22 May 2018 | by Sheryl Cardwell

So, are you and your staff ready? Is the world going to end if you are not?


It’s no surprise that GDPR is the hottest topic of the month and to assist schools in ensuring they are confident and compliant in handling personal data, the DfE have issued a tool kit for schools.


Within schools the data cycle is very simple and the regulation impacts on this cycle









The DfE suggest there is a nine-step approach to ensure compliance:

  • Raising awareness
  • Creating a high-level data map
  • Creating a data asset register
  • Creating a data processing register
  • Retention of document schedule
  • Reassurance and risk
  • Appoint a DPO
  • Communicate with data subjects
  • Operationalise data protection and keep it living


We often hear the phrase “winning hearts and minds” in relation to change management and getting people on board. This was the approach we undertook when introducing the regulation to staff.


Step 1

Our organisation created a GDPR working party. We recognised that the task was not simply that of the appointed data protection officer, however it was everyone’s responsibility so the work load was shared.  


Step 2

The creation of a working action plan with tight deadlines was implemented to ensure the organisation was well on the way to being compliant.



Step 3

Share the knowledge. Within our organisation we issued a weekly one-page fact sheet to all staff to enhance their understanding of the new regulation and how it impacts on them personally and professionally.  The sheets included a small amount of information relating to the regulation and then actions and recommendations relating to the school.  Although a simplistic approach, it allowed a change in mindset to occur with a real understanding of what the new regulations means for all involved.






Step 4

Drop in sessions. To continue to ensure that GDPR was at the forefront of our thinking in relation to processing data, we also held drop in sessions, twice a week after school, where staff could come and ask questions.  Staff were asking the right questions and also taking responsibility on how they and their tasks fit into the organisation being compliant


Step 5

Inset Training. The last step in ensuring staff were up to date was to hold a training session, which included all staff.  Again, this forum allowed some great debates to be had, with staff taking a real interest in the topic.


Next Steps


For our organisation the final step is to document all the processing steps that we take as an organisation when handling data.  Again, this will be a shared approach with all members of staff providing valuable input.


I suspect that in the coming months the ICO will be inundated with minor security breaches and I suspect that more guidance will follow, however this is only my personal opinion.


Happy GDPRing everyone!


By Sheryl Cardwell - May 2018