GDPR: 7 priorities to make your #SchoolWebsite compliant

Isn’t having customers’ trust a cornerstone to good business? Isn’t that intangible relationship with customers: loyalty, trust, repeat customers, something most companies want?
— Elizabeth Denham: Information Commissioner, ICO

The General Data Protection Regulation (GDPR) is closing in! If you have not begun to understand and tackle these new regulations, time is of the essence.

For those who are unaware, the GDPR is a set of rules all European organisations must adhere to in order to keep consumer’s personal details safe while online.  

Companies and websites will need to ensure that their websites satisfy the GDPR outlines, before May 25th, 2018. This includes any organisation based outside the EU but have customers from within it (e.g. Facebook). 

Read the ICO 12 step guide for preparing for the GDPR.

To help ensure that your #SchoolWebsite meets these regulations, we have created a checklist of actions you will need to take.

[1] Do you know what data is being captured and held?

Is your website using cookies? Are you using Google Analytics or a Facebook pixel? You will need to know the data that you a capturing - regardless if is collected by yourself or by a third-party - and have these methods clearly defined.

This can be easily solved by having a privacy policy page, where this information is written. The privacy policy should state:

  • what data is captured
  • when it was captured
  • what the data is used for
  • details of any third-party tool used for data capture
  • the process for a user to request their data to be permanently deleted

[2] Do you know when and where data is being captured?

These details must be divulged to anyone agreeing to your site capturing their data.

Without understanding this, you will not be able to ensure the security of your data. Use your privacy policy to make this clear to site visitors. 

[3] Do you know how long data will be stored for?

Another factor that must be declared (ideally in your privacy policy) in order to meet GDPR stipulations. 

[4] How is the data being used and is it secure?

Understanding your data security is essential if you are to meet GDPR guidelines. You will need to fully understand how the data is being used, where it is stored and how secure the data is. 

For example - data captured with an analytics tool:

  • is data stored on a third-party platform?
  • is this platform secure (and 100% compliant with GDPR)? 
  • is the data encrypted to GDPR standards?

Another consideration is the security of your own website anywhere data is involved. An SSL certification is the minimum website requirement needed to protect stored data.

[5] Have you got full consent to capture and store data?

The above 4 checklist items are all key pieces of information that your site visitors need to be able to find out (this is where the privacy policy comes into action).

The next step is to ensure that permission to capture data is explicitly granted.

Site visitors will need to 'opt-in' to grant this permission. This means that any forms granting consent must be unchecked by default so that the visitor can actively check and confirm. 

There are two key areas where this should be addressed:

  • does your site use Cookies?

If so, you must request that visitors agree to this (most commonly seen on the home page in a pop-up window)

  • does your site use forms for contact and enquiries / subscriptions / applications?

If so, you must request that the data captured from these forms is given with consent. An 'opt-in' option must exist on the form that is mandatory (i.e. the form cannot submit without that option being checked).

[6] Is your "data officer" contactable?

As part of the GDPR people have the right to freely request access to their data. To enable this, you will need to have a plan in place for how a person requests this information.

Having someone acting as your school's "data officer" is a proactive step. Within your privacy policy, make it clear how someone can contact your data officer and ask for their data.

[7] Is the "Right to be Forgotten" process clear?

Likewise, people have the right to 'opt-out' and have all data pertaining to them removed permanently. 

The process for them to do this must be clear to them, and easily actionable from your end. 


Interactive Schools take GDPR seriously, and believe this is a great step forward to protect our privacy and digital footprint. If your would like to find out more about how we can help ensure your school website is compliant - please email