What is GDPR? And how will it affect your family?

As of the 25th May 2018, the way the school manages all information and data will change. The current DPA (Data Protection Act) will be replaced by the GDPR (General Data Protection Regulation).

GDPR is simply a new, updated data protection regulation to be followed by schools and other organisations. The new regulation has been designed to further strengthen the safety and security of data that is held by an organisation.

Harden Primary School, as part of the Exceed Academies Trust, is committed to being transparent about how it collects and uses data in order to meet its data protection obligations under the General Data Protection Regulation (GDPR). If you would like further information and to view our policies on GDPR, please click here.

GDPR has been introduced to further ensure that personal data is protected.


GDPR is designed to do many things, of which two are most significant.

  1. It strengthens the rights of ordinary people like us, giving us back the power and control over our personal data and how it is used by those schools and other organisations to whom we provide it.
  2. It ensures that responsibility for protecting that data lies with the schools and other organisations who process it.

Pupil Privacy Notice

Pupil Consent Notice

Parent Privacy Notice


What does the GDPR include?

GDPR follows 6 key principles…


Article 5 of the GDPR requires that personal data shall be:

  1. Processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
  2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
  3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
  4. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
  5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
  6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

The differences between the DPA and the GDPR…

DPA (Data Protection Act): Only applicable to organisations based, or operating, in the UK.

GDPR (General Data Protection Regulation): Applies to ANY organisation acting as a Data Controller or Data Processor, whether in the EU/EEA or outside the EEA, that processes the personal data of EU Data Subjects. A data subject is not restricted to an EU citizen; they may also be people from outside the EEA who are, when their personal data is collected, classed as resident within the EU/EEA.

DPA: The DPA doesn’t require any organisation to have a dedicated DPO (Data Protection Officer).

GDPR: A Data Protection Officer (DPO) shall be designated when (Article 37):

  1. the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
  2. the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
  3. the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.

This means that in almost every case a school will be required to designate a DPO; however, DPOs can be shared across organisations, i.e. a group of schools could get together and appoint a single DPO.

DPA: No requirement for an organisation to remove all data held on any certain individual.

GDPR: The GDPR gives Data Subjects new and specified Rights (Chapter III), among which there is the Right to Erasure (right to be forgotten – Article 17). This means that data subjects can request the removal of all their personal data. However, this is not an absolute right, and their ‘Right’ may be overridden by another Lawful Basis (Article 6) such as a Legal Obligation to process their personal data.

DPA: Under the DPA, data collection does not necessarily require an opt-in.

GDPR: There are 6 Lawful Bases for collecting and processing personal data (Article 6): Consent, Contractual Obligation, Legal Obligation, Vital Interest, Public Interest and Legitimate Interest, of which only one need apply.

If Consent is the lawful basis relied upon, it must be explicitly and freely given by the data subject, and ‘opt-in’ must be the default setting. Data Controllers are also required to record consents.

DPA: Sets aims and requirements; however, the rules and regulations are implemented by national legislation.

GDPR: The regulation is 100% binding for all member states from the 25th May 2018.

DPA: For many organisations, breaches of the regulations do not have to be reported.

GDPR: Article 33 of the GDPR requires all data breaches that pose a ‘risk to the rights and freedoms of the data subject (natural persons)’ to be notified to the Supervisory Authority (the ICO in the UK) within 72 hours.

DPA: Parental consent for minors not required.

GDPR: Parental consent for minors is required.

Under the GDPR, the UK Government has defined the age of a child as 13 and therefore, any processing of the personal data of a child is prohibited unless ‘consent is given or authorised by the holder of parental responsibility for the child’ (Article 8). Consent must be documented.

For further information, please visit the Exceed Academies Trust website:

General Data Protection Regulations (GDPR)

Data Protection Officer (DPO):  Ruth Jarvis

Contact Telephone Number: 01274 086 490



Information Commissioner’s Office (ICO)

Contact Telephone Number:  0303 123 1113