One year on from the implementation of the General Data Protection Regulation (GDPR) and The Information Commissioner's Office (ICO) has begun to step up its scrutiny of data protection policies and procedures at Multi-Academy Trusts (MATs).  

Furthermore, from the recent audit reports published on the ICO's website, it's clear that they're hoping to find very high levels of good practice, required by GDPR under the 'Accountability Principle'.

Novatia: GDPR & cyber-security -aerial table

At the moment, these audits are being deemed 'consensual' or voluntary. In fact, the ICO states, in a number of audit reports for Academy Trusts found on its website, that it is "a constructive process with real benefits for controllers" to help provide an independent assurance of the extent of compliance,

So how prepared is your Academy Trust and its schools?  Is it fully compliant with both the Data Protection Act 2018 (DPA18) as well as GDPR?

Academy Trusts & Schools FREE  Data Audit Guide

The scope of the ICO's consensual audit follows a participative approach and includes a number of phonecalls and onsite visits. The areas the ICO focus on include:

  • Governance & Accountability
  • Data Sharing
  • Training & Awareness

Novatia has worked with over 250 schools and MATs; our data experts recognise just what types of issues and opportunities clients face with the processing of personal data under current legislation.

One thing we cannot stress highly enough is that GDPR and Data Protection is an ongoing requirement.  The ICO will be looking for strong evidence that data, both in digital and paper form, is being collected, handled and used efficiently and in accordance with legislation.  It will expect to see this assertion embedded in both your Trust's governance and operational practices.

Novatia: Tech-led 'Education Revolution' class

It's also worth noting that even if your Trust was able to demonstrate compliance last year, since then have there been any:

  • organisational changes
  • GDPR refresher training 
  • ongoing support & development for Data Protection Officers (DPOs) 
  • new technologies & systems 
  • data breaches
  • changes in third party data processors

Data protection is a continuing process. The ICO recommends a review of data processes is undertaken regularly. Policies and internal procedures need to be constantly revised with staff made fully aware of their responsibilities and obligations. To download the ICO's recent Guide to ICO audits click here

Advice from an external advisor can send a clear message that you are serious about data protection. It can help make certain any entrenched practices are not overlooked and ultimately provide peace of mind that your whole school community is safer with more secure data processes.

If you have been contacted by the ICO, or simply want to make sure you are ready for an audit, please get in touch. We offer a FREE initial 30 minute phone consultation and would be happy to share our expertise.

 Visit:  Email:  Call: 01962 832632


  • Email