Search Our Site

We have 3,779,104 registered online learners.
1,056 new learners so far today.

GDPR In Education: How Schools Can Prepare

schedule 23rd February 2018 by Jaison Cresswell in Education Last updated on 24th April 2018

Teacher sat on a table

The GDPR deadline might only be a couple of months away, but that doesn’t mean that there isn’t still time to ensure that you’re doing everything you can to meet the requirements it sets out - whatever industry you’re operating in. In this article, we’re going to take a look at the education sector in particular. What is GDPR for schools, and what can schools do to make sure that they stay on the right side of the law?

First, let’s briefly cover the top-level details of the General Data Protection Regulation. It’s actually almost two years since the regulation was agreed upon and adopted by the EU, but it becomes fully enforceable on 25th May 2018. The overall aim of it is to give EU citizens more control over their own data when it gets handed over to organisations.

There are a variety of elements to GDPR, but the main ones are fairly straightforward. Perhaps the one that brings the biggest change is that data can’t be processed without good legal grounds to do so. In most cases there are going to be two justifications for this. The first is that the data has to be collected and processed in order to carry out the service requested, and the second is that the organisation has received explicit consent. This will be a big issue for businesses that want to continue marketing to people after they’ve made a purchase, and buying contact lists is likely to become a thing of the past. For the education sector, it’s less likely that this part of GDPR will be important, but it’s certainly worth bearing in mind. Universities for instance won’t be able to continue emailing alumni for support unless they can prove they’ve been given consent to do so.

Another change is around personal control of data. EU citizens will now have the right to request all of the data held by an organisation about them, and they can also insist upon its deletion too. Again, this is unlikely to directly affect schools and other education providers, but it’s worth being aware of.

So why is GDPR important to schools?

One of the major issues is that schools notoriously tend to have poor IT systems, especially when it comes to the accurate and safe storage of information. This often comes down to budget restrictions, which means that IT systems meet the bare minimum requirements, and aren’t updated and replaced until the very last minute. In many cases, information will be stored on very insecure and potentially inaccurate spreadsheets Unfortunately, this will not be acceptable under GDPR, which does demand robust storage systems.

Schools’ data storage solutions going forward will need to be:

  • Highly secure, with encryption at every opportunity, to ensure that all held data is kept as safe as it can reasonably be
  • Easy to access, so that any access requests that come in can easily be fulfilled in the specified time frame
  • Easy to change, so that any changes in the data can be made without difficulty, particularly in respect to the removal of data
  • Useable with metadata, which is to say that schools will need to keep record of certain things, such as the period of time the data can be legally held for, or whether or not explicit permission has been given for certain data to be used

In order to accomplish the above, many educational establishments will need to re-assess the system they are using, and there are many potential options. While GDPR does set out new standards, it does not go into any detail about how they should be met, so organisations are free to use whichever system suits them. This could be an in house, external or cloud based solution. In many cases it will be wise for organisations to consult an IT expert for guidance in this area.

As part of this, it’s highly likely that many schools, particularly larger ones, will need to employ or designate a data protection officer if they haven’t already done so. It will be this person’s responsibility to both implement data protection policies, and ensure that they’re being adhered to by relevant members of staff. Indeed, in certain cases GDPR mandates the appointment of a data protection officer.

For more information about the specifics of GDPR and how it might affect your business or organisation, then take a look at our free GDPR resources.

Related resources

Jaison Cresswell Author

Author: Jaison Cresswell

Jaison is a Learning Technology Manager who has a wealth of experience in creating digital learning solutions to meet both client and learner requirements. He also leads on Commercial Partnerships and International Sales. He has a degree in Business Management and enjoys keeping up-to-date with the latest technology and trends.

ISO 9001:2015
Crown Commercial Service Supplier
LPI Accredited Learning Technologies Provider


+44 (0)1943 605 976

Virtual College

Marsel House


West Yorkshire

LS29 8DD

Awards for footer
Gold and silver award winners at the Learning Technologies Awards 2017 - including gold for excellence in the design of learning content.


We are in the process of moving to one Virtual College website. If you want to go back to a course, or start a course, bought from our old website then you may need to login to our original learning management system. Otherwise, please proceed to our new learning management system to return to your training.


You are already logged in. Click the button below to be taken to your LMS dashboard. Alternatively, click logout to leave the system.