GDPR... One year later

4 Jun 2019 | by Sheryl Cardwell

GDPR came into force on May 25th 2018 and despite all of our worries and fears, the world did not end!


So, one year later, how have our organisations changed? In my Trust, we now have GDPR as part of induction for new employees and volunteers, as it is important to continue to safeguard the data of our staff and pupils. Furthermore, we:

  • have encrypted all our school laptops
  • have forbidden the use of USB sticks
  • force password changes on a regular basis
  • have undertaken data cleansing
  • allow staff access to all their personnel data through a self-service portal, allowing staff access to update and retrieve their personal data

We approached the introduction, implementation and continued compliance of the regulation as a whole school, with each member of staff contributing to the Trust’s data process map and asset register.

Since the introduction of the regulations, we have continued to enhance our practice and are at the point where we will be undertaking our annual review utilising the Department for Education Data Protection: Annual Review Checklist.

This checklist has been produced in accordance with the guidance produced by the DfE in April 2018 and updated in August 2018, in the “GDPR Toolkit for Schools”, and is in accordance with the Data Protection rules and Freedom of Information Act (2000) legislation. The checklist covers a variety of areas for review including:

In addition to the updated information provided by the Department for Education, the Information Commissioner’s Office continue to update their guidance to support the sector with the enforcement of the regulation. 

The protection of data on electronic devices is fundamental to ensuring compliance with the General Data Protection Regulation. One way this can be achieved is through encryption. In many cases, encryption can provide an appropriate safeguard against the unauthorised or unlawful processing of personal data, especially in cases where it is not possible to implement alternative measures. Whilst encryption is recognised as an appropriate approach to protecting data, there are still occasions where data can be accessed without authorisation. For example, leaving an encrypted device unattended or unlocked allows the device to be accessed unlawfully. Therefore, we must continue to educate device users on the importance of locking machines when unattended or setting a PIN on an iPad.

In schools we must continue to keep GDPR at the forefront of our practice. Whether this be through regular updates for staff or audit checklists, it is imperative that we keep the data of our staff, pupils and parents safeguarded at all times.