The 12 steps to being GDPR ready


Co-founded by Sir Bob Geldof, Groupcall has become one of the education sector market leaders in communication and data extraction tools since launching in 2002. Our product portfolio comprises of Messenger, Emerge, Alert and Xporter. 

Website: Email This email address is being protected from spambots. You need JavaScript enabled to view it.
Image courtesy of supplier. Image courtesy of supplier.

With the deadline to be compliant with the new General Data Protection Legislation (GDPR) just around the corner, schools are scrambling to get prepared. Whilst the GDPR does represent a change from the Data Protection Act, achieving compliance may be simpler than you realise. Groupcall, in association with GDPRiS, has put together a short guide for schools to follow – it’s divided into 12 manageable steps to walk you through the list of tasks needing to be addressed.

1. Awareness – All decision makers need to be aware that the compliance deadline for GDPR is 25th May 2018. By reading this, you are now already aware. Congratulations!

2. Information – All personal data must be correctly stored. This includes data for all students, staff, parents, governors and anyone else associated with the school. This may mean organising an information audit to ensure that everything is accounted for.

3. Privacy notices – Thoroughly check your current privacy policies and make any of the required changes in advance of the deadline.

4. Individuals’ rights – Check all of your procedures regarding the rights of individuals, and don’t forget your policy on deleting personal data. If you aren’t already doing so, you need to prepare yourself to provide data in an electronic format.

5. Subject Access Requirements – Or SARs, for short. These will need to be handled within one month, as per the new regulations. Make sure your procedures are updated to allow for this change.

6. Legal basis – Much of the data your school will be processing is likely to will come under ‘public interest’, which means you don’t need to provide a legal basis to process it. Identify all of that which isn’t covered by this basis and document it. This data must be necessary for the school to function.

7. Consent – For the data that isn’t part of the ‘public interest’, consent is required. Review your processes for obtaining consent, ensuring that it is in line with the GDPR.

8. Children – Parental consent up to 13 years of age, thereafter the pupil’s own consent. How are you going to manage this?

9. Data breaches – In the event of a data breach, it is essential that the correct procedures are in place. All staff must adhere to these if penalties are to be avoided.

10. Privacy Impact Assessments (PIA) – Understand the ICO’s guidance on PIA. When new processes are taken on by the school, using PIA can help you assess the potential risk and impact.

11. Data Protection Officer (DPO) – All schools must have a designated DPO to take oversee and, ultimately, help ensure GDPR compliance.

12. International – If you operate internationally, you need to determine which data protection supervisory authority applies to you. You also need to find out where data is held by your suppliers.

GDPRiS is a web based platform designed for schools, that helps manage GDPR compliance. Store documentation, manage suppliers, report breaches, all in one place. To view more detail on the 12 steps, and to download a number of other free resources for schools relating to GDPR compliance, visit the resources section on

Want to receive cutting-edge insights from leading educators each week? Sign up to our Community Update and be part of the action!

Read More

Sign up to our newsletter

Get the best of Innovate My School, straight to your inbox.

What are you interested in?

By signing up you agree to our Terms & Conditions and Privacy Policy.

1,300+ guest writers.
ideas & stories. 
Share yours.

Read our editorial calendar 

In order to make our website better for you, we use cookies!

Some firefox users may experience missing content, to fix this, click the shield in the top left and "disable tracking protection"