School GDPR Audit Template: Review Your Data Protection Compliance

UK GDPR compliance for schools is not a one-time exercise — it requires ongoing review as the school's data processing activities evolve. New EdTech tools are adopted, staff change, pupils move through the school, and the ICO's enforcement guidance develops. This audit template helps schools and their DPOs conduct a structured annual GDPR compliance review, identifying gaps and building the evidence trail that the ICO would expect to see in any investigation.

ICO investigations of UK schools most commonly arise from ransomware attacks, unlawful data sharing, missing DPAs with EdTech vendors, and failure to report breaches within 72 hours.

Section 1: Governance and DPO

The foundation of school GDPR compliance is the correct governance structure.

  • [ ] DPO appointed — named individual with appropriate expertise and independence. Evidence: DPO appointment document; DPO contact published on school website.
  • [ ] DPO registered with ICO — school registered as data controller; DPO details notified to ICO. Evidence: ICO registration certificate.
  • [ ] Privacy notice published — school privacy notice on website covering pupil, staff, and parent data. Evidence: URL of published privacy notice; date of last review.
  • [ ] Data protection training — all staff (including new starters) have received data protection training. Evidence: training records with completion dates.

Section 2: Record of Processing Activities (ROPA)

The ROPA is the backbone of GDPR compliance — it must document all personal data processing.

  • [ ] ROPA exists and is current — all processing activities documented including new EdTech tools. Evidence: ROPA document with review date.
  • [ ] Legal bases documented — each processing activity has a recorded legal basis. Evidence: ROPA with legal basis column completed.
  • [ ] Retention schedules — retention periods documented for all data categories. Evidence: retention schedule; evidence of deletion process for expired data.
  • [ ] Special category data identified — health, SEN, safeguarding, and biometric data specifically documented with enhanced protections noted.

Section 3: EdTech Vendors and DPAs

Every EdTech vendor processing pupil data must have a signed DPA.

  • [ ] Vendor register — complete list of all EdTech and other vendors processing school personal data. Evidence: vendor register.
  • [ ] DPAs in place — signed DPA with every vendor processing pupil or staff personal data. Evidence: DPA log with dates; copies of signed DPAs.
  • [ ] International transfers documented — vendors storing data outside UK/EEA have adequate transfer mechanisms. Evidence: ROPA notation; transfer mechanism documentation.
  • [ ] Vendor security assessed — evidence of security due diligence for significant vendors. Evidence: security questionnaires; vendor certification records.

Section 4: Breach Readiness

Schools must be ready to detect and respond to personal data breaches, and to notify the ICO of reportable breaches within 72 hours of becoming aware of them.

  • [ ] Breach procedure documented — staff know how to report a suspected breach. Evidence: breach procedure document; staff briefing records.
  • [ ] ICO notification process — DPO knows how to make an ICO notification and has ICO account access. Evidence: ICO account details; breach procedure including ICO portal reference.
  • [ ] Breach register maintained — log of all data breaches and near-misses, including those not requiring ICO notification. Evidence: breach register.
  • [ ] Previous notifications reviewed — any past ICO notifications and outcomes reviewed to ensure recurrence is prevented.

Frequently Asked Questions

How often should schools conduct a GDPR audit?

Annually as a minimum, with interim reviews when significant changes occur — new EdTech tools, network changes, staff data processing changes, or following a security incident or near-miss. The annual audit should be conducted by the DPO (or with the DPO's involvement) and the results should be reported to the governing body. Schools that have previously identified gaps should review progress on remediation at each interim check.

Who should conduct the school GDPR audit?

The DPO should lead or be closely involved in the annual GDPR audit. For schools with an external DPO service, this is typically included in the service scope. The IT lead, business manager, or headteacher should participate in sections covering EdTech vendors, breach procedures, and data security. The audit outcome should be reported to the governing body.

What happens if we find gaps during the audit?

Gaps found during an internal audit are an opportunity to remediate before the ICO does — treat them positively. Document each gap, assign a responsible person and a deadline for remediation, and track progress. If a significant gap is found — such as a large volume of data sharing without DPAs — prioritise remediation and document the steps taken. An audit that finds and fixes gaps demonstrates a functioning compliance programme, even if it was previously imperfect.

Get a GDPR audit for your school from Kyanite Blue

Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.
