Fewer than half of UK schools think they are GDPR compliant

Research from RM Education and Trend Micro shows that only 48% of UK schools and colleges believe they are fully GDPR compliant

New research has revealed that fewer than half of schools and colleges in the UK believe they are fully compliant with GDPR statutes.

The research, carried out by RM Education and Trend Micro, shows that only 48% of respondents from schools and colleges across the UK stated that they believe their institution to be fully GDPR compliant.




Legacy systems were stated as a core challenge by 23% of respondents, with 46% citing security awareness, and 31% a lack of financial investment.

In terms of safety, 77% of respondents stated they were confident that their school or college was as secure as it could be against a data breach. However, only 71% of schools had a formal data breach response plan in place.

Steve Forbes, principal product manager at RM Education, said: “One surprising finding is that 91% of schools and colleges surveyed stated that they knew where all their data resides.

“Schools and colleges process large quantities of data on their pupils, staff and suppliers, and it’s likely that data is in more places than perhaps thought.”


The research does suggest, however, that schools and colleges are taking GDPR seriously and that significant steps have been taken to work towards ensuring compliance.

Of those surveyed, 97% had updated their policies, 89% had increased staff training, 85% had hired a DPO (data protection officer) and 83% had carried out a data audit.

However, there is some confusion about who should be responsible for GDPR compliance, and 38% of respondents reported an increased IT spend as a result of becoming GDPR compliant.

Forbes said: “60% of those surveyed said final responsibility for GDPR sits with the principal or head teacher, 42% said the responsibility also sits with the DPO, and 31% said responsibility also lies with the head of IT.




“GDPR compliance does not sit with one role alone; and the responsibility for compliance is shared.”

In terms of the biggest threats to data, 75% of respondents cited accidental loss by staff, and 19% said cybercriminals.

The full report can be found at rm.com/GDPR-in-schools