How will GDPR affect the education sector?

How will GDPR affect the education sector?

Every individual within the education sector has a responsibility to understand how GDPR will affect them. Ursula Oliver shares views and advice from the industry

The move to GDPR will be much needed, as the current Data Protection Act is based on outdated European legislation passed in 1995. Think about how much technology has changed since 1995 and the new ways our data can now be collected and stored. We put so much of our information online and it’s accessible in a way that it’s never been before.

Data can also be collected via cookies on an internet browser and some companies that you don’t even sign up with can then access and even sell your personal information.

Mango at PLMR works with schools, edtech companies and education charities, so we have a solid understanding of the key issues facing all corners of our industry. We have asked them their views and guidance on how the GDPR will affect schools.


There are six principles that form the foundation for organisations to ensure they are compliant. To be properly prepared for GDPR, anyone handling and processing personal data needs to ensure it is processed fairly, lawfully and in a transparent manner; used for specified, explicit and legitimate purposes; and is used in a way that is adequate, relevant and limited.

Anyone handling and processing personal data also needs to ensure it is accurate and kept up-to-date; kept no longer than is necessary; and
processed in a manner that ensures appropriate security of the data.

Data is categorised in two groups: personal and sensitive. Personal data is information such as HR records and contact information, whereas sensitive data is often health related, biometric or genetic.

Every individual within the education sector has a responsibility to understand how GDPR will affect them.


For school business managers, selecting providers that demonstrate features that protect data, are transparent about how they collect and store data and are happy to offer guidance and advice for any questions or concerns you may have surrounding data, is a crucial part of your own schools’ GDPR preparation process.

An important factor to consider is that GDPR applies to any organisation that handles personal data within the European Union, regardless of its location – so make sure to ask providers about what they will do with your data, especially if their organisation is based outside the EU.

Andy Goff, director at ONVU Learning, a provider of a 360-degree camera system and sharing platform called LessonVU, suggests that Edtech companies should be proactive in their approach to the changes. He states that it will affect how Edtech companies can position and market themselves.

Companies will have to ‘opt-in’ school contacts who provide permission to companies to contact them.

In the future, companies will have to give reasons to potential clients and buyers as to why they should ‘opt in’ for continual contact. On a positive note, this may be a good step as it will create a strong sense of community between businesses and the schools they work with.

Looking at its proactive approach to the GDPR changes, Andy reflects that ONVU, “welcomes the changes and thinks overall that it will have a very positive and healthy impact on the market place and those working within it.

We really value our relationships with schools and their staff, and going forward we aim to strive and share practice about all that our partner schools achieve. We intend to use all conversations regarding GDPR to demonstrate our value, understanding and ultimately partnership with schools to help improve teaching and learning.”


Just like edtech providers, education charities will want to market their services and the mission statement of the cause they support. They will collect data to contact individuals to rally support for their cause, raise awareness and fundraise.

So, if a school starts working with an education charity it should keep in mind how its data may be used. It can secure its privacy by choosing transparent partners to work with, who understand the issues of GDPR, how it affects their organisation and how their work with you needs to be protected.

London Connected Learning Centre, (CLC), part of the Education Development Trust, supports schools in using technology to improve learning, so we asked the deputy director Julia Lawrence for her advice to schools surrounding the issues of data protection.
Julia commented: “We would suggest considering how secure the storage of data is already in a worst-case scenario. For example, when a visitor enters the school, is it possible that they might gain access to network accounts and information without proper verification? Also consider what data you hold on pupils and staff and how this is stored; are attendance registers kept on paper or digitally, who has access to medical records, and do you have consent to use contact information collected from parents?

Most schools will have moved to a management information system (MIS) with data stored in the cloud, so consult your provider if you have any remaining questions about GDPR.

“School leaders and business managers also need to assess current staffing and consider whether additional resource is required ahead of when GDPR comes into effect. Do existing staff members have enough time and training to carry out a GDPR-focused role?

“London CLC works closely alongside schools to carry out IT infrastructure health checks in order to create an IT strategy and action plan, ensuring GDPR is taken into account.”


The kind of data schools are likely to collect, and therefore need to be wary of, include personal data on members of the school community, including names, addresses, contact details, legal guardianship contact details, disciplinary records; academic data such as class lists, progress reports; professional records of employment history, taxation, national insurance records and appraisal records.

Sensitive data a school may hold includes health records, including genetic and biometric data collected from fingerprint authorised library or cafeteria access; classification of ethnicity, and religious indicators.

Fergal Kilroy, head of content for Bett works alongside teachers to determine and provide content that they will find valuable and engaging at the annual gathering of the education sector. Fergal has a close relationship with both edtech companies and educators and has first-hand insight into the role of GDPR in a school setting.

He commented: “With widespread internet access in the UK, pupil privacy and online safety is a hot topic. Schools are aware of how exposed data can be online and it’s why many of them shy away from the environment.

“The imminent General Data Protection Regulation (GDPR) will introduce a new role of data protection officer to many schools. In the short term, this is likely to come as an added responsibility to staff, many of whom will not be fully prepared. But those schools that encourage data management expertise will be able to use and interpret their data to understand learning trends better, and enable them to address social challenges.”

School leadership teams and business managers will want to consider how they interact with all organisations, whether they’re suppliers or charities – anyone they come into contact with that handles their schools’ data. This is because schools ultimately are liable as well and will need their own strategies to ensure GDPR compliance.

However, if we all commit to acting now and sharing our knowledge and resources, we can help each other make the process run as smoothly as possible.

Further Information: