School GDPR Audits and Health Checks

We have years of experience carrying out data protection audits and health checks in schools, both pre and post GDPR.

Our methodologies have been honed by our specialist lawyers to efficiently capture information about how your School handles personal data. This allows us to give you a clear picture of how compliant you are with the law.

The aim of the GDPR audit or health check is to determine and assess your organisation’s level of compliance with the requirements of the UK Data Protection Act 2018 and the European General Data Protection Regulation (GDPR). If you carry out electronic marketing then we will also measure your compliance with the Privacy and Electronic Communications Regulations 2003 (or PECR).

        • Carried out by a data protection solicitor, experienced in school audits
        • School-specific audit methodology used so the process is completed quickly and efficiently
        • All types of schools including independent schools and MATS
        • Output is protected by solicitor-client confidentiality, so your business information is protected
        • Built to efficiently assess your level of compliance with GDPR, UK Data Protection Act and PECR
        • Includes a detailed, confidential and legally privileged report that describes areas of non-compliance
        • Executive summary ideal for your Governing Body
        • We make recommendations (if necessary) to rectify non-compliance and grade them in terms of urgency
        • Scope of the exercise is agreed with you in advance, so you control the costs

A prerequisite of any successful audit plan is getting to know your School structure and how you operate. This will help us glean a clear and accurate picture of the flows of personal data into and out of your organisation and the purposes for which that data is being processed. High risk areas, such as development, fundraising, BYOD, IT, Safeguarding data etc. will be scrutinised. At the end of the exercise you can be confident of your position relative to the legal requirements and what changes, if any, we recommend.

We have worked closely with the education sector for many years and carried out many data protection audits. This means we are already familiar with the main ways in which a School processes personal data and the “tripwires”. This makes for a more efficient exercise, allowing us to quickly get to the heart of your risk profile.


Which is more appropriate for us, a data protection audit or a data protection health check?


This depends on a range of factors such as your perceived level of current risk, budget and how bespoke the exercise will be.

Our Data Protection Health Check involves a high-level but thorough review of critical areas that engage GDPR. The scope, depth and duration (and therefore also the cost) of a health check are less than those of a full audit. However, even though an audit typically costs more, we always agree audit fees in advance, so you remain in control of costs.

A GDPR audit is a more comprehensive review of processing operations in School. Typically, the audit involves between 7 – 12 days' work, which includes around 2 – 4 days onsite at School interviewing key staff and around 5 – 8 days pre/post audit work off site for the auditor.


If your School is a member of the Independent School Bursars Association (ISBA), please visit here for more information about the ISBA-iLP School Data Protection Health Check. Or if it’s a full audit you need, please get in touch to discuss your requirements and for a quotation.


For more information, including a table that clearly sets out the key differences including costs, please get in touch. We look forward to talking with you.

For more detailed information please contact us. If your query is urgent you can contact us by telephone on 01386 793632 or email