5 steps to prepare for GDPR (not only in schools)

Map the current situation, check the current contracts, set up internal processes, secure a delegate and prepare the necessary information for the website. These are the five basic steps that, according to the Ministry of Education, lead to easy preparation not only of schools for the entry into force of the General Data Protection Regulation.


The Ministry of Education, Youth and Sports of the Czech Republic has prepared a document outlining the workflow that schools should follow if they want to be prepared for the GDPR coming into force. It outlines the obligations that come with the new regulation and aims to help schools navigate these obligations.

The guide also includes a series of sample templates, flowcharts and other documents, which will be required for school settings from May.

Because the steps proposed by the ministry may provide guidance for other institutions, we have written a brief overview of them.

1. Map the current situation
Take a look at how personal data is currently handled in your company. Analyse the activities in which you process this data and prepare so-called "record cards" of the processing activities (these are further defined in Article 30 of the Regulation).

2. Check contracts
Check any current contracts in force with information system providers, smartcard entry providers and other processors of personal data. Also check sales contracts, work contracts and other contracts containing personal data. These contracts have precise mandatory elements.

3. Set up internal processes
Internal processes for handling personal data will need to be reconfigured or set up completely anew. You will need to revise your personal data handling guidelines or adopt new ones.

4. Secure a data fiduciary
Every major institution will need to have a Data Protection Officer (DPO) from May. We wrote in February about how to choose a DPO and what to look out for when drafting a subsequent contract with one.

5. Inform
Be sure to inform about how you process personal data on your website. Prepare all the necessary documents and process them in as clear a way as possible.

You can find the document Brief guidance on securing GDPR-related processes on the website of the Ministry of Education and Science of the Czech Republic.If you encounter a specific situation while reading it that you do not know how to deal with, do not hesitate to contact us. We will be happy to help you prepare for the GDPR coming into force.