Breaking news: ICO Audits 360 schools. But all get “F” for fail.

[ BREAKING NEWS: ] 360 schools have been audited by the Information Commissioner’s Office (ICO). Unfortunately, not one of the schools was able to secure an “excellent” compliance rating under the General Data Protection Regulation (GDPR).

Which is worrying, to say the least.

The ICO audit looked at the principles underlying GDPR: governance and accountability, data sharing, training and awareness, requests for personal data and portability.

These principles are at the heart of Data Protection and GDPR compliance. Failure to provide these translates into an “F” for failure to be GDPR compliant.

The best rating achieved by any school in this set of 360 was only ‘reasonable’, while many scored only ‘limited’ for GDPR compliance.

GDPR has been legally enforceable since 2018.

At the outset in May 2018, some schools took positive steps towards compliance, but since the media attention died down there has been little progress.

Many of the schools that failed seem to lack a full understanding of their role and of their legal obligations to protect sensitive data, thus putting themselves and their students at risk.

Data breaches and hacking are unfortunately a reality in today’s world. Following the correct Data Protection systems and procedures is essential. Some of the schools graded ‘inadequate’ have become the subject of small fines.

Better understanding, a stronger corporate and school culture, and training for staff at the ground level are needed for full and accurate GDPR compliance.
Putting the policies, procedures and systems in place is not enough on its own to ensure GDPR compliance.

Training staff who are handling data at the ground level is a necessity, to ensure that everything is implemented properly.

Compliance should be understood as an ongoing process, so regular audits of the processing activities and ensuring staff understand their obligations are crucial.

Around 380 schools in MATs have been inspected. Unfortunately, no disposal or data processing and storage policies are defined in most of these.


The ICO checks for proof of compliance in the form of policy documents, archival consent data and more. Little is being done to provide it.

The danger of a data breach is real. The risks are huge, with fines landing daily.

So perhaps it’s time to assess whether you and your school are truly prepared.

Feel free to speak to an expert Data Protection Officer.
