Have you appointed a new Data Protection Officer (DPO) recently? Or are you mindful that your school’s data estate needs a bit of attention? Helen Burge offers some advice on how to put your practices under the microscope
There’s a great quote by John Perry Barlow – “Relying on the government to protect your privacy is like asking a Peeping Tom to install your window blinds”. Stakeholders are relying on your school to protect their privacy. Is your school taking that role seriously, or are your policies, practices and culture letting the peeping Toms in?
An internal data protection audit might be just the event you need to give you and your trustees assurance, to identify gaps, mitigate risks and strengthen the school’s digital resilience. The audit can act as a positive trigger to kick your data estate into shape; it shouldn’t be feared but welcomed.
Whether you’re gearing up for a scheduled audit or embedding continuous improvement, here’s how to prepare with confidence and clarity. Even if you can’t fine-tune everything as you would like before the audit, you can at least make sure you know where the documents likely to be reviewed are kept.
Step 1. Clarify the scope and objectives
Start by agreeing with the scrutineer what the audit will cover – pupil records, staff data, third-party systems, governance, policies and operational practices – then set clear objectives. These could include:
- Assess compliance with statutory requirements
- Evaluate the effectiveness of current controls
- Identify areas for improvement or training
- Provide assurance to governors and trustees
- Check that any previous audit recommendations have been implemented
A well-scoped audit ensures findings are actionable.
Step 2. Take a sneaky look in the microscope
Before auditors arrive, revisit your core documentation:
- Data Protection Policy: Is it up to date and tailored to your school’s context?
- Privacy Notices: Are they accessible, age-appropriate, and reflective of current processing activities? Do they cover pupils, parents/carers, employees, candidates, lettings, trustees, volunteers and visitors?
- Information Asset Register: Does it record every asset, system and application used to process or store personal data across the school? A complete register lets you check that each high-risk asset has a DPIA in place.
- Records of Processing Activities (ROPA): Do they accurately map out what data you collect, why, and how it’s handled?
- Data Protection Impact Assessments (DPIAs): Are they completed for high-risk processing, such as biometric data or surveillance systems?
- Third Party data processing agreements: Do these align with your privacy notices and policies; do you have one in place for all those third parties processing data on the school’s behalf?
- Retention schedules: How are they shared with staff? How do you know they’re being followed?
- Data breach log: Does every logged breach have an outcome and lessons learned recorded?
- Training records: For all staff, as well as the specialists within your school.
Ensure these documents are version-controlled, reviewed regularly, and easily retrievable.
Step 3. Check accountability structures
Auditors will look for evidence that data protection is embedded in leadership and decision-making:
- Is there a named DPO with appropriate expertise and job description?
- Is the school registered with the Information Commissioner’s Office (ICO)?
- Is data protection on the risk register?
- Are governors and trustees receiving regular updates on data protection risks and incidents?
- Is there a clear escalation process for breaches or concerns?
Consider creating a simple governance map or dashboard to show how responsibilities are distributed and monitored.
Step 4. Test operational controls
Policies are only as strong as their implementation. Review how data protection is practiced on the ground:
- Are all staff trained and confident in handling personal data?
- How do you record staff training on the General Data Protection Regulation (GDPR) and cyber security, and how do you catch up staff who were off sick, on maternity leave, or are new starters?
- Are secure systems in place for storing and transmitting sensitive information?
- Are retention schedules followed, and is data disposed of securely?
Spot checks, walkthroughs, and conversations with staff can help validate your procedures. Offer a safe place for old memory sticks to be collected, no questions asked!
Step 5. Assess Third-Party risks
Review your register of third-party processors. Do you have:
- Contracts which include data protection clauses
- Due diligence evidence before onboarding new suppliers
- Data sharing agreements in place for all organisations you share data with, and are they referenced correctly in the relevant privacy notices?
Step 6. Review Data Breach incident logs
Even with strong controls and everyone trying their best, breaches can happen. Be ready to demonstrate:
- A clear incident response plan
- A log of past breaches and lessons learned
- Communication protocols with the ICO and affected individuals, including how you meet the 72-hour deadline for reporting a notifiable breach to the ICO from the point you become aware of it
This shows maturity in risk management and a commitment to transparency.
After the dust has settled – turning Scrutiny into Strategy
An internal audit shouldn’t be a one-off event, but another tool to help shape your data estate. Use the findings to:
- Update your risk register and action plans
- Inform staff training and CPD priorities
- Refine governance reporting to include data protection metrics
- Benchmark progress year-on-year
By treating scrutiny as a strategic lever, school business leaders can drive continuous improvement and build a culture where data protection is everyone’s responsibility.