GDPR - easy steps to help get you into gear

Mike and Liz
15 May, 2018 : 14:52
18     1

Your PTA & GDPR: easy steps to take today!

See our latest GDPR guidance for PTAs in full here.

You cannot have escaped news about the General Data Protection Regulations (better known as GDPR) which will come into force on 25 May 2018.

It might seem daunting but, at its heart, GDPR is pretty simple. It's about making sure organisations only keep information about people if they've got sound reasons to, don't hang onto it for too long and keep it safe while they have it.

As a PTA committee member, GDPR will affect you. As a small charity (independent of the school), you are a ‘data controller’ that makes your own decisions about what you send to parents, and how you keep their information.  

And it doesn't matter whether you put together the summer fair rota from a database or a dog-eared address list, you're still handling personal data. But don't panic - with a bit of common sense and respect for privacy, getting GDPR-ready shouldn't be a huge challenge. It's also a great opportunity to engage with the school community about what your PTA does.

So, if you haven’t already taken action or aren’t sure if everything’s been covered, start by answering these questions and then look at our top tips on what steps you can take right away:

Question 1 - Are you and your fellow PTA committee members clued up or clueless about GDPR?

For a bit of fun to get you started, why not take the Parentkind GDPR quiz, read and share this blog and also access our comprehensive GDPR guidance for Parentkind members.

To keep in the loop make sure your PTA chair, treasurer, secretary and other committee members sign up to receive Parentkind bulletins.

Question 2 - Do you have a good reason for collecting, using and keeping people's data?

The GDPR sets out a range of bases upon which personal data may be handled legally - some of which are relevant to PTAs. Having the consent of the person the information relates to is a pretty major one.

Or it may be that, without handling data, you can't do what's expected of you by the people the data belongs to, in which case you have what is known as a "legitimate interest".

What does that mean in a PTA context? Well, you may have a "legitimate interest" in using parent data to make sure they can be involved in your PTA, however, be careful not to send them anything classed as ‘marketing’ without consent. Take a look at our detailed guidance for more on this.

Question 3 - Have you explained what personal data you're collecting and are you only collecting what you really need?

When you collect data, you'll need to make sure you tell people what information you're gathering and what for. Don't collect more than you need – you cannot hold on to it ‘just in case’!

And GDPR is also hot on organisations getting rid of data once its purpose has been served - so do shred that sheet of Guess the Teddy's Name entrants as soon as the winner is chosen. If you expect to need this information longer term, make sure this is clear to parents when you ask for it. 

Question 4 - Are you keeping people's information secure?

No one wants their personal data to end up in the wrong hands and GDPR includes some potentially hefty penalties for data leaks. But once again, a lot of what you need to do is common sense. Keep data secure behind passwords, or under lock and key. Don't copy personal information if you can avoid it.

And don't neglect the other side of data security - keeping on top of who can access data and for what reasons. Just being on the PTA committee is not a good enough reason alone. Work out some policies around who has access to what and why, perhaps including someone on your committee to be responsible for data protection alongside your secretary or chairperson.

Now you've considered questions one, two, three and four...

Do this right away

  • Make sure you and other PTA members are signed up for updates and guidance from Parentkind.
  • Seek out an expert in your school community. GDPR will affect lots of people in their day jobs, so there's bound to be a parent with experience to share. 
  • Be committee ready!  Make sure your committee have read the Parentkind guidance and nominate a data protection lead.
  • Audit your information with our easy to use Data Audit Template. Think about the what, where and why of the personal data you already hold and make sure it’s accurate and up to date.
  • Agree and document how long you're going to hold data for. Use our Data Retention Template to keep a record of what you've decided.
  • Agree policies on who needs access to what data, and make a note of them.  
  • Work out what data you don't need any more, or don't have the right to hang onto, and destroy it.  Still got the signup sheets for the Christmas Fair? Old raffle books with mobile numbers on? Get rid of them NOW!
  • Consider moving electronic data storage to a secure online file store or database which committee members can log into, rather than emailing copies of documents. 
  • Work with your school but be aware that there are different rules for schools as they are a 'public body'.

Stop doing this

  • Adding to a never ending list of parents' contact details without regularly tidying this up after events.
  • Creating multiple copies of personal data by emailing, printing or copying it to different places.
  • Allowing people access to the data without good reason.
  • Storing personal data insecurely, e.g. in unlocked cupboards, or on USB sticks or computers without password protection.

Where to find more advice

The Infomation Commissioners Office website has a a huge amount of advice on GDPR, including:

Tasneem Hussain
14 May 2018
Re: GDPR - do you have a standard template we can use to send to parents re re GDPR / tick box for consent etc.
Hayley Francis
15 May 2018
Hi Tasneem, thank you for commenting on our blog. In answer to your question, PTAs can work in lots of different ways so we are unable to produce a generic one size fits all privacy statement. We recommend you visit The ICO's website as it haslots of helpful advice about privacy statements, including a checklist for creating one. Best wishes, the team at Parentkind.
Emilie Askew
15 May 2018
Re: GDPR, do you have a standard template for a privacy statement we can use?
Hayley Francis
15 May 2018
Hi Emilie, thank you for commenting on our blog. We know that PTAs can work in lots of different ways and are all unique so we are unable to produce a generic one size fits all privacy statement. We recommend you visit The ICO's website as it has helpful advice about privacy statements, including a checklist for creating one. Best wishes, the team at Parentkind.
Emilie Askew
15 May 2018
Regarding Facebook pages and GDPR do we have to publish a message to parents to opt in our page? Or a privacy statement is enough.
Hayley Francis
15 May 2018
Hi Emilie, If you are clear on the Facebook page, about what you will communicate to people about when they’ve joined the group, we feel you can take their act of joining the group as consent. Data protection rules do not usually apply to people choosing to post information on social media about themselves or their children, although you should be very careful about reusing any personal information posted on your PTA forums by others without consent. More guidance can be found here: Best wishes, the team at Parentkind.
Emilie Askew
18 May 2018
GDPR, do we have to register with the ICO as a pta?
Hayley Francis
18 May 2018
Hi Emilie, thanks for your comment - we'll look into this and come back to you.
Christine Calver
23 May 2018
We run a monthly draw with 150 parents. We hold their name, address and telephone number to enable us to send winnings. We do not hold email addresses so do we need to write to each person?
Hayley Francis
31 May 2018
Hi Christine, thanks for your comment. You would still need to contact them as you hold their personal data. Hope this helps. Best wishes, the team at Parentkind
03 October 2018
We do not keep parents contact details ourselves and send all communications via the school. Despite the fact that 'Undertaking fundraising for the school through sending out PTA communications' is specifically listed under the 'what we process your personal data for' section of the school's Privacy Notice, the school are now refusing to email out notices about the events we arrange like: school discos, magic shows, school fair. They won't even email out our AGM notice, which I would argue is operational, not marketing. They will put flyers in book bags, but not email. Do you have any specific guidance on this? I can't imagine we are the only PTA with this issue. Thanks.
Hayley Francis
15 November 2018
Hello, it's a school decision if they are prepared to send communications out on behalf of the PTA. If they are not willing to do so you can organise your own communication channels, either obtain contact details yourself or use a social media channel such as Facebook Group or a communication tool (like an app). You can continue to send paper flyers home in book bags. Do take a look at our detailed GDPR guidance here: We also have a PTA reply slip to help you obtain consent here: Best wishes, the team at Parentkind.
18 October 2018
Hi our PTA runs a very large school of 600+ pupils. We as a PTA usually use lists of classes provided by the school to send out raffle tickets for events etc. How is this affected by GDPR ? Can we still obtain these lists if the parent has ticked a box to say they are happy for the school to share their child's name with the PTA? We do not store any parent emails or contact details as all correspondence is sent via the school rather than us directly. Thanks in advance.
Hayley Francis
15 November 2018
Hello, if a parent has given consent for their information to be shared with the PTA you are able to use this, however if you have not received consent from all parents you would only be allowed to have the names of those with consent. You can send information home in book bags addressed to Parent/Carer with no personal information, and Raffle Tickets should be placed in a sealed envelope. Best wishes, the team at Parentkind
09 November 2018
You were going to look into whether PTAs are required to register with the ICO? What was the outcome of this? Specifically, What would the position regarding ICO registration be if the PTA is a charity with net profit at end of the year (but the sole purpose of which would be distribution to the school at a later date)
Hayley Francis
15 November 2018
Hi there, thanks for following this up. Circumstances are different from each organisation to the next, however it is likely that they PTAs (and other parent groups) will be required to register. Please check directly with the ICO if you are in any doubt, see contact details at (email, phone or live chat available): Best wishes, the team at Parentkind
16 April 2019
Can you just further clarify the ICO and charity registration with them. We have just set up a new Friends' Association which is a registered charity. It does make a profit but of course all that money goes to meet our charitable aims and gets handed to the school eventually. I phoned the ICO today and they said that if our constitution had a 'not for profit' exemption written into it then we would have to register with the ICO. As we have adopted the Parentkind model constitution without change - are we covered?
16 April 2019
Sorry - we wouldn't have to register!
Please login to your account or register to leave a comment.
Mike and Liz
Mike and Liz are Parentkind's resident experts on GDPR. Mike is responsible for wrestling daily with getting Parentkind GDPR compliant, while Liz is a freelance GDPR consultant, advising Parentkind and many other organisations on what the law means and what needs to be done.

Parentkind uses cookies to improve website functionality and analyse site usage. Click here for details of how to change your settings. By continuing to use this website you agree that we can save them on your device.