Academies will need to gear up for the General Data Protection Regulations (GDPR) that take effect from May 2018.

The GDPR replaces the existing Data Protection Act and extends the rights of individuals over the use of their personal data.

Non-compliance with the new rules can result in fines of up to 2% of an academy’s annual income (capped at €10M), with data breaches generating fines of up to 4% (capped at €20M).

Schools will need to record what personal and personally sensitive information they hold in manual and electronic files, along with details of management responsibility for that data, and their policies on storage and deletion.

A risk assessment will be required where the processing of information is considered to be on a large scale or risky. Although further guidance is awaited on this, it is thought that whilst individual schools may not be affected, multi-academy trusts (MATs) will be as the data controller for all their schools.

Schools will also need to record how and when they obtained consent for the information they hold from the individuals concerned. Those individuals can withdraw their consent at any time, unless there is a legal requirement to keep it. Privacy notices will have to make clear why the data is required and how it is stored and processed.

Any breaches of information will have to be reported within 72 hours, and schools will have to ensure they have a plan for managing and containing such a breach, including what assistance will be offered to those individuals affected.

Any failure by schools to comply with the GDPR rules can result in both a fine and an investigation by the Information Commissioners Office (ICO).

Action plan

Schools and MATS will need to appoint a Data Protection Officer to raise awareness of the new regime. A review should also be undertaken on what information is actually held, who is responsible for it, how it is processed and any risks associated with processing.

There will be technology issues to consider here, in that dated operating systems that are no longer supported will be viewed as incompliant and in need of an upgrade. Schools that do not have the expertise to manage their IT security will have to seek outside assistance.

As there is now less than a year before the new regime becomes law, the sooner academies start to consider how to address the GDPR, the more prepared they will be.

Even though at the moment no additional government funds have been allocated to help schools prepare for the GDPR, the risk of penalties for not complying will concentrate the minds of data controllers.

Major companies such as Microsoft and Google already offer cloud-based services that can encrypt stored information, to make sure it cannot be used if stolen. Moving to a cloud-based system could also free up internal resources.

The ICO has an area on its website with more information. It has also published a 12-step guide on steps to take.

If you would like to discuss these issues further, please contact a member of our Academies team.


Related Services & Sectors



Bishop Fleming is one of the UK’s leading accountants to the academy school sector.

Read More

Audit & Assurance

Guiding you through the audit process to give you meaningful insight into your business.

Read More

Payroll for Academies

Specialist services for academies schools

Read More
The logo for Kreston International Investors in clients logo British accountancy awards finalist 2016 logo ICAEW logo Sunday Times Top 100 Best Companies 2018 logo