GDPR Policy

To ensure compliance with the General Data Protection Regulation (GDPR), Challenging Education Ltd understand the terms under which data will be shared, maintained and securely deleted. An agreement is to be constructed outlining the terms and conditions of both parties’ approach to data protection.

This document complies with the requirements set out in the GDPR, which came into effect on 25 May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect the implementation of the GDPR.


  • This policy statement, which should be read alongside any SLA or service purchase agreement, between Education Establishments and Challenging Education, outlines the terms under which the two parties agree to share data under the GDPR.
  • This statement ensures both parties have a clear framework to work to, and act in compliance with the needs and requirements of one another and the GDPR.
  • Both parties understand that limited data sharing is necessary in order for Challenging Education Ltd to fulfil its obligations.
  • This statement clearly identifies that both parties ensure they understand their roles in protecting data and in relation to upholding this agreement

Challenging Education will;

  • In accordance with Article 24 of the GDPR, take into account the nature, scope, context and purposes of processing; as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.
  • In collaboration with the school, implement appropriate measures, e.g. up-to-date security software and consistent reviewing procedures, to ensure they are able to demonstrate that processing is performed in accordance with the GDPR. These measures will be reviewed and updated where necessary.
  • Remain directly liable for compliance with all aspects of the GDPR and for demonstrating that compliance. If this isn’t achieved, Challenging Education recognizes they may be liable to pay damages in legal proceedings or be subject to fines or other penalties and corrective measures.
  • Not request, and should not be sent, pupil-level data
  • Ensure that the persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Delete or return all personal data to the School at their request, once the contract reaches its termination.
  • Make available all information necessary to demonstrate compliance with the obligations set out in Article 28 of the GDPR.
  • Immediately inform the School if they believe an instruction they have given breaches the GDPR or any other data protection law.

Processing and record keeping

  • The data that Challenging Education will keep includes: group level performance and attendance data as agreed in the Service Level Agreement or service purchase document.
  • Data will not be kept for longer than its purpose(s),
  • Unrequired data will be deleted as soon as practicable.
  • Paper documents will be shredded and electronic memories scrubbed clean or destroyed, once the data is no longer required, or has fulfilled its purpose(s).
  • Both parties will discuss regularly whether any data can be destroyed.
  • Once the contract ends, the data held by Challenging Education will be securely transferred back to the school.

Data security

The security measures in place to ensure effective protection of physical data include:

  • Data is only shared with Staff or associates of Challenging Education and schools which is Password Protected and Encrypted on Portable Devices
  • No confidential paper records will be kept by Challenging Education. All personal data will be returned to school after the work day.
  • Digital data does not include pupil-level data. It is password-protected, coded or encrypted on local hard drives and on a network drive that is regularly backed up and maintained.
  • Portable devices will not be used to hold personal information.
  • All electronic devices are password-protected to secure the information on the device in case of theft.
  • Challenging Education will update and review security measures in accordance with this GDPR Policy Statement.
  • Under no circumstances does Challenging Education Ltd allow any unauthorised persons to access confidential or personal information.

Data Breaches

  • The Directors of Challenging Education, will take steps to ensure that all staff members are made aware of, and understand, what constitutes a data breach as part of their training.
  • Where a breach is likely to result in a risk to the rights and freedoms of individuals, Challenging Education will inform the school immediately.
  • Any breaches will be fully investigated by the Directors of Challenging Education along with the school and security measures will be assessed and reviewed in relation to the investigation.
  • If it is agreed that a breach is sufficiently serious, the public will be notified without undue delay.
  • Challenging Education Ltd understand that failure to report a breach when required to do so may result in a fine, as well as a fine for the breach itself.