Are you prepared for the GDPR?

Commercial Article

27 September, 2017

The General Data Protection Regulation (GDPR) will come into force in the UK from 25 May 2018 and will apply to all 'controllers' and 'processors' of 'personal data'. The education sector holds vast amounts of personal data relating to its employees, students and pupils who are processed into the system, amongst others who are contracted through the schools. It is advisable to become familiar with these provisions at an early stage.

The GDPR's underlying principle is to elevate the significance of transparency between the individuals and the data controllers/processors. The GDPR creates some new rights for individuals and strengthens some of the rights that currently exist under the DPA. The GDPR provides the following rights for individuals:

  1. The right to be informed - transparency over how personal data is to be used.
  2. The right of access - If an access to personal data request is made, this must be provided free of charge. There are exceptions where a 'reasonable fee' can be charged i.e. where the request is excessive or repetitive.
  3. The right to rectification - there is a right to have personal data rectified where it is inaccurate or incomplete. You must also inform third parties to whom personal data has been provided of the rectification where possible.
  4. The right to erasure - otherwise known as the "right to be forgotten" which allows an individual to request the deletion and removal of personal data where there is no compelling reason for its continued processing.
  5. The right to restrict processing - the restriction/block/suppression of processing personal data is similar to the rules under the DPA.
  6. The right to data portability - allowing an individual to obtain and reuse their personal data for their own purposes across different services.
  7. The right to object - an individual may object to processing of personal data on "grounds relating to his or her particular situation."
  8. Rights in relation to automated decision making and profiling - safeguards individuals against the risk that a potentially damaging decision is taken without human intervention.
  9. Explicit consent -explicit consent must be sought from the individual, where necessary, and they must understand that they have the right to withdraw this consent at any time.
  10. Reporting requirement - the GDPR requires that any breach is reported within 72 hours of becoming aware of it to the supervising authority. Failing to notify within this time frame could result in a fine of up to 10 million euros or 2% of your global turnover.

Ultimately HR policies and procedures, existing contracts and privacy notices will need to undergo a thorough review in relation to data protection to ensure that personal data is being processed within the boundaries of the GDPR within any educational institution.

Overall, employers should be thinking about:

  • Keeping a clear record of data processing activities, including consideration of whether it is necessary to obtain consent in certain circumstances and if so, how and when consent was obtained;
  • Procedures to ensure compliance with the strict 72 hour reporting requirement so as to avoid any hefty fines; and
  • Consider what training employees will require to ensure that they are aware of the GDPR and how to comply with the rules to ensure that the risk of breach is reduced, to mitigate consequences if there is a breach and to ensure employees are trained properly to perform their role.

If you are looking for any more information with regards to our services view our Education section. You can also contact Ruth Rule-Mullen in our Education department via email or phone on 01772 220195. Alternatively send any question through to Forbes Solicitors via our online Contact Form.


04 Feb 2019



'Alexa, Buy More Stuff' - Why Convenience Cannot Trump Consumer Law

Consumer habits are changing. That should be obvious to even the most casual observer. High Street footfall…

Read the article

Your knowledge shone through and, in general, you have always shown a professionalism when dealing with any issues that we task you with.

More clients

Forbes Solicitors delivers 'fast response times' and demonstrates 'impressive industry knowledge'.

2018-19 edition Legal 500

More clients

I can honestly say I am extremely impressed with everything Forbes have done

Suzy Orr
Unique Ladies Network

More clients

Your quality of work, attention to detail, communication and general all round enthusiasm has been greatly appreciated as I have often become quite overwhelmed when reviewing them myself.

Stephen Gibson
Operations Director
Ecompli (UK) Ltd

More clients

Very thorough and precise with each contract and have made it very easy for us to feel very confident going into new territories, whether it being a different country or a different manufacturer.


More clients

Have dealt with several staff at Forbes. Always very clear, professional and approachable. Happy to recommend them and will use again.


More clients

John brings a high level of expertise which we're sure will benefit our members.

Andrew Hamilton
Training Manager
NWL Chamber of Commerce

More clients

Forbes Solicitors have acted on behalf of WEC Group Limited for many years providing advice on a range of matters including Corporate & Restructuring and Commercial Property.

Wayne Wild
WEC Group Limited

More clients

John provides practical and concise advice and support in a professional and timely manner.

Gavin Birchall
Dose Design

More clients

Thanks John, your services have been impeccable and as such I will have no hesitation to recommend both your services and those of Forbes Solicitors.

Gill Bond
GM Bespoke Events

More clients

Make an enquiry