What is GDPR?

In the UK, GDPR will replace the Data Protection Act 1998, which was brought into law as a way to implement the 1995 EU Data Protection Directive. GDPR seeks to give people more control over how organisations use their data, and introduces hefty penalties for organisations that fail to comply with the rules. It also ensures data protection law is almost identical across the EU.

At the moment, the Data Protection Act 1998 (‘DPA 1998’) applies to the way schools and trusts handle personal data.  Most schools and trusts will be familiar with the general requirements of the DPA 1998, for example, the circumstances when they can disclose personal data and what to do if a person submits a subject access request.

From May 2018, the DPA 1998 will be replaced by the General Data Protection Regulation which is often referred to as the ‘GDPR’.  Although many of the principles remain the same as the DPA 1998, there are some important changes which affect the way we process data.

In general terms, the GDPR places more emphasis on transparency, accountability and record keeping.

Why do we need it?

The update to Data Protection legislation in many ways is long overdue as the 1998 Act pre-dates Facebook, Twitter and all social media. It is hard to remember, or believe, that in 1998 mobile phones were limited to making and receiving calls, and text messaging that was charged by each character. Email was being used, but not every organisation had email addresses and hard copy documents were the mainstay of storage and records.

iPhones, BlackBerrys, smartphones and tablets were yet to come. Access to the internet was limited and actually required a physical dial-up. There were no 3G or wireless hotspots for casting communication, and Google went live in 1998 - the same year as the DPA.

The Data Protection Act was fit for purpose then, but all of the changes in the last 19 years mean that a new framework is now essential.

Compliance with the Data Protection Act principles in the UK is largely the responsibility of the Information Commissioner. The Information Commissioner’s Office (ICO) is the regulatory and supervisory authority. The ICO has the ability to provide advice, undertake audits, access information, and impose sanctions and penalties.

What does this mean for Schools?

Schools process a lot of personal data relating to pupils and staff in order to carry out their functions. They also acquire personal data relating to other people including, for example, parents / carers, local governors, trustees, members of the local community, suppliers, contractors and consultants. It is therefore important that all schools ensure they handle personal data carefully and legally.

Data Protection Officer (DPO)

Please find below details of Burhill Primary School’s Data Protection Officer:

Data Protection Officer: Craig Stilwell

Address: Judicium Consulting Ltd, 72 Cannon Street, London, EC4N 6AE


Telephone: 0203 326 9174


Page Downloads | Date
CCTV Policy | 05th Jul 2022
Data Breach Policy | 04th May 2022
Data Protection Policy including SAR Appendix | 04th May 2022
Data Retention Policy | 04th May 2022
Freedom of Information Policy and Publication Scheme | 04th May 2022
Privacy Notice for Governors and Volunteers | 04th May 2022
Privacy Notice for Visitors and Contractors | 05th May 2022
DfE Privacy Notice for School's Daily Attendance Data Collection | 20th Jul 2023