GDPR resource hub
GDPR compliance tracking
Compliance Tracker is free with membership of The Key. Store evidence of the steps you’ve taken to become compliant, read a breakdown of everything the law requires you to do, and get email notifications to help you stay on top of your to-do list:
Are you DPO for your school or trust?
Join more than 1,000 members who are already part of The Key's DPO network. You'll be the first to know about new resources and get exclusive insights into what other DPOs are doing from our polls and case studies:
Please note: we're currently updating our model data protection policy and privacy notices, and some of the other articles listed below, to reflect more recent guidance from the Information Commissioner's Office on provisions in the Data Protection Act 2018. Subscribe to updates for any articles you're interested in by clicking 'save for later' at the top of the relevant article page.
Understanding the GDPR
- The General Data Protection Regulation explained
This article will help you get to grips with the key points of the legislation.
- How to comply with the General Data Protection Regulation
Here are the actions you need to take to get your school compliant with these reforms.
- Jargon buster
The world of data protection is filled with jargon and technical terms, but our GDPR glossary makes it accessible for you.
Avoid the scaremongering - use our mythbuster to separate the fact from the fiction when it comes to visitor books, photo archives, fines, consent and more.
Seeking consent to process personal data
- The Key's guide to consent (with template consent forms)
Use our process to work out whether you need to seek consent. If you do, use our template forms for the most likely situations for schools.
- Taking and displaying pupil photos and information
Use this advice to work out your lawful basis and learn how to seek consent where necessary.
- At what age can pupils give consent?
The GDPR doesn't define an age. Read this to get to grips with good practice advice and the requirements outlined in other guidance.
- Managing consent under the GDPR
Guidance and top tips to help you manage your consent procedures efficiently, and examples of how two schools collect and record consent.
- GDPR: managing your photo archives
Figure out what to do with your old photographs of pupils and staff with the GDPR in place.
Updating your staff
- We summarise the GDPR in just one page, which you can download as a ready-made resource to share with colleagues.
- 10-minute briefing for staff
Available now on CPD Toolkit: ready-made training resources that you can use to update your team about the GDPR (simply sign up for a free trial).
Is your board up to speed?
Governors and trustees can access the resources they need on The Key for School Governors.
Identifying what data you hold and why
- Information audit: template
Use our downloadable audit template, which includes school-specific prompts, to help you identify what personal data you hold.
- How to choose which ‘lawful basis’ to use under the GDPR
Use the process in this article to work out which of the 6 lawful bases to use to justify each of your data processing activities.
- Special category data
Some data is classed as 'special category', meaning it's sensitive and needs more protection. Find out what kind of data is defined this way, and the conditions for processing it.
Appointing your data protection officer
- The role of the data protection officer (DPO)
Under the GDPR, schools must appoint a data protection officer. Read about the duties of the role and download our template job description.
- Data protection officer: who can it be?
Read on for our experts’ recommendations on who to appoint, depending on your context.
- Poll results: who are schools choosing as their data protection officer?
We asked 1,000 of our school leader community how their schools are responding - let them help you to make a call on your DPO.
Reviewing your processing procedures
- Data protection model policy
Download our GDPR-compliant model data protection policy, approved by Forbes Solicitors, and adapt it to your school's setting.
- Ensuring your suppliers are compliant with the GDPR
Use our checklist and template letter to carry out the required due diligence.
- Subject access requests: guidance and template form
Use this guidance and our template form to help you comply with subject access requests.
- Personal data breach procedure and poster
Download our model procedure for use in the event of a data breach at your school, and our poster to ensure your staff know what to do.
Practical advice on the nitty-gritty of the GDPR
- The rules around contacting parents
- Taking documents home: securing personal data
- Template record of processing activities
- Getting GDPR-compliant across your MAT
- Data protection impact assessments
- Email security: sending personal data
- Using personal devices: securing personal data
- What your PTA needs to do to comply with the GDPR
- GDPR: using online services in school
For more answers, go to the data protection section of The Key.
The Key has taken great care in publishing this article. However, some of the article's content and information may come from or link to third party sources whose quality, relevance, accuracy, completeness, currency and reliability we do not guarantee. Accordingly, we will not be held liable for any use of or reliance placed on this article's content or the links or downloads it provides. This article may contain information sourced from public sector bodies and licensed under the Open Government Licence.