GDPR mythbuster
Avoid the scaremongering around the GDPR and use our mythbuster to separate the fact from the fiction when it comes to visitor books, photo archives, fines, consent and more.
| Myth | Fact |
| --- | --- |
| You'll be fined 20 million euros if you get anything wrong | This is highly unlikely. Although this is the maximum fine available (strictly, the higher of 20 million euros or 4% of annual worldwide turnover), the Information Commissioner's Office (ICO), which will enforce the regulations in the UK, says that it has "always preferred the carrot to the stick" and will use its powers "proportionately and judiciously". In other words, a huge multinational corporation might get hit with the maximum fine for a very serious data breach, but this is unlikely to be the case for schools. |
| You need to seek consent for all the personal data you process | You probably won't need to seek consent that often. You need to have a 'lawful basis' (legal reason) for processing personal data, and consent is just 1 of 6 lawful bases you can use. Only use consent where none of the other bases apply: the standard for valid consent is very high, and individuals can say no or withdraw it at any time, which could leave you unable to continue the processing. Follow our process to decide whether any of the other bases apply before you consider seeking consent. |
| You can no longer report safeguarding allegations to your LA without consent from those involved | This is related to the myth above, and it isn't true: schools are legally required to report safeguarding allegations to the local authority (LA), and this won't change. |
| You can't ask visitors to sign in by putting their details into a visitor book | The GDPR will not necessarily require you to change your school's signing-in process. You need to keep certain visitor data for health and safety reasons, and Forbes Solicitors assured us this is fine under the GDPR, as long as you only capture and store the data you really need to meet your legal obligations to keep staff and pupils safe. You must ensure this data remains secure, so review whether your current visitor book poses a risk to this; a typical problem is that each visitor can read the names and details of everyone who signed in before them. If so, you could take additional measures such as covering each completed record in the book, so that anyone signing it can only see the next blank record. |
| The GDPR contains specific rules about how long you can retain records for | The GDPR contains principles for good management of personal data, rather than specific rules on how you must do things. It doesn't set out record retention periods, or particular security measures that you need to put in place. It's up to you to decide this, based on what is appropriate for your school and the type of personal data you're handling. For guidelines on record retention periods, look at the IRMS Records Management Toolkit for Schools. It pre-dates the GDPR but remains applicable. |
| You must destroy all historical photographs of your school that feature people | The rules around personal data, including those set out in the GDPR, only apply to the data of living individuals, so depending on how old your photographs are, the GDPR may not apply at all to your historic photos of former pupils. You may also be able to keep historical photos of living individuals, provided you establish a suitable lawful basis. Read our article on managing your photo archives for help with this. |
| Paper records are not compliant with the GDPR | This is not true. It's fine to keep paper records, as long as you store and use them according to the GDPR principles for data processing. |
| The data protection officer can't be an existing member of staff | It's fine for your data protection officer (DPO) to be a current member of staff, provided they meet all the criteria for the role. You'll probably need to make some changes for this arrangement to work, including: Read our guidance on appointing a DPO for more on this. |
| You need to look at how you handle ALL the data you keep in school | The GDPR only applies to personal data, which is any information relating to an identified or identifiable person. This may include information such as the person's name, contact details, unique identification number (such as a National Insurance number) or online identifier (such as a username). It may also include anything relating to the person's physical and mental health, genetics, finances, or their physiological, cultural or social identity. You don't need to worry about how you handle data that can't be linked to an individual, including data that has been genuinely anonymised. Note that pseudonymised data, where names have been replaced by codes but a key or other information could still re-identify the person, is still personal data. |
- 'Cheat sheet' for data protection officers
- Child protection records: transfer guidance
- Data protection impact assessments
- Data protection impact assessments: template and checklist
- Data protection officer: who can it be?
- Data sharing agreements
- DPO's report to governors: template
- DPOs: what your school must do for you
- Email security: sending personal data
- Freedom of information: responding to requests
- GDPR: at what age can pupils give consent?
- GDPR audit
- GDPR compliance for visiting staff
- GDPR: ensuring your suppliers are compliant
- GDPR jargon buster
- GDPR: managing your photo archives
- GDPR: personal data breach procedure
- GDPR: seeking consent for processing personal data
- GDPR: sharing medical information
- GDPR: sharing safeguarding information
- GDPR: template record of processing activities
- GDPR: using apps and online services with pupils
- Help your staff understand the GDPR: posters and handout
- How to choose which ‘lawful basis’ to use under the GDPR
- How to comply with the General Data Protection Regulation
- How to respond to subject access requests in the summer holidays
- Information audit: template
- Parents' right to see their child's educational record
- Poll results: how is the DPO role taking shape?
- Poll results: who are schools choosing as their data protection officer?
- Pupil records: transferring to other schools or providers
- Recording and managing consent under the GDPR
- Requests for information: guidance and template record
- Requests from parents to see pupils' information: FAQs
- Schools' reporting requirements
- 'Special category' data under the GDPR
- Subject access requests: guidance and template forms
- Taking and displaying pupil photos and information
- Taking documents home: securing personal data
- The General Data Protection Regulation explained
- QuickRead: The General Data Protection Regulation (GDPR)
- The role of the data protection officer (DPO)
- Using personal devices: securing personal data
The Key has taken great care in publishing this article. However, some of the article's content and information may come from or link to third party sources whose quality, relevance, accuracy, completeness, currency and reliability we do not guarantee. Accordingly, we will not be held liable for any use of or reliance placed on this article's content or the links or downloads it provides. This article may contain information sourced from public sector bodies and licensed under the Open Government Licence v3.0.