You are here:

Last updated on 3 October 2018
Ref: 32870
School types: All · School phases: All

You should receive reports about the General Data Protection Regulation (GDPR) from your data protection officer (DPO). Here's what you should ask when you receive your first one, so you can be confident your school is meeting its legal obligations.

Article tools


  1. What you should expect from a GDPR report to governors
  2. Questions to ask about the report
  3. Questions about preparing for the GDPR

What you should expect from a GDPR report to governors

Your school should have appointed a data protection officer (DPO) who takes responsibility for monitoring data protection compliance and has the knowledge, support and authority to do so effectively. This person should report to you on data protection matters.

Here's a template report so you know what to expect: 

We've given this template to DPOs on our sister service The Key for School Leaders, so the report you receive may look like this, but bear in mind the DPO can report in whatever format they choose.

There's no set reporting frequency, but we recommend that you: 

  • Start with an update this autumn term (6 months in to the GDPR) because the legislation is new
  • Always receive an annual report
  • Are updated whenever there is a data breach or other important development – the DPO could notify the chair, tell the data protection link governor if you have one, or attend the full governing board or most relevant committee meeting

Questions to ask about the report

These questions are based on the recommended report contents in our template (see above).

1. As DPO, do you have enough time and resources to fulfil your role? 

The DPO should have the resources they need to do the role properly, which might include:

  • Dedicated time
  • Training
  • A budget
  • A deputy or team (if you're in a large school)

2. How are we keeping on top of the sector, to make sure we don't miss any developments? 

Your DPO could mention:

  • Attending training
  • Being part of The Key's DPO network, which gives them data protection updates and tailored resources
  • Keeping on top of updates from the Information Commissioner's Office by checking its website regularly or subscribing to its newsletter
  • Working with DPOs in other schools  

3. (If you had any data breaches) Did we expect this number of data breaches? Could they have been avoided? Was the breach procedure followed properly and were there any problems?

Your discussion will vary according to the number and severity of any breaches. You should look for:

  • An honest assessment of what happened
  • Confirmation that the school is taking data protection seriously
  • The sense that actions have been taken to make sure it doesn't happen again 

You could discuss whether there were any 'near misses' and make sure the school has learnt from these too. 

4. What are the key challenges we need to prepare for in school? As DPO, how are you staying on top of these issues? 

Challenges to look out for are any big changes to staffing, processes, technology or suppliers. 

If your DPO is a staff member, they should explain how they've raised awareness of their role across the school and made sure staff know when to consult them. 

If you have an external or outsourced DPO, they should be able to describe how they stay in touch with the school on a regular basis and how they got to know your school's systems and procedures, and demonstrate that clear contact and reporting systems are in place.

5. What steps need to be taken this term? Are we confident in our capacity to mitigate our risks? Are deadlines realistic? Do you have enough resource?

Your DPO should present specific actions to take with deadlines attached. Ideally there will be a sense of priority attached to each item so you can see which are the most important, and easily assess your progress the next time you get an update from your DPO.

Questions about preparing for the GDPR

Put these questions to your headteacher the first time you discuss the GDPR to check that your school's data protection processes are effective and identify any areas that need attention.

Your board is likely to have asked these questions already, but we're including them here in case you're yet to discuss the GDPR as a full board.

1. How confident are we that we know enough about the implications of the GDPR?

  • Your headteacher and DPO should be confident at this stage that they have a firm grasp of the way the GDPR affects the school, including with respect to internal processes and the people you hold data about
  • You can expect some uncertainty, however; the GDPR is a big change for organisations in all sectors and its full implications are yet to become clear

2. What sources of information have we used to find out what we need to do?

Your headteacher should mention sources like:

  • The Information Commissioner’s Office (ICO)
  • The Department for Education’s data protection toolkit for schools
  • Your local authority (if applicable)
  • The Key
  • Data protection consultancies or training providers
  • Legal providers

3. What have we done so far?

Your headteacher should mention:

  • Raising awareness among staff
  • Conducting an information audit
  • Identifying an appropriate ‘lawful basis’ for data processing activities
  • Updating privacy notices, and other relevant policies and procedures
  • Reviewing the school's information security measures – your systems and processes for keeping personal data safe, physically and electronically 
  • Appointing a data protection officer (DPO)

4. Who is our DPO and how does the role work?

Your school should have appointed a DPO by 25 May 2018, when the GDPR came into force. Your headteacher should explain:

  • Who the DPO is
  • Where they sit in the school's leadership structure
  • How much of their time they will spend on the role
  • What resources they need to enable them to do their job
  • Whether there is a budget that you, as governors/trustees, need to approve for them

5. What changes have been made to our privacy notices?

Your privacy notices should have been updated to include:

  • Your lawful basis for all data processing activities that involve personal data
  • Information about the rights that people have in relation to their data (e.g. to access it, to object to processing, to correct inaccuracies)
  • Information about people’s right to complain to the ICO about your use of their data

If you have a privacy notice that's aimed at children (typically age 13 and above, when children are able to understand data protection implications and their rights), it should be written in child-friendly language.

6. Do we need to adjust any procedures to make sure we can respond to subject access requests (SARs) within a month (instead of 40 days)?

  • If you do, your headteacher should be able to confirm that this has been done
  • Your headteacher should also have considered how the school will respond to SARs over the summer holidays, as there is no exemption from the 30-day deadline for schools

7. Do we have a clear procedure for responding to and reporting possible data breaches?

  • Your data breach procedure should be clearly defined and include specific actions to take to mitigate different types of breach – for example, what to do if a laptop goes missing, how to respond if someone sends a sensitive email to the wrong people
  • Governors and trustees also need to know what to do in the event of a data breach, so make sure you have a detailed understanding of your school's procedure

8. How do we plan to strike a balance between encouraging people to report a data breach and not creating a culture of fear?

Your headteacher should explain:

  • How all staff have been made aware of what constitutes a data breach and your data breach procedure
  • How staff will be reminded regularly of this, perhaps through posters, staff meeting updates, or regular data protection refresher training
  • That any messaging around data breach procedures focuses on the need to keep data safe in the first place, and how to do this

9. How can we make sure the board stays appropriately informed on data protection issues in school and can monitor compliance?

You should discuss:

  • Having a standard meeting agenda item on data protection
  • Whether it would be helpful to appoint a data protection link governor, who liaises with the DPO regularly
  • Setting out a schedule for when the DPO can report to you, as they're required to do this by law
  • How you as governors/trustees will be alerted about a personal data breach; the headteacher and DPO should have a plan for this

If you're still getting your head around the GDPR and your role in ensuring your school is compliant, read our article on what governors and trustees need to do to comply.


We put these questions together with support from our associate education expert Brendan Hollyer. Brendan is vice-chair of governors at a primary school and an all-through special school. He's a national leader of governance and has worked as the director of conversions and governance for a multi-academy trust.

Sharon Graham helped us create the report template. Sharon is DPO for 3 schools, and runs a GDPR working party for DPOs. She also has 10 years' experience in the education sector covering all aspects of operational management.

More from The Key

The Key has taken great care in publishing this article. However, some of the article's content and information may come from or link to third party sources whose quality, relevance, accuracy, completeness, currency and reliability we do not guarantee. Accordingly, we will not be held liable for any use of or reliance placed on this article's content or the links or downloads it provides. This article may contain information sourced from public sector bodies and licensed under the Open Government Licence.