You are here:

Last reviewed on 8 May 2019
Ref: 32870
School types: All · School phases: All

You should get an annual report about the General Data Protection Regulation (GDPR) from your data protection officer (DPO). Here's what to look for, questions you should ask, and a quick update on what happened this past year in the world of data protection.

Ask for a GDPR report to governors

Your school should've appointed a data protection officer (DPO) who takes responsibility for monitoring data protection compliance and has the knowledge, support and authority to do so effectively.

They should report to you on data protection matters. If you haven't heard anything about a data protection report like this, ask for one. Here's a template report so you know what you need to see:

We've given this template to DPOs on our sister service The Key for School Leaders, so the report you receive may look like this, but bear in mind the DPO can report in whatever format they choose.

There's no set reporting frequency, but we recommend that you:

  • Receive a GDPR report at least annually
  • Are updated whenever there is a data breach or other important development – the DPO could notify the chair, tell the data protection link governor if you have one, or attend the full governing board or most relevant committee meeting

Ask your DPO these questions

As DPO, do you have enough time and resources to fulfil your role?

The DPO should have the resources they need to do the role properly, which might include:

  • Dedicated time
  • Training
  • A budget
  • A deputy or team (if you're in a large school)

39% of schools surveyed in a report by RM Education and Trend Micro cited "lack of financial investment" as a reason for not being GDPR compliant. However, 79% of schools surveyed agreed that fines for non-compliance would ‘significantly impact’ them - so when you consider the budget available for data protection, make sure you factor in the potential cost of non-compliance.

How are we keeping on top of the sector, to make sure we don't miss any developments?

Your DPO could mention:

  • Attending training
  • Being part of The Key's DPO network, which gives them data protection updates and tailored resources
  • Keeping on top of updates from the Information Commissioner's Office by checking its website regularly or subscribing to its newsletter
  • Working with DPOs in other schools  

Have we had any data breaches? If so, did we expect this number? Could they have been avoided? Was the breach procedure followed properly and were there any problems?

Your discussion will vary according to the number and severity of any breaches. You should look for:

  • An honest assessment of what happened
  • Confirmation that the school is taking data protection seriously
  • The sense that actions have been taken to make sure it doesn't happen again

You could discuss whether there were any 'near misses' and make sure the school has learnt from these too. 

What training has been provided to the staff to ensure they understand how to comply with the GDPR day-to-day?

The RM and Trend Micro report (linked above) identified accidental loss by staff members as the number one threat to data security. One school exposed the data of over 1000 pupils last year when a staff member lost an unencrypted memory stick. Check your staff have been trained to:

  • Not leave laptops open and accessible
  • Not use unencrypted memory sticks
  • Use strong passwords and change them regularly
  • Update their software when prompted

How are we tracking the retention periods for personal data and ensuring that out-of-date records are properly destroyed?

The GDPR requires that no personal data be kept longer than necessary for its purpose. Your DPO should have systems in place for tracking such records, as well as processes for ensuring proper disposal.

As a governing board, make sure you're complying with storage and retention rules that apply to the documents you produce.

What are the key challenges we need to prepare for in school? As DPO, how are you staying on top of these issues?

Challenges to look out for are any big changes to staffing, processes, technology or suppliers.

If your DPO is a staff member, they should explain how they've raised awareness of their role across the school and made sure staff know when to consult them.

If you have an external or outsourced DPO, they should describe how they stay in touch with the school on a regular basis and how they got to know your school's systems and procedures, and demonstrate that clear contact and reporting systems are in place.

What strategies do we have in place to ensure data can be deleted if parents or pupils request it?

One of the most significant responsibilities under the GDPR is to delete someone's personal data upon request. Your DPO should be able to assure you that data can be easily located and removed when needed.

What steps need to be taken next year? Are we confident in our capacity to mitigate our risks? Are deadlines realistic? Do you have enough resource?

Your DPO should present specific actions to take with deadlines attached. Ideally there will be a sense of priority attached to each item so you can see which are the most important, and easily assess your progress the next time you get an update from your DPO.

Get up-to-date with the past year in data protection

Here's a brief round-up of what happened that might have had an impact on your school:

  • The Data Protection Act 2018 (DPA) came into effect in May 2018 alongside the GDPR. It covers the UK's policy on aspects of the GDPR that were left up to the member states. Your data protection officer (DPO) should have updated your policy and processes accordingly. The Information Commissioner's Office (ICO) has published a quick guide to the DPA
  • Capita's Schools Information Management System (SIMS) wrestled with a bug that corrupted data, linking pupils to the wrong contact information. The first incident occurred in July 2018, and Capita quickly responded with a digital patch. The bug appeared again in April 2019 and schools were urged not to use SIMS' file transfer system. If this breach affected your school, you should've been informed and your DPO should be able to explain how the breach was mitigated
  • The ICO has been busy publishing detailed guidance on various aspects of the GDPR. You can see all the updates here. Again, your DPO should've been keeping up-to-date with the new guidance, and making sure your school's processes reflect it


We put these questions together with support from our associate education expert Brendan Hollyer. Brendan is vice-chair of governors at a primary school and an all-through special school. He's a national leader of governance and has worked as the director of conversions and governance for a multi-academy trust.

Sharon Graham helped us create the report template. Sharon is DPO for 3 schools, and runs a GDPR working party for DPOs. She also has 10 years' experience in the education sector covering all aspects of operational management.

Reference to commercial organisations in this article is not an endorsement from The Key. 

More from The Key

The Key has taken great care in publishing this article. However, some of the article's content and information may come from or link to third party sources whose quality, relevance, accuracy, completeness, currency and reliability we do not guarantee. Accordingly, we will not be held liable for any use of or reliance placed on this article's content or the links or downloads it provides. This article may contain information sourced from public sector bodies and licensed under the Open Government Licence v3.0.