Data Protection

GDPR in schools

A personal touch to achieving compliance

Who can be my Data Protection Officer (DPO)?

This can be anyone who has no strategic or operational decision-making role with regard to data and data systems in your school. It doesn’t have to be a member of your own staff.

Examples of roles that are unlikely to be able to act as your DPO include the Headteacher, School Business Manager, Data Manager, IT Manager and most other senior leadership roles.

How We Can Help

As an education provider, you have a responsibility to protect your students, staff and school. However, that responsibility isn’t limited to protecting them physically – it also extends to protecting any information or data you hold about those individuals and to how it is managed and controlled within your environment.

SchoolPro TLC provides the role of Data Protection Officer (DPO) as a service for schools to demonstrate an enhanced level of data protection compliance to the Information Commissioner’s Office. Our DPO Service is intended to assist schools and multi-academy trusts (MATs) in complying with the requirement to appoint such a role with the responsibilities set out in the Data Protection Act 2018.

Our staff are experienced school leaders so understand the data flows and need for data in different areas of the school. Our support as DPO includes a free online recording and reporting system for all relevant GDPR information, so you don’t have to pay additionally for another expensive system.

We also provide a great many functions compared with some other purchased services, including completed Data Privacy Impact Assessments and compliance checking of supplier data privacy agreements.


Download our Data Protection Service overview:

Data Protection Officer Service for Schools

How It Works

Our delivery of the Data Protection Officer role shall include:
  • Providing advice and guidance when required
  • Supporting and monitoring the maintenance of data records
  • Drafting data policies and procedures
  • Providing training for employees
  • Acting as the first point of contact with authorities
  • Supporting the management of Subject Access Requests and those under the Freedom of Information Act 2000
  • Supporting the management, including investigation, reporting and review, of data breach incidents
  • Conducting an internal audit of your data processes up to twice a year
  • Providing you with access to our specifically designed Data Protection Portal

What are the advantages of outsourcing the DPO role for my school?

Outsourcing gives you access to high levels of expertise and banks of resources. It also gives you an impartial view of your systems, processes and practice. In the event of a data protection incident, impact on the day-to-day running of the school will be minimal, as school staff can continue to carry out their roles. It is likely that this will also be a more cost-effective approach than using an existing member of staff when compared to additional non-contact time, training and, possibly, a TLR. The support is also available outside normal school working hours and during the school holidays.

A Cost Neutral Solution for GDPR in Schools

Our DPO service is cost-neutral compared to other, alternative solutions. For a school to appoint their own DPO, they will need to fund training for that individual and give them time to complete the role effectively. They will possibly also need to provide a financial incentive (such as a TLR) to them. Our experience and knowledge base (as well as economies of scale due to working with hundreds of schools) allow us to dramatically cut down these costs as well.

For example, a school senior leader earning £50k p.a. who is given an hour a week across the year to complete their DPO work is costing a school at least £2k, which is more than our most expensive rate.

Subject Access Requests - Our Guidance for Schools, Colleges & Trusts

Data Protection Audits

One of our DPOs will carry out audits to provide an assessment of whether you and your school are following good data protection practice. The audits will look at whether your policies and procedures are being followed and make recommendations for improvements, including any new guidance from the ICO. The audits can be undertaken alone or in conjunction with your DPO.

Data Protection Portal

In line with the Data Protection Act 2018 and in conjunction with the ICO’s published audit reports from MATs, we have designed a portal that enables schools and MATs to hold and log all relevant data protection information in one place. This includes all of our policy and document templates as well as the logging and reporting of data breaches, subject access requests and data decisions. All school-specific documents are hosted here, including audit reports, and all logs are also easily downloadable for review at governor or trustee level.

The portal is split into eight distinct sections:
  • Audits – audit your school against the ICO’s accountability framework. Create a RAG-rated development plan with actions for Amber and Red expectations in order to create the plan to fully meet all expectations over time.
  • Breaches – log and report on any data breaches that may occur in your schools.
  • Subject Access Requests – log and report on any subject access requests that may occur in your schools.
  • Data Decisions – log and report on any data decisions made where data is processed in such a way that could create risks to the rights and freedoms of individuals, or it involves special categories of data. It can also be used to log incidences of one-off data sharing.
  • Data Map – identify what categories of data are processed, the purpose for which they are processed, the legal basis for processing, where they are held, how they are obtained and who they are shared with.
  • Data Processors – identify which data processors your school shares data with, which data categories are shared, whether the processors are compliant with the UK GDPR, and what security and retention periods are in place with them.
  • Global Documents – access and download all of our supporting material for data protection including policy templates, training resources, privacy notices, retention schedules and data protection impact assessments.
  • School Documents – access and download any school-specific documents once completed such as audit reports and your data maps.

Our online tool is hosted and secured on servers located in the UK. Our systems and processes anonymise all data where possible so it is not personally identifiable, and we have a regular routine for deletion of any identifiable information.

Data Protection Training / CPD

Aims of this session are to:
  • Develop an understanding of the statutory responsibility to monitor and evaluate data processing within your setting
  • Develop a greater awareness of the potential pitfalls
  • Share good practice in relation to data protection using case studies from schools we currently work with
  • Raise awareness of how data protection is everyone’s concern

All of our CPD sessions can be delivered to a whole staff body or we offer bespoke sessions for different groups of staff, for example governors, senior leaders, admin, SENDCO, new starters, or as refresher training. Here is an example of our Data Protection Training for SENDCOs and DSLs.

The aim of the session is to:
  • Develop an understanding of the statutory responsibility to monitor and evaluate data processing with specific focus on SEN and Child Protection (CP) pupils
  • Develop a greater awareness of the potential pitfalls of processing SEN and CP data
  • Share good practice in relation to data protection using case studies from schools we currently work with
  • Raise awareness of the retention schedules for SEN and CP data

Our CPD sessions are delivered on site with staff, so they can fully engage and ask questions that are directly relevant to school staff and their specific role. As we are experienced school leaders, we do understand the need for all roles in school, so our advice and guidance is education- and role-specific.

Whole staff sessions run for about an hour; other bespoke sessions can vary in length depending on need. Where INSET time does not allow for one of our sessions, we will provide materials for all content and keep you informed of any relevant updates.

As we don’t want to hold too much personal data, we do not hold lists of names of staff that attended courses, but we will record when school training took place and the content delivered.

We have also recently launched our online training platform. You can purchase courses for individual members of staff in our shop or use the link below to purchase group licences for your whole school. Our training platform hosts role-specific training courses including:

  • Data Protection for Education Staff
  • Data Protection for Child Protection Leads
  • Data Protection for Governors/Trustees (maintained schools and standalone academies)
  • Data Protection for MAT Governors/Trustees
  • Data Protection for Lunchtime, Cleaning and Site Staff
  • Data Protection for School Administrators

Courses typically take an hour to complete and can be used as annual refreshers for staff. Staff will receive a SchoolPro TLC Ltd certificate upon completion.

Please note – access to our online training platform is FREE for organisations that are signed up to our Data Protection Officer service.

Frequently Asked Questions

How often will you be onsite?

You can expect to see your DPO twice a year for routine visits (audits and training) but they will also be available whenever needed in the event of a data protection incident.

Will I get remote support when they are not onsite?

Yes, your DPO will be available via phone and email when not visiting your site. You will also have access to our online portal for reporting breaches and subject access requests, logging data decisions and downloading document templates.

What about school holidays?

Our DPOs will be available to provide support both during term-time and during the school holidays.

We provide all schools with a data sharing agreement to include necessary guarantees about data.

Data Protection Services

£890 (+ VAT) to £1200 (+ VAT), dependent on size

Annual Subscription

Full Data Protection Officer Service Comprising:

  • Access to our online Data Protection Portal
  • Annual site audit
  • Annual training (onsite or online)
  • Phone support
  • Data processor compliance checks
  • Breach and subject access request support
  • Support for document writing including policies, privacy notices and DPIAs
  • Named contact person

£590 (+ VAT) to £890 (+ VAT), dependent on size

Annual Subscription

Core Data Protection Officer Service Comprising:

  • Access to our online Data Protection Portal
  • Biennial site audit
  • Annual online training
  • Phone support
  • Data processor compliance checks
  • Breach and subject access request support

£450 (+ VAT)

Annual Subscription

Remote Data Protection Support Service Comprising:

  • Access to our online Data Protection Portal
  • Annual online training
  • Breach and subject access request phone support

From £350 (+ VAT)

One-Off Payment

Onsite Data Protection training to suit the needs of your school, college, MAT or other education organisation. This could include one of the following:

  • Annual Data Protection refresher training for all staff.
  • Data Protection Training for leadership teams.
  • Data Protection Training for MAT central teams.
  • Data Protection Training for Data Protection Leads.
  • Data Protection Training for Governors/Trustees.

£550 (+ VAT)

One-Off Payment

Data Protection Audit against the ICO’s accountability framework including:

1 – Leadership and Oversight
2 – Policies and Procedures
3 – Training and Awareness
4 – Individuals’ Rights
5 – Transparency
6 – ROPA and Lawful Basis
7 – Contracts and Data Sharing
8 – Risks and DPIAs
9 – Records Management
10 – Breach Response and Monitoring

The audit produces a RAG-rated development / action plan against expectations in each of these areas.

If you’d like to discuss how we can provide you with a Data Protection Officer, arrange a conversation with us today.