDPR than many other private companies. This is because they usually have an existing data protection policy in place which is adequately robust. However, under the GDPR, compliance alone is not enough. Organisations will have to prove that they are compliant by undertaking a number of accountability measures.

Accountability measures include Privacy Impact Assessments, Data Protection Audits and pseudonymisation.

Increased Accountability of Personal Data

Education providers already have to be accountable for the data that they store, since it often falls into ‘special categories of data’ such as religion and ethnicity. However, under the GDPR higher penalties will be in place for non-compliance, meaning that the importance of being accountable is increased. The education sector is one that is likely to hold the largest amount of personal data, so in order to become GDPR compliant, schools should identify and review all the data they hold against these questions:

  • Why are we holding it?

  • How did we obtain it?

  • How long will we retain it?



During this process, the amount of data stored should be kept to only what’s necessary. Once GDPR is in effect, the storage and processing of excessive data can mean non-compliance, and this can lead to substantial fines.

It is essential that there is a process in place for keeping all data secure, and an actionable response in place in the event of a data breach. It is also necessary to ensure that all members of staff have an understanding of these policies, not just those with the most responsibility.

Subject Access Requests

Schools have always had an obligation to give their pupils and their parents the right to access their personal data. However, under the GDPR, individuals have an additional right to be forgotten. It is important that schools ensure they have an effective system in place to respond to subject access requests, and that they also respect the right to be forgotten.


Risk Management

Within the education sector, there is a wide variety of platforms on which data is stored. Therefore, schools must cover all areas to ensure compliance. This can include data stored in curriculum tools, payment systems, core management systems, virtual learning environments and safeguarding systems. Under the GDPR, attention is also paid to the storage of biometric data, so it is important that schools don’t forget to review any information they may have on identity management systems.

Some areas of risk that may be overlooked include software that is not on the SLT’s radar, such as subject-specific data, or data which is held within apps used by teachers during lessons. With the recent development of a variety of apps for education, many teachers make use of them without the school being informed. Once GDPR is in effect in May, the school must ensure that any apps being used are compliant, so that the school too remains compliant.

Do you need more information about how you can get ready for the GDPR? Arden Group has teamed up with Microsoft and Mimecast to bring you a complimentary GDPR Seminar in Birmingham.

Alternatively, contact a member of our team today to discuss your compliance plan.


We wish to emphasise that Arden Group is a Managed Service Provider and not a legal firm. That means that the views put forward on this page are not necessarily shared by lawyers or courts.

Arden Group, therefore, does not guarantee that all information is factual and interpreted correctly. If you wish to ensure your advice or your company is legally covered by GDPR, consider seeking legal or specialised advice.
