7 GDPR Tips You Need to Know

March 7th, 2018

You will no doubt be aware of the upcoming General Data Protection Regulations (GDPR), which come into effect on 25 May 2018.

Octavo have come up with 7 simple steps to ensure you are on the right path to be compliant:

  • Make sure all staff are aware of the regulations
  • Understand where your personal and sensitive data is kept (see below for a description of personal and sensitive data)
  • Understand whether you are a data controller or a data processor (see below for description)
  • Make a list of who has access to the data
  • Clarify what relationships there are regarding the data, e.g. you may have SIMS and use another tool to extract information
  • Do your research – make sure any third party companies you use will be GDPR compliant by 25 May 2018
  • Please remember that it is the data controller that makes the contract with the data processor. This means the controller must set out how they wish the data to be processed.

Important Definitions

Personal data

This is the definition taken from the European Directive:

‘Personal Data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Sensitive data

  • Racial or ethnic origin
  • Political opinions or persuasions
  • Religious beliefs or other beliefs of a similar nature
  • Trade Union membership or affiliation
  • Physical or mental health or condition
  • Sexual life
  • Commission or alleged commission of offences
  • Any proceedings for any offence, committed or alleged, including any sentencing decisions made by the Court

Data Controller

A person who determines the purpose/manner in which any personal data is processed.

Data Processor

A person who processes the data on behalf of the Controller.


Octavo will be integrating advice and support on GDPR-related issues within all the work we carry out in schools.

We are not planning to offer a ‘standalone’ Data Protection Officer service. Instead, our recommendation is to select a Board member / Governor / School Business Manager / Company Secretary / LA representative who has sufficient independence from the school to be able to provide an independent perspective. This is likely to mean collaborating with another school, and we would be pleased to support our SBM forum members in this role for each other’s schools.

For more information and guidance visit ico.org.uk.