Data Protection Guidance: Toolkit for Schools

Get Compliant. Stay Compliant.

The UK GDPR and Data Protection Act 2018 provide a new opportunity for schools to review their current data protection, information security and privacy practices. We understand that schools will be at different stages in their preparation and implementation of data protection compliance. With this in mind, we have designed our guidance to provide sufficient support, outline how to implement key tasks and offer counsel for schools when considering how to achieve data protection compliance.

Understanding Data Protection Compliance

Within a school, there are all sorts of job roles that use personal data for a variety of reasons. Some staff will simply be responsible for using it responsibly; others will be making significant decisions about what data is used, how it is processed and stored, who it is shared with and how. As such, it is likely that a ‘one size fits all’ approach to staff training will not work.

Top Tip

Link data protection to safeguarding children (and child protection) when trying to get people engaged. In this way, all staff see that data protection matters in the context of pupil welfare. However, the rights of individuals are also key and can start people thinking about gaps in current practice.

GDPR Action Plan

One approach is to begin with a session to complete three columns of a table: data sent to the school from someone else (for example, a local authority admissions team), data created within the school, and data passed on from the school to someone else. This information can then be discussed and tested with staff to identify any gaps in the table and build confidence that everything is captured.

Top Tip

Make sure the people who will be using the information are consulted on the practical implications. Consider the potential future uses of the information collected, even if it is not immediately necessary.

Asset Register

Data Protection Officers assist organisations in monitoring internal compliance. They inform and advise senior leadership and the workforce on your data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs), and act as a contact point for data subjects and for the supervisory authority, the ICO. The DPO must be independent, adequately resourced, report to the highest management level and be an expert in data protection.

Compliance Direct Solutions provides the most manageable and affordable route to compliance.

Top Tip

We provide a FREE no obligation quotation specific to your individual needs. Get in touch now — available 9am to 5pm.

Penetration Testing

Our penetration tests will provide your school with:

  • A ranked list of identified vulnerabilities in priority order (point-in-time analysis)
  • The likelihood of exploitation of your current vulnerabilities
  • A series of actions or mitigating steps to resolve or reduce each vulnerability

Internal Penetration Test – This type of test is designed to simulate attacks on internal systems and networks as if performed by a malicious insider or by an external attacker who has already successfully penetrated the perimeter defences.

External Penetration Test – Our testers will mimic the behaviour of a hacker. Our aim is to identify and exploit vulnerabilities found in external-facing systems and services, such as email servers and remote access terminals.

Web Application Penetration Test – These tests are aimed at individual web applications to assess the security level and posture of the web application itself.

Vulnerability scanning – Well suited to regular and systematic testing. Low-cost, high-frequency testing that inspects the potential points of exploit on a computer network to identify areas of concern. A vulnerability scan detects and classifies weaknesses in a network and predicts the effectiveness of the countermeasures we put in place to prevent a malicious attack.

We have created a downloadable document which may be used as an informal guide. While Compliance Direct Solutions Ltd are confident the document is factually correct and adds value in achieving its aim of supporting schools to better manage data protection, please don’t use it to make a business decision without prior consultation. We will maintain it as a ‘living document’ which can be updated continually to accommodate relevant changes to the UK Data Protection Act 2018 and GDPR.

With this document CDS advise that you:

  • Implement annual, impartial data protection audits led by an external consultant.
  • Have a single point of contact (Data Protection Officer).
  • Keep and maintain an audit trail of all data protection compliance measures and safeguards.
  • Always check this page for the latest version of the document.