GDPR and Your School Website: What You Need to Know

GDPR has been UK law since May 2018, but many school websites still don’t fully meet the requirements. The good news is that getting compliant isn’t as daunting as it sounds — it mostly comes down to a handful of specific areas. Here’s what school business managers and headteachers need to know.

Your Privacy Notice

Every school website must have a clear, accessible privacy notice. This is a legal requirement under UK GDPR and must explain what personal data you collect, why you collect it, how long you keep it, and who it’s shared with. This applies to data collected through your website — contact forms, newsletter sign-ups, event enquiries — as well as data about parents, pupils, and staff.

Your privacy notice needs to be easy to find. Burying it in a footer link that nobody clicks isn’t enough. Ideally it should also be written in plain English, not dense legal language, so parents can actually understand it.

Cookie Consent

If your website uses non-essential cookies — and most do, through tools like Google Analytics, YouTube embeds, or Facebook plugins — you need to obtain user consent before those cookies are dropped. A banner that just says “We use cookies” with an OK button isn’t sufficient under UK GDPR. Users must be able to actively opt in, and it must be just as easy to decline as it is to accept.

Review your cookie banner to make sure it’s giving users a genuine choice, and that non-essential cookies aren’t loading until they say yes.

Contact Forms and Online Enquiries

Contact forms are one of the most common ways schools collect personal data. You need to be transparent about what you’ll do with the information people submit — and you shouldn’t collect more than you actually need.

A short privacy statement near each contact form, linking to your full privacy notice, is both a legal safeguard and good practice for building parent trust. If you’re using a third-party form tool, check that it stores data securely and that there’s a data processing agreement in place with the provider.

Photography and Pupil Images

If your website features photos of pupils, you need valid consent for those images to be published online. Consent for the school newsletter or internal communications is separate from consent for public website use — they’re different purposes under GDPR.

It’s worth reviewing your photography consent forms to check they specifically cover website publication. If they don’t, or if they’re out of date, it’s a straightforward fix — but one that’s easy to overlook until an inspection or a parent complaint brings it to your attention.

Third-Party Tools and Integrations

Many school websites use third-party tools that collect or process personal data: Google Analytics, YouTube, embedded maps, social media feeds. Under UK GDPR, your school remains the data controller and is responsible for how those tools handle data.

Make sure any third-party tools are listed in your privacy notice, and that you have data processing agreements in place with each provider. Google, for example, provides a standard data processing amendment for Analytics users, but you need to actively accept it; it’s not automatic.

Making It Manageable

None of this needs to be complicated. A simple annual review — checking your privacy notice is up to date, your cookie consent is working correctly, and your photography consents cover website use — will keep you on the right side of the law without it becoming a burden.

If you’re not sure whether your school website is GDPR-ready, Brothers Creative can help. We build websites for primary schools, secondary schools, and academy trusts with data protection and compliance in mind from the outset. Get in touch to find out more.

Jason Brothers

Jason Brothers is the owner of Brothers Creative and his mission is to help schools succeed through unforgettable marketing both online and in print. He has been in the design and marketing industry since 1996, working with big brands such as Sotheby's, Royal Mail, American Express, and BP. Jason is from Northampton and lives there with his wife and three children.