Groupcall Blog – ...latest product updates, events, trends and industry news.

The 4 biggest myths around GDPR for schools

Written by Henry Kilshaw | May 15, 2018

With the GDPR deadline just days away, we’re still hearing a number of unfounded fears from schools about what will actually happen on the 25th of May. For the most part, we’ve been able to fully allay those fears through our training sessions and videos, but there is still some misunderstanding out there.

Here are some of the biggest mistruths we’re hearing about the GDPR for schools, and some useful advice to help you through the rest of your compliance journey.

1. GDPR is a point in time

As we know, the General Data Protection Regulation was enacted in 2016 and comes into force on 25 May. While this is obviously the date where enforcement can start to take place, being compliant with the GDPR is an ongoing process and as much about the systems you have in place and your ongoing training as it is about a hard deadline.

2. Big fines are coming

Speaking of enforcement, a lot has been made of the potential fines that accompany the GDPR legislation – a mammoth €20 million, or 4% of annual global turnover – whichever is higher.

The bit you have to remember is fines have to be ‘effective, proportionate and dissuasive’. The reality is there is little public interest in fining a school when the reputational damage of a data breach would more than likely be sufficient punishment.

Not that the ICO are big finers anyway. In 2016/2017, the ICO concluded 17,300 cases for data breaches, with a grand total of 16 resulting in fines. As scary as the potential fines are, it would have to be an especially awful, negligent breach for fines to even be a possibility for a school, and even then, it is unlikely.

3. All data breaches must be reported

A number of you have been concerned about the new rules around data breaches – namely that data breaches have to be reported to the ICO within 72 hours.

There are a few misconceptions to clear up here. Firstly, the 72 hours only begins once you find out about the breach, not from when the breach happens. The ICO clearly doesn’t expect you to report things you don’t know about but having a robust data protection system in place will mean that you should find out about any breaches quickly anyway.

Secondly, you don’t have to report ALL breaches to the ICO, just those that might result in a risk to a person’s rights and freedoms. This can be a tricky line to judge, however the ICO are more than happy for you to use their live chat function or give them a quick call to see if you need to make a formal report. For an enforcement agency, the ICO are surprisingly helpful and understanding if you’re trying to do the right thing.

The fact is, things ARE going to go wrong for most schools at some stage, these things happen! However, the more robust your systems and training and the better you’ve prepared, the less the impact will be. In any case, you should always keep a record of data breaches whether you report them or not.

4. Everybody can enforce the right to be forgotten

Several schools have shown concern about the ‘right to be forgotten’ element of GDPR. The belief is that pupils or parents could come in and ask for all of their data to be erased, and a school would have to comply. While the right to be forgotten has been strengthened under GDPR, it is important to note that they can ONLY do this if you don’t have another lawful basis for keeping the data. For example, secondary schools must keep most student records until the child turns 25 and this is a legal requirement. GDPR doesn’t stop this retention from happening.

As it is entirely possible you will get erasure requests, it is important to have a policy in place for how you will deal with them. This means you’ll need to know exactly where everything is.


Hopefully this has cleared up a few of the common misconceptions around GDPR for schools. GDPR compliance is a journey rather than a destination, and for most schools it will be a reaffirmation of the things you’re already doing well around data and safeguarding.

Don’t panic – the deadline might be coming fast, but there are plenty of ways Groupcall and GDPRiS can help get you ready with over 800 education suppliers already mapped and ready to go. 

Find out more about GDPRiS>>