The GDPR contains new provisions intended to enhance the protection of children’s personal data

What GDPR means to you

What are the specific challenges to your sector?

How we can help

Achieve Compliance with the GDPR123 Framework

Want more information?

Contact us to discuss your specific business requirements

Specialised GDPR services for Children’s Services and the Education Sector


The GDPR contains specific rules designed to strengthen the protection of children’s personal data. It restricts the age at which data subjects can lawfully give consent, introduces rules for the language used in consent requests targeted at children and regulates the way online services obtain children’s consent.

There are several child-specific provisions in the GDPR, particularly in relation to grounds for processing and notices. These include:

  • Children are identified as “vulnerable individuals” and deserving of “specific protection”.
  • If services are being offered directly to a child then privacy notices and other related information must be written in a clear, plain way that a child will easily understand.
  • Where online services are provided to a child and consent is relied on as the basis for the lawful processing of his or her data, consent must be given or authorised by a person with parental responsibility for the child. Children cannot give consent themselves. Organisations must also make “reasonable efforts” to verify that the person providing that consent is indeed a parental figure. In the UK this requirement applies to children under the age of 13, although this differs across the EU member states and in some it applies to children under the age of 16.
  • Data controllers don’t however need to seek the consent of parental figures when the processing is related to preventive or counselling services offered directly to the child.

Most consent requests for children are likely to be for online services. The GDPR says the reason for these child-specific rules is because children “may be less aware of the risks, consequences and safeguards” of handing over their personal details. This is particularly the case with services offered directly to a children, and when their personal data is used for marketing purposes and creating online profiles.

Schools and other Education Organisations:

Arguably the most important aspect of GDPR for schools is the provision for processing the personal data of children, considering they are identified in GDPR as ‘vulnerable individuals’ and deserving of ‘specific protection’.

Under GDPR, Schools are considered ‘Data Controllers’ and therefore have responsibilities and obligations for ensuring the information held on individuals is handled correctly and is secure to protect individuals from having their data disclosed to people and organisations who have no right to access that information.

The kind of data schools are likely to collect, and therefore need to be wary of, include large amounts of personal data on members of the school community. This might include names, addresses, contact details, legal guardianship contact details, disciplinary records, academic data such as class lists and exam results, professional records of employment history, taxation, national insurance records and appraisal records.

In addition to this there can be an amount of highly sensitive data that a school may hold, including health records (potentially including biometric and genetic data collected from things such as fingerprint-based cafeteria access or library authorisation), classification of ethnicity, and religious indicators.

The key decision-makers in every school need to understand the changes that are being introduced under the GDPR and how that will impact their organisation. A detailed assessment needs to be undertaken to determine what changes will be required in order to be compliant with the new laws. Policies and procedures may need to be updated and IT security systems may need to be strengthened.

Another major change for Schools and child-care organisations is that the GDPR mandates that each school will need to appoint a Data Protection Officer (DPO) and implement on-going monitoring to ensure continued compliance (unless part of a group of schools and academies run by a Trust where the Trust will need a DPO instead, or in Scotland where the Local Authority is responsible for providing DPO services to the schools.). The DPO can be a member of staff or someone from outside the organisation – there are no formal qualifications required but the DPO has to meet certain criteria, which includes but is not limited to:

  • Training staff who are involved in data processing
  • Educating the school and its staff on data security and compliance requirements
  • Conducting audits to ensure compliance and address potential issues
  • Being the point of contact between the school and the Information Commissioners Office (ICO)
  • Monitoring performance and providing advice
  • Maintaining comprehensive records of all data processing activities
  • Connecting with data subjects or parents to inform them about: how their data is being used; their rights to have their, or their child’s personal data erased; the measures in place to protect their, or their child’s, personal information

The DPO will also need to liaise with the school leadership team to consider how they interact with any other organisations – anyone they come into contact with that handles their schools’ data.

Schools ultimately are liable and will need their own strategies in place to ensure GDPR compliance.



Book your 15 minute consultation and speak to one of our experts who can evaluate your needs, and answer any queries you may have regarding the GDPR.

15 Minute Consultation Form

7 + 7 =



How we can help


GDPR123 are compliance experts who can guide you through the process of becoming GDPR compliant so that you can build client confidence, help you satisfy due diligence investigations as well as avoid fines and remedial actions imposed by the Information Commissioners Office (ICO).

  • Stage 1 Audit / Gap Analysis
    Your organization will be measured against the GDPR which will result in a Non-conformity report.  This is a clear set of instructions that explain what you need to do to become compliant.
  • Prepare a Legal Register and Documents
    Review/supply policies, procedures and plans.
  • Prepare a Due Diligence Pack
    Quickly turn around and satisfy Due Diligence enquiries.
  • Cyber Insurance Review
    We will ensure you have the right level of cover in place.
  • Review Web Operations
    This includes Web-based forms to ensure they obtain appropriate and affirmed consent as well as ensuring they are unambiguous.
  • Training and Awareness
    With 8 in 10 data breaches resulting from Human Error they GDPR requires organization to implement appropriate organisational measures to ensure the safeguarding of PII (Personally Identifiable Information).  This includes appropriate levels of awareness training.
  • Dealing with Brexit
    We understand the implications of Brexit and will advise you accordingly as the various stages of Brexit are implemented.
  • 72 Hour Breach Notifications
    It is important to have an appropriate and tested plan in place for data breaches.  Failure to have this in place can attract a penalty of between 2% of your global turnover or 10,000,000 Euro, or 4% of your global turnover or 20,000,000 Euro.  The fines are calculated to whichever is the greater and are purposely designed to be dissuasive.
  • Handle SARs (Subject Access Requests and Rights Requests)
    GDPR gives Data Subjects human rights in terms of their Data and with this comes their right to request the Data Controller or Data Processor to undertake certain actions.  Failure to respond to a request in time is a breach if their rights and is taken very seriously so you need to be prepared.
  • Determine and Appoint/Act as a DPO Data Processing Officer
    In some cases a DPO needs to be appointed.  We will help you determine if you need a DPO or make a recommendation if it would be advisable.

Search All Sectors


Other Sectors


Financial Services
Trade Associations
Marketing / Telesales
Charities / Non-Profit
Child Services / Education
Retail / E-commerce