Terms and Conditions
Service Specifications
EPS Ltd specialises in data protection and data privacy in the regions of the EU (EEA), UK, Vietnam, Malaysia and Singapore, for the education sector.
The Data Protection Officer (DPO) Service will ….
1. Inform and Advise on Your GDPR Obligations
EPS provides clear, practical guidance to help your school stay compliant:
Advisory support for all GDPR queries via dedicated WhatsApp helpline and email
Bespoke video training and guidance tailored for school staff and governors
Regular updates and practical insights through the Data Protection Lead Network, including termly network meetings
2. Support You in Monitoring Internal GDPR Compliance
EPS helps you stay on track with practical tools and expert guidance:
Remote compliance reviews and analysis of your school’s GDPR action plan
Targeted advice and recommendations based on your current risk profile
Access to a suite of resources, model templates, and compliance checklists
Ongoing personalised support through monthly 1:1 GDPR surgeries
3. Assist Your School with DPIAs (Data Protection Impact Assessments)
EPS provides expert guidance to ensure your DPIAs are thorough, compliant, and fit for purpose. This includes advice on:
Whether a DPIA is required for a proposed project or activity
Choosing an appropriate methodology tailored to your school’s context
Identifying and applying safeguards to minimise risks to data subjects
Assessing DPIA quality and conclusions to ensure alignment with GDPR requirements
4. Advise on Handling Subject Access Requests (SARs)
EPS supports your school in responding to SARs effectively and lawfully, including:
Guidance on managing SARs from pupils, parents, or staff in line with GDPR, the UK DPA 2018, and the data protection regulations of other nations
Provision of a dedicated SAR email address for publishing on your school website or communication channels
Acting as a liaison point with parents, where appropriate, to help clarify requests and reduce miscommunication
5. Advise on the Handling of Data Breaches
EPS provides prompt, expert guidance to help you respond to data breaches with confidence, including:
Assessing the severity of an incident and determining appropriate next steps
Making an informed judgement on whether the breach meets the threshold for reporting to the Information Commissioner’s Office (ICO)
Supporting your internal response to ensure compliance with legal obligations and minimise reputational risk
6. Engage with the Information Commissioner’s Office (ICO) on Your Behalf
EPS acts as your school’s representative in matters involving the ICO, including:
Reporting serious personal data breaches when required under UK GDPR
Serving as a point of contact for all follow-up communication and inquiries
Receiving and responding to official correspondence, including matters raised by data subjects or regulatory investigations
The School Will:
(“School” refers to any maintained nursery, maintained school, academy, multi-academy trust, privately owned school, or international school, as applicable throughout this document.)
Provide the Data Protection Officer (DPO) with all necessary resources to enable the effective and independent performance of their statutory and advisory responsibilities.
Grant the DPO access to relevant records of processing operations, including systems, documentation, and personnel, to support compliance monitoring and risk assessment.
Complete checklists, audits, or other compliance tools as requested by the DPO to assist in monitoring data protection practices and identifying areas for improvement.
Publish the DPO’s contact details, including the dedicated email address, in a way that is easily accessible to data subjects and supervisory authorities (e.g. on the school’s website and privacy notices).
Give due regard to advice provided by the DPO, particularly where it concerns compliance with the UK GDPR, EU GDPR (if applicable), the Data Protection Act 2018, or local data protection legislation.
Where the School decides not to follow the DPO’s advice, or disagrees with a recommendation, this must be clearly documented in writing, particularly within Data Protection Impact Assessments (DPIAs).
Note: Where such decisions lead to serious breaches or increased risk, additional charges may be incurred (see section: Payment).
Consult the DPO at the earliest stage when conducting a Data Protection Impact Assessment, in accordance with Article 35(2) of the UK GDPR and equivalent international provisions, where relevant.
Ensure the DPO has direct access to senior leadership and decision-makers, including those responsible for IT, safeguarding, data governance, and policy oversight.
Term of Agreement and Payment
The annual subscription fee for this service is £500, which is payable in full and in advance, within 28 days of the date of invoice.
To maintain a cost-effective model for schools and trusts, this agreement does not include site visits. However, in-person visits may be arranged by mutual agreement and will be charged at the standard consultancy day rate or pro-rata where applicable.
This all-inclusive fee is provided on the understanding that the school/trust adheres to the advice provided by the DPO. Should advice be disregarded and this leads to a serious data breach or regulatory failure, any additional support required to manage the situation will be charged at the prevailing consultancy rate.
Should the school or trust wish to terminate this agreement before the end of the subscription period, one calendar month’s written notice is required.
Confidentiality
Confidential information refers to any data or information relating to the business of the school that could reasonably be considered to be proprietary to the school, where the release of that confidential information could reasonably be expected to cause harm to the school.
Education Privacy Solutions Ltd will not disclose, divulge or reveal confidential information that it has access to in the course of delivering the Service, except as authorised by the school or as required by law.
We take the protection of your personal data seriously and comply with the UK Data Protection Act 2018. Our Privacy Notice sets out how we collect and use your personal data, as well as your rights. For further information, please see our Privacy page.
Indemnity
The school is the data controller and holds the liability for GDPR non-compliance and/or data breach.
Except to the extent paid in settlement from any applicable insurance policies, and to the extent permitted by applicable law, the school and EPS Ltd agree to hold one another harmless against all claims, losses and costs of any kind arising out of any act or omission on either side in relation to compliance with GDPR and other data protection laws.
Governing Law
This agreement will be governed by, and construed in accordance with, the laws of England.
The laws of data protection will be upheld in accordance with the laws of the nation state in which the school head office is located, as defined by local data protection laws. Local refers to the law of the nation where the school resides.