Merton Schools DPO Leading the way in Data Protection

An inspiring example of how schools and their LA can work together to achieve compliance with the new Data Protection laws in the UK


The GDPR and the DPA 2018 require organisations to carry out detailed investigations of the personal data they process and keep evidence of the outcomes. Schools process large quantities of personal data, much of which is extremely sensitive. Data protection must permeate every part of the school from the leadership team through to the kitchen staff who serve food to children with health problems and allergies.


Derek Crabtree is the Schools’ ICT Support Manager and DPO for schools at the London Borough of Merton. He has a wealth of experience in leading new initiatives and has successfully  introduced systems to manage safeguarding together with implementing safe network solutions and removed cash in his schools by introducing online payments.

Looking back at the lead up to 25th May 2018, Derek recalls “We identified early on that there was a great deal of misinformation out there. Schools were being approached by various consultants and companies eager to benefit from the uncertainty at the time. The ICO tried their best to bust the myths but schools were very uneasy about what they should do. It irritated me that companies and individuals would use scare tactics to try and gain access to public money.”

It was this irritation that sparked Derek into action; he knew that he had to find a cost-effective way to support his schools.


The Challenges

Talking about the challenges that schools in Merton would face, Derek admits “We have always been strong on data governance and have worked with our corporate audit colleagues to ensure that our schools were compliant with the previous legislation. Our approach started with some initial guidance around the GDPR that we intended would steady the ship.”

It quickly became clear to Derek’s team, that ‘just guidance’ was not enough, the new and extended requirements brought greater challenges to schools. The new 2018 data protection laws require them to:

  • Appoint a Data Protection Officer (DPO)
    The DPO should be an independent person with expert knowledge of data protection law and practices.
  • Build a data ecosystem
    Record and evidence what personal data they process and map data flows.
  • Maintain detailed records of breaches
    Evidence their investigations and actions within tighter timescales.
  • Carry out focused Data Protection Impact Assessments (DPIAs)
    Particularly for new projects which process personal data and all existing high-risk processes.
  • Review policies, procedures & agreements
    Update their Privacy Policy, implement a clear Data Retention Policy and review Data Sharing Agreements.
  • Deliver and evidence staff training

With no additional funding available to tackle the new challenges, schools were rightly concerned. Derek held consultations with Headteachers across the Borough and it was decided the best way forward was to provide a cost-effective Service Level Agreement (SLA) to help schools meet the new requirements.

The Merton Approach

After testing the market, it became apparent that there would be a strong take up of the SLA amongst schools.

They knew that if it were to be successful they would need a software solution that would allow them to raise awareness, help with training, record and document their compliance as well as track progress.

They also felt it was important that the ideal solution would be paperless and cloud-based. Derek’s team approached the LGfL, their regional broadband provider, who built a mini-framework of products and providers of services that met their criteria.

The team at Merton chose GDPRiS because in Derek’s words “it was the best fit for our schools.” Derek remarked “Once the schools signed up implementation was really quick and easy. The GDPRiS staff were very accommodating and knowledgeable and with their help, we quickly onboarded all of our schools and delivered training.”


More than 12 months into the project, Derek and his team have realised the many benefits of using GDPRiS to monitor and manage data protection across all their schools.

With regards to the success of the project, Derek said “In terms of outcomes, we wanted schools to feel confident that they were doing the right thing and that compliance with a complex set of regulations would not distract them from their core purpose – the business of education. I believe we have achieved this, schools now have a really good idea of what it takes to comply with the new regulations.”

Derek and his team have access to a central dashboard providing Key Performance Indicators (KPIs) across their schools. Highlighting the key areas of GDPRiS that help him as the DPO across a group of schools Derek commented “We can view data maps and data asset registers for each school and the comprehensive reporting allows us to check levels of engagement. Any member of staff, at any of our schools, can report a breach triggering an immediate notification that is sent to myself and my team allowing us to react quickly in-line with ICO requirements.

Derek added; “The audit functionality is very useful, we can carry out a Training Needs Analysis (TNA) to spot gaps in staff knowledge and provide properly targeted training and guidance. In addition, we have a record of what training staff have received and when.”

The project has also enabled Merton to further reduce its carbon footprint with fewer school visits needed and has provided a paperless solution to disseminate information to their schools. Derek also said, “GDPRiS is a living growing product and our requests for reports and additional features are always enthusiastically received. It feels as if we are growing stronger together as the product continues to evolve in-line with DfE and ICO requirements.”

When asked if he had any advice for other LAs, or other education organisations, looking to embark on a similar project, Derek advises “Don’t be afraid to have difficult conversations with your schools. They are all worried about compliance, choosing the right supplier to help you manage this can help to ease the burden.”

As a final piece of advice to others, Derek added “Compliance with Data Protection laws is not something that you can treat as a one-off, keeping people’s data safe is a process and involves a particular mindset – you cannot afford to take your eye off the ball. GDPRiS has really helped to foster this mindset in our schools and has given us a central tool that helps us to monitor each schools journey towards compliance.”

In recognition of his efforts to support schools in Merton, Derek has been nominated for various awards including the ICO award for Data Protection Officer of the Year and the Public Sector Paperless Award for Data and Information Security Project of the Year.

To find out how GDPR In Schools can support your school(s) call 020 3961 0110