Home / Services / GDPR / Schools DPO
GDPR

DPO for Schools Education Sector Specialist

Specialist external Data Protection Officer services for primary schools, secondary schools, academies and multi-academy trusts. Over 80 schools supported. GDPR compliance monitoring, SAR and FOI handling, INSET day training, breach support, ICO liaison and annual governor reports.

80+Schools supported by RADCaT
MATsMulti-academy trust specialists
INSETTraining on your schedule
OfstedData governance readiness
Schools DPO

Why Schools Need a Specialist DPO

A workplace risk assessment is a systematic examination of your work activities, premises and processes to identify what could cause harm to people — and whether you're doing enough to prevent it. Under the Management of Health and Safety at Work Regulations 1999 (MHSWR), every employer must carry out a suitable and sufficient assessment of the risks to the health and safety of their employees and anyone else who may be affected by their work activities.

If you have five or more employees, the significant findings of your risk assessment must be recorded in writing. But regardless of your size, risk assessment is the foundation of every health and safety management system — without it, you're managing safety blind.

RADCaT's qualified health and safety consultants carry out thorough, practical workplace risk assessments for businesses of every size and sector across the UK. We don't produce generic templates — we visit your premises, walk your processes, talk to your team and produce site-specific, task-specific assessments that genuinely reflect your operations and give you a clear, prioritised action plan for improvement.

Whether you need a general workplace risk assessment for your office, a task-specific assessment for high-risk activities in a factory, a site-wide review for a multi-building campus, or a pre-project risk assessment for a construction site — RADCaT delivers expert, HSE-compliant assessments tailored to your industry and your operations.

RADCaT has supported over 80 schools with DPO services. We know your MIS, your data flows, your reporting obligations and the specific challenges of managing pupil data. No other compliance provider understands education the way we do.

Schools DPO from RADCaT
Types of Risk Assessment

Schools DPO Services

Everything your school needs for GDPR compliance.

DPO Appointment

Formal Article 37 appointment as your school's DPO. Published contact, ICO notification, independence and reporting to headteacher and governors as required.

School GDPR Audit

Comprehensive audit of your school's data protection practices — MIS security, data sharing agreements, privacy notices, consent, retention, website compliance and staff awareness.

SAR & FOI Handling

Full management of parental SARs, staff SARs and FOI requests. System searches across SIMS/Arbor/CPOMS, exemption assessment, redaction and timely response.

INSET Day Training

GDPR awareness for all school staff delivered on INSET days or twilight sessions. Pupil data handling, photography, social media, breach reporting and individual responsibilities.

Breach Response

Immediate support when breaches occur — misdirected emails, lost USB drives, MIS access issues, parental data disclosed incorrectly. Assessment, ICO notification and remediation.

DPIA for New Systems

Assessment and DPIA support when implementing new MIS, CCTV, biometrics, behaviour monitoring, cloud migration or data sharing with new external agencies.

Governor Reports

Annual compliance report to governors covering GDPR status, activities, incidents, training, risks and recommendations. Board-ready documentation demonstrating governance.

MAT-Wide Services

Single DPO across all trust schools. Consistent policies, centralised SAR handling, trust-wide training, board reporting and cross-school compliance coordination.

Our Process

How We Carry Out a Risk Assessment

1

Appointment

Formal DPO appointment for your school or MAT. ICO notification, published contact details and establishment of reporting arrangements with headteacher and governors.

2

GDPR Audit

Comprehensive audit of your school's current data protection position — systems, policies, practices, staff awareness and documentation.

3

Compliance Programme

Prioritised programme to address audit findings — privacy notices, data sharing agreements, retention schedules, consent mechanisms and procedures.

4

INSET Training

GDPR awareness training for all staff on an INSET day. Practical, school-specific content with real scenarios teachers and support staff will recognise.

5

Ongoing DPO Support

Year-round DPO function — SAR/FOI handling, DPIA advice, breach support, ICO liaison, legislative updates, policy reviews and annual governor report.

Common Questions

Schools DPO FAQ

Does my school legally need a DPO?

Yes. All maintained schools, academies, free schools and MATs are public authorities under UK GDPR and must appoint a DPO under Article 37. The DPO can be internal or external. RADCaT provides cost-effective external DPO services specifically for the education sector.

How much does a school DPO cost?

Annual retainer based on school size, phase and complexity. Typically a small fraction of what an internal DPO appointment would cost. MAT packages offer per-school rates that reduce with scale. All services included — no hourly extras.

Can one DPO cover a whole MAT?

Yes. A single DPO can serve all schools within a MAT, provided they are accessible to each school. RADCaT provides trust-wide DPO services with consistent standards, centralised processes and board-level reporting.

What about CPOMS and safeguarding data?

CPOMS contains some of the most sensitive data in any school. We ensure your CPOMS access controls, data sharing settings and retention practices are GDPR-compliant. We handle SARs involving CPOMS data with appropriate safeguarding exemptions applied.

Do you deliver INSET training?

Yes. We regularly deliver GDPR awareness training on INSET days — typically 1-1.5 hours covering practical data handling scenarios that teachers and support staff encounter daily. No supply cover needed.

How do you handle parental SARs?

Parental SARs require careful handling — balancing the parent's right of access with the child's privacy rights (particularly older pupils), safeguarding exemptions, third-party data and legal privilege. We manage the entire process professionally and within timescales.

What governor reporting do you provide?

A comprehensive annual compliance report covering GDPR status, DPO activities, audits conducted, SARs/FOIs handled, breaches (if any), training delivered, risks identified and recommendations for the year ahead. Board-ready documentation.

Need a School DPO?

Get in touch for a free discussion. We'll explain our service and provide a tailored quote for your school or MAT.