The 10 things you need to know to adapt to the new gdpr data protection regulations

This decalogue is dedicated to the teaching staff and management and administrative staff of the schools and institutes of Barcelona. Its main objective is to clearly present the requirements that the new data protection regulations impose on schools with regard to the processing of students’ personal data, as well as to propose specific measures and examples to help guarantee their protection and compliance. These proposals are based on the empirical study Entorns Segurs (Safe Environments) developed by Eticas, and which has had the support of Barcelona City Council.

1. Create a data protection culture

Proactive responsability

It is necessary for the school to have a Proactive Responsibility attitude towards data protection, this means a conscious, diligent and systematic attitude towards all kind of processing of personal data that is carried out. The school must be able to demonstrate compliance to data subjects and to the Data Protection Authority. In order to achieve it, the following steps must be taken into practice:

Mapping the data

Do a self-assesment exercise (or ask for helpof all student’s personal data that is being collected and processed by the school, with an emphasis on:

  • Origin of data (families, students, other Educational departments, or generated by the school)
  • Management or operations in which the data are used
  • Stakeholders (pupils, parents, teachers, educational community)
  • Tipology (academic, family, image, etc.)

With the study Safe EnvironmentsEticas identified four types of data systems in schools:

  1. MANAGEMENT TECHNOLOGIES, such as data management software or e-mail services managed by school boards and public administration.
    For instance: Clickedu, Esemtia
  2. PHYSICAL TECHNOLOGIES or monitoring systems, which are systems used for security and control purposes, such as biometric identification systems or CCTV (closed-circuit television).
  3. EdTech, that means technologies dedicated to education and pedagogy, e.g. personalised applications or learning management systems.

    For instance: Moodle, Google Apps for Education (Google aula, Google Docs)

  4. PERSONAL DEVICES used by students, such as smartphones, personal computers or tablets.

  5. SOCIAL MEDIA: Twitter, Instagram, Facebook and YouTube for communicating school activity, and messaging applications, particularly WhatsApp. 

Assesses the risk

Make an assessment of the risk that the processing of these data may generate, taking into account the short-, medium- and long-term implications for children.

  • What would happen if this data were leaked?
  • Can the data we have negatively impact the lives of our students in the future?
  • Do we have all contracts in place in relation to data protection?

Take appropriate measures

After assessing the risk, the concrete measures to be implemented should take into account the nature, scope, context and purposes of the processing, as well as the risk to the rights and freedoms of individuals. It must be possible to demonstrate compliance to data subjects and to the Data Protection Authority.

An example of such measures is the limitation or removal of the use of personal information (students’ facial images, names, etc.) of school’s profiles on social media such Instagram, Twitter or Facebook 

2. Data protected by design

Integrate privacy into management systems

The Regulation introduces the concepts of privacy by design and privacy by default. This implies that the controller has to apply, both at the time of determining the means of processing and at the time of the processing itself, appropriate technical and organisational measures designed to effectively implement the data protection principles (e.g. pseudo-anonymisation), and integrate the necessary safeguards in the processing to meet the requirements of the Regulation.

The controller should also implement appropriate technical and organisational measures to ensure that, by default, only personal data necessary for each specific purpose of the processing are processed.

Example: When designing an application for school use, the first thing to do is to assess how it affects students’ privacy and thus to design it with the highest level of protection. In other words, a high level of privacy protection for pupils must be guaranteed from the design stage and by default.


The creation of a secure environment for students’ personal data encompasses both technical and data management aspects.

  • In technical terms, it is important that you ensure that access to school computers and devices is restricted by strong passwords (and updating them), such as by shuting down computers and other devices whenever they are in use.
  • In terms of administrative planning, the Safe Environments project found significant deficiencies in the definition of the retention period of data by schools and in terms of its proper disposal. Although the school is obliged to keep some data, in order to be able to communicate with pupils in the future, personal data should be deleted once they are no longer needed. The Education Department recommends that personal data should be kept as long as it is used for their initial purpose, which means that once their function has been carried out, the data should be deleted.

3. Safeguarding sensitive data

Be particularly rigorous in collecting and processing data that reveal:

Ethnic or racial origin

Opiniones políticas

Religious or philosophical convictions

Genetic data

Trade union affiliation

Sexual life or orientation

Health data

Biometric data

The proportionality of collecting certain data, such as biometric information from students, should be assessed in relation to the risk it poses to their security given its ability to identify individuals. For example, in the case of collecting fingerprints, the functional necessity of these personal identifiers should be analysed and possible alternatives that could achieve the same functionality should be evaluated.

4. Ask yourself “why we collect data?”

The principle of purpose limitation

Data should be collected for specified, explicit and legitimate purposes and should not be further processed in a way incompatible with those purposes. Further processing of personal data for archiving purposes in the public interest, for scientific and historical research purposes or for statistical purposes is not considered incompatible with the initial purposes.

In this regard, the same Organic Law 2/2006, of 3 May, on Education (LOE) states that the information collected by schools in the exercise of their educational function must be strictly necessary for teaching and counselling purposes, and may not be processed for purposes other than education without express consent.

Use / Purpose: It is important to know the purpose of the information processing in order to be able to judge the legitimacy of the processing and the proportionality of the measures taken. The question of purpose should be seen in relation to Article 6 of the GDPR. As a fundamental criterion, the strictly educational use of the data to be collected and used must be taken into account.

5. Collect the minimum and accurate data

Data minimisation principle

The data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. The data to be collected should be carefully reviewed to ensure that only data that are necessary to achieve the intended purpose are collected in accordance with this principle.


The data must be accurate and, if necessary, updated; failure to update personal data may affect the academic management itself or may even lead to improper disclosure of data to third parties.

6. Always ask for consent

In cases where data need to be processed for purposes other than teaching and guidance, such as the publication of photographs on the school’s website, or the provision of data to holiday camps, museums or other establishments visited, the consent of the data subject, or his or her representative in the case of minors, is required. This expression of consent must be:

  • Free: the individual should have the possibility to freely refuse the processing of his or her data.
  • Specific: consent relates to specific processing operations and for a specific, explicit and legitimate purpose of the controller, without the possibility of generic authorisations.
  • Informed: data subjects must be informed so that, in advance of processing, they are aware of the existence and purposes of the processing.
  • Unequivocal: the request and the granting of consent must be clearly stated.


CHILDREN UNDER 14 YEARS OF AGE: Parental or guardian consent is required.

OVER 14 YEARS OLD: They will be able to consent for themselves.

As more and more technological tools are used by schools to collect, process and disseminate data, care must be taken with regard to the privacy conditions offered by each of them. A specific and complete consent form must therefore be provided for each tool used to process children’s data.

7. Appointment of a data protection officer

Public, private and charter schools are obliged to appoint a data protection officer. (DPO). The data protection officer may be a member of staff or act on a contractual basis. The data protection officer of a school may also be the data protection officer of other schools, or different schools may have the same data protection officer for all of them.

He/she has, inter alia, the tasks of informing and advising the school or the operator and the employees, monitoring compliance with the rules or being the school’s interlocutor with the Data Protection Authority. The DPO should be appointed on the basis of his or her professional qualifications and, in particular, knowledge of data protection law and practice. This does not mean that the DPO should have a specific qualification.

  • RECOMMENDATION: Defines and updates the strategy and data responsibility roles within a Plan TAC, in which a TAC Coordinator is appointed.

8. Share responsibilities

Involvement of third parties in data processing

Apart from data collection and processing tasks within the school context, schools may commission third parties or entities to process personal data or to carry out an activity involving the processing of data, such as canteen service or after-school activities.

In this sense, in the Safe Environments project we have found drawbacks for student privacy with the outsourcing / contracting of services. It is very important that school authorities define clear requirements and objectives in contracts they may agree with third parties, such as publishers or other companies/associations that are working for the school. These organisations, which usually act as information processors, should have limited powers to manage students’ personal data and will put in place security measures to ensure the safe use of this data. It is also recommended that the conditions of these services with regard to the administration of personal data (type of data to be processed and specific purposes) be part of the consent forms to be signed by the parents of the pupils.

It is necessary for the controller (the school) to ensure that the processor implements the necessary protection measures.

Data controller

Natural or legal person, public authority, service or other body that alone or with others determines the purposes and means of the processing. In public schools, the Departament d’Ensenyament (Education Department of the Catalan Government) will establish who is responsible for the processing. In public schools, the school itself is the data controller.

Data processor

Natural or legal person, public authority, service or other body processing personal data on behalf of the controller. The controller must choose a processor who provides sufficient guarantees regarding the implementation and maintenance of appropriate technical and organisational measures, in accordance with the GDPR, and who ensures the protection of the rights of the data subjects. Therefore, there is a duty of care when choosing the person in charge, which is managed through a contract.

Consult the guidelines for the drafting of contracts between controllers and processors drawn up by the Spanish Data Protection Agency.

9. Analyse risks before collecting data

Reflective practice exercise

Before collecting and processing data, a reflective practice exercise must be carried out and the risks involved in each treatment must be evaluated to determine whether the implemented measures are correct or new ones must be implemented. Steps to follow: 

  • Identify threats (for instance, non authrorized access to personal data)
  • Assess the likelihood of the risk ocurring
  • Assessing the impact on the people concerned


If a data security breach occurs, the controller must notify the supervisory authority without undue delay and, if possible, within 72 hours at the latest. In case of problems with sensitive data, school authorities should also notify the parents of the pupils.

10. Guarantees students' rights

The school should provide information on the rights pupils have over their personal data and ensure that they can be exercised:

Access Right

The data subject has the right to know whether the controller processes his or her personal data and, if so, has the right to access and obtain such information.

Right of Rectification

The data subject has the right to rectify inaccurate personal data and to have incomplete personal data completed.

Right of Deletion or the Right to be Forgotten

Data subjects have the right to obtain the erasure of data (“right to be forgotten”), when the data are no longer necessary for the purpose for which they were collected; the consent on which the processing was based is revoked; the data subject objects to the processing; the data have been processed unlawfully, among others.

Right to Restriction of Processing

Data subjects can limit the way that an organisation uses their data. This is an alternative to requesting the erasure of their data. Individuals have the right to restrict the processing if they have a particular reason for wanting the restriction and that doesn’t causes an essential conflict with the provision of the service or activity linked to this data processing.

For further information on citizens’ rights, see the following infographic from the Spanish Data Protection Agency

Further readings

Stay informed

Elaborada por la Agencia Española de Protección de Datos

Elaborades per l’Agència Catalana de Protecció de Dades

Manuales, vídeos y guías especialmente para menores de la Agencia Española de Protección de Datos

Federación de Asociaciones de Madres y Padres de Alumn@s de Catalunya. Novedades sobre protección de datos y cómo afectan a las AFA