The future of work is not a distant concept. It is already here, and it is forcing us to confront a fundamental tension. Work gives people purpose. It provides identity, meaning and a sense of contribution. At the same time, the economic reality for organisations is clear. We are under constant pressure to drive efficiency, scale and productivity, increasingly through technology.

In January, I attended the Future of Work event hosted by Arbor. What stood out was not just the pace of change, but the clarity of direction. Workflow automation sat at the centre of the conversation. Not as an abstract idea, but as something organisations are actively building into their day to day operations.

AI is accelerating this shift at an extraordinary rate. The advances we are seeing are not linear. They are compounding. New capabilities are emerging continuously, unlocking new forms of value creation that were not possible even a short time ago.

This creates both opportunity and responsibility.

We are moving from static processes to what many are now calling agentic workflows. Teams are no longer just documenting how work gets done. They are designing and building systems where workflows are automated, connected and increasingly executed by AI agents. These agents can act, make decisions and coordinate across systems.

We are seeing teams invest time in mapping processes, integrating systems through connectors and experimenting with emerging protocols such as MCPs. The intent is clear. Build workflows that are not only efficient, but adaptive.

The implication is significant. Smaller, more focused teams, supported by AI agents, will be able to deliver outcomes that previously required far larger structures. This is not about doing the same work faster. It is about redefining how work is done altogether.

However, technology is only part of the story. The real shift sits in the operating model.

The models many organisations rely on today were designed for a different era. They prioritise stability, hierarchy and control. In a world of AI enabled workflows, that approach begins to break down. We need operating models that are more fluid, more modular and more responsive. Teams will need to form around problems, not sit within rigid structures. Capabilities will need to be assembled, not owned.

At the same time, complexity increases.

As organisations adopt more tools, more agents and more integrations, the surface area expands. Managing that ecosystem becomes a critical challenge. Security, data integrity and supply chain dependencies extend well beyond traditional boundaries. Governance can no longer be an afterthought.

This demands a different level of maturity. Organisations must be able to secure and safeguard their systems, understand how data flows across them and maintain clear accountability. Leadership teams need to be across this. AI is not just a technology topic. It is a core part of organisational strategy and risk management.

Alongside this sits the question of ethics.

As AI systems take on more responsibility, leaders must understand the implications. Issues such as bias, transparency, privacy and accountability are no longer theoretical. They are practical concerns that shape trust. The organisations that succeed will be those that take this seriously and embed it into how they operate.

Amid all of this, we cannot lose sight of purpose.

If technology continues to take on more of the execution, then human contribution must shift. Work becomes less about tasks and more about judgement, creativity, relationships and responsibility. This is where people find meaning. Organisations need to be deliberate about how they design roles and environments that support this.

There is also a broader responsibility, particularly in education.

How do we prepare children and young people for this world? The answer is not simply to teach them how to use tools. It is to help them understand systems, think critically and adapt continuously. They will need to work alongside AI, understand its limitations and navigate its risks.

Skills such as resilience, curiosity and ethical awareness will matter as much as technical capability.

So how do we respond now?

We start by being practical. Identify where workflow automation can create value today. Experiment with agentic approaches in a controlled way. Invest in understanding governance, risk and security. Begin to reshape teams around outcomes rather than functions.

At the same time, we need to think more fundamentally. What does good work look like in our organisations? How do we balance efficiency with meaning? What responsibilities do we carry as leaders?

The future of work is being shaped in real time. The choices we make now will define not only how our organisations perform, but how people experience work itself.

This is not about replacing people. It is about rethinking their role. If we get it right, we can create organisations that are more productive, more adaptive and more human at the same time.

That is the opportunity in front of us.

There is something quietly powerful about a room full of education leaders admitting they do not have all the answers.

That, for me, was the thread that ran through this conversation. Not certainty, but responsibility. Not competition, but contribution. And, crucially, not isolation, but connection.

System leadership as a moral responsibility

One of the most striking reflections was the idea of system generosity. Large multi-academy trusts, by virtue of their scale, experience a microcosm of the entire sector. With that comes both privilege and duty.

The privilege is insight.
The duty is to share it.

This is not about showcasing only what works. In fact, the most powerful contribution to system leadership is often the opposite. Sharing what has gone wrong, what has been learned, and what still feels unresolved. In a system as complex as education in England, honesty is more valuable than polish.

There is also a growing recognition that trusts are becoming bridges. Bridges between schools and government. Between policy and practice. Between local realities and national direction. That bridging role is not always comfortable, but it is increasingly essential.

Collaboration is happening. We just need to deepen it

There was a quiet optimism in the discussion. Collaboration is not absent from our system. In many ways, it is stronger than we give ourselves credit for.

Trusts are sharing. Leaders are learning from one another. Networks are forming.

But there is a difference between collaboration within familiar circles and true system collaboration.

The challenge now is boundary spanning. Reaching beyond our own trust, our own region, our own phase or role. Engaging with local authorities, independent schools, further education, industry, and government in more meaningful ways.

If we are honest, education can still be inward looking. The next phase of system leadership requires us to look outwards with intent.

MATs as engines of disciplined innovation

Multi-academy trusts are increasingly acting as engines of disciplined improvement. Not innovation for its own sake, but innovation that is tested, evidenced, and scaled.

There was a helpful reframing here. Less “pilot” and more “prototype”.
Less short-term experimentation, more intentional design for longevity.

Yet we cannot ignore the tension. Education is, rightly, risk aware. Every decision affects a child who only gets one chance.

So the question becomes: how do we create space to innovate without compromising that responsibility?

The answer seems to lie in structure. Clear guardrails, strong professional judgement, and cultures that allow thoughtful experimentation. Not reckless change, but purposeful iteration.

The balance between guardrails and agency

This brings us to one of the most important leadership tensions in the system today: alignment versus autonomy.

Or perhaps more accurately, agency within guardrails.

The most compelling idea shared was that guardrails are not the enemy of innovation. They are its enabler, provided they are set thoughtfully and not too tightly.

Within those boundaries, professionals need the space to think, to act, and to lead. Not just senior leaders, but teachers, support staff, and ultimately students themselves.

Agency is not something we grant occasionally. It is something we must actively develop. That means helping people build the confidence and capability to make sound professional judgements, even in uncertainty.

If we get this right, leadership stops being something that sits in head offices and starts to live in classrooms.

Networks matter more than ever

Across the conversation, one message came through clearly. Networks are not a luxury. They are essential.

The most effective systems are those where knowledge flows. Across roles, across organisations, across regions. Where ideas are shared in progress, not just when perfected.

There was also a powerful reminder that the most valuable networks are often those beyond your immediate organisation. Spaces where you are not constrained by hierarchy. Where you can test thinking, challenge assumptions, and learn from difference.

In a system under pressure, these networks are where energy, creativity and hope are sustained.

The human challenge: talent, purpose and retention

No conversation about the future of education can ignore the challenge of retaining talent.

Workload matters. Structures matter. Technology can help. But beneath all of that sits something more fundamental.

Purpose.

When educators lose clarity of purpose, or feel constrained by systems that prevent them from doing what they believe is right for children, we should not be surprised when they choose to leave.

Equally, progression pathways need rethinking. Not every excellent teacher wants to become a senior leader. We must create models where expertise in the classroom is valued, developed, and rewarded.

If we are serious about retention, we must make teaching not just sustainable, but deeply fulfilling again.

Looking ahead: what must change

Looking forward, there was a shared sense that the system itself needs to evolve.

Accountability measures need to better reflect the world our young people are entering. Assessment needs to become more intelligent and less reductive. We need to value the human capabilities that technology cannot replace. Resilience, creativity, collaboration, empathy.

There is also a clear opportunity to harness technology not just in classrooms, but at a system level. To create better feedback loops. To connect insight across organisations. To move from reactive to predictive thinking.

But perhaps the most important aspiration was this: that teaching becomes a profession that is not only respected, but truly revered. A career of choice for the very best people, sustained over time because it is meaningful, supported, and human.

From vision to action

The final reflection stayed with me.

We can articulate a compelling vision for the future of education. But progress will not come from grand declarations alone.

It will come from daily decisions.

From leaders asking, in every interaction:
Does this move us closer to the system we want to create?

From creating space to think differently.
From being brave enough to challenge what no longer serves us.
From choosing collaboration over competition, even when it is harder.

The future of education in England will not be delivered by policy alone. It will be shaped by the collective actions of those working within it.

A call to the system

If there is one thing this conversation reinforced, it is that the answers do not sit in any one organisation.

They sit between us.

That is why spaces for genuine dialogue matter more than ever. Spaces where leaders can share openly, challenge thoughtfully, and think together about what comes next.

My thanks to Ben and Steve at EduFuturists for facilitating such a rich and energising conversation. And to Shonogh, James and Gemma, whose purpose, passion and perspective made it both insightful and inspiring.

At TransforMATive, we are committed to creating those spaces.

If this reflection resonates, I would encourage you to join one of our Roundtable networking dinners. They are designed to bring together leaders from across the sector to continue exactly these kinds of conversations. Honest, practical, and grounded in real experience.

And if you want to explore how we can support your organisation or connect you into the wider network, get in touch.

The future of our system will be shaped together. Let’s continue the conversation.

Watch the webinar here

Listening to Jane Simpkins (Head of Teaching and Learning) present Waterton Academy Trust’s teaching and learning framework, what stood out immediately was the clarity and discipline behind it. This is not a collection of initiatives. It is a coherent, evidence-informed approach built on strong foundations such as the EEF, cognitive science and Rosenshine’s principles.

Naturally, I wanted to reflect on this through a digital lens so this post will attempt to converge the Teaching and Learning framework with Porters Value Chain model using technology as an enabler.

At its core sits a simple structure: design, engage, reflect. Clear, practical and rooted in what works.

As trustees, our role is not to lead pedagogy. It is to ensure that what is being implemented delivers impact. That means outcomes for children, not activity for its own sake.

Which leads to an important question.

Where does technology genuinely add value in this model?

---

Technology as an Enabler

There is a tendency across the sector to position technology as a driver of change. In reality, the framework Jane outlined makes something very clear. The driver is high quality teaching, grounded in evidence.

Technology has a role, but it is an enabling one.

From a strategic perspective, every decision around digital should align to Porter’s value chain. It should strengthen how the organisation creates value, not introduce complexity or distraction.

That means focusing on areas such as:

• improving curriculum delivery
• strengthening teacher capability
• enhancing assessment and feedback
• providing better insight for leadership

If a digital investment does not support one of these, it is unlikely to deliver meaningful educational value.

---

Where Technology Can Strengthen Practice

Jane’s focus on retrieval, spacing, cognitive load, metacognition and oracy provides a strong foundation. These are proven approaches. The opportunity is to use technology to embed them consistently and at scale.

Retrieval Practice

Retrieval is rightly gaining attention because it works.

Technology can support this through:

• simple, low stakes quizzing tools
• consistent retrieval routines across classrooms
• insight into gaps in knowledge

The value is not the tool itself. It is the consistency and visibility it enables.

---

Managing Cognitive Load

Reducing cognitive overload is critical for effective learning.

Technology can help by:

• standardising lesson resources and structures
• supporting modelling through visualisers or recorded explanations
• allowing pupils to revisit content at their own pace

This improves the quality and consistency of teaching without adding unnecessary burden.

---

Oracy and Inclusion

Oracy was positioned as a golden thread across the trust. This is particularly important for disadvantaged pupils.

Technology can support this through:

• tools that allow pupils to record and reflect on their thinking
• collaborative platforms that encourage participation
• support for vocabulary development

The outcome is improved engagement and stronger access to the curriculum.

---

Metacognition and Feedback

Helping pupils understand how they learn is powerful but requires structure.

Technology can enable:

• self assessment and reflection over time
• clearer feedback loops
• better tracking of progress

This supports independence and provides teachers with more meaningful insight.

---

Governance and the ‘So What’ Question

One of the strongest messages in the session was the importance of asking, “So what?”

Technology can support governance by:

• providing clearer, more timely data
• linking teaching approaches to outcomes
• enabling better conversations at board level

The aim is to move from reporting activity to understanding impact.

---

A Strategic Discipline

There is a risk that digital strategy becomes driven by tools rather than purpose.

As trustees, we should remain disciplined. Not every digital decision needs to be a pedagogical one.

Instead, we should be asking:

• Does this improve the quality of teaching?
• Does it reduce unnecessary workload?
• Does it improve consistency across the trust?
• Does it lead to better outcomes for pupils?

If the answer is unclear, then the case for change is weak.

---

Final Reflection

What Jane presented was not complex, but it was rigorous. That is where its strength lies.

Technology should not sit alongside this work as something separate. It should sit beneath it, quietly enabling it to scale, to embed and to sustain.

From a trustee perspective, the priority is straightforward.

Every decision, including digital, should strengthen the organisation’s ability to deliver high quality education.

And ultimately, it should always come back to one question.

What difference is this making for our children?

In the schools sector we often talk about growth. More schools, more scale, more influence. But growth alone is rarely the right question.

Listening to Alan Warboys speak about the proposed merger between Accord Multi-Academy Trust and Maltby Learning Trust was a useful reminder that the real question is always why.

Throughout the two-year process, the leadership teams have kept returning to a single test:

Will this be the best thing for our children and communities over the next ten years?

That framing matters. It shifts the conversation away from organisational mechanics and towards long-term impact.

A merger of equals is harder but healthier

Accord, with five schools in Wakefield, and Maltby Learning Trust, with seven schools across Doncaster and Rotherham, are broadly similar in size and performance. Rather than one trust absorbing the other, the intention has been a merger of equals.

That makes things more complicated.

Governance needs redesigning. Structures need negotiating. Cultural assumptions need surfacing. Compromise becomes unavoidable.

But it also forces deeper collaboration. If neither organisation is taking over, both have to build something new together.

Start with the non-negotiables

One of the most practical lessons from the session was the importance of early clarity.

Before progressing, both trusts defined:

• what they wanted from the merger
• what they would not compromise on
• where compromise would be necessary

Key principles included preserving school identity, retaining key staff, and aligning strategy and governance without destabilising existing improvement work.

Without that clarity, the inevitable complexity of a merger can easily become conflict.

Integration happens at different speeds

Operational alignment can happen relatively quickly. Educational alignment should not.

The trusts began integrating teams early, aligning systems such as MIS and finance, and designing a shared services model. Notably, they intentionally moved away from the term central team. It is a useful reminder that the organisation exists to serve schools, not the other way around.

But when it came to school improvement, the approach was deliberately cautious.

Both trusts already had strong models. Rather than impose one immediately, they designed a three-year integration period. The aim is to identify the “golden thread” between them and gradually align practice over time.

That kind of patience is rare but probably wise.

Governance is the backbone

Another strong theme was the role of trustees.

Sub-committees from each trust worked together. An external review tested organisational compatibility. A shadow board brought trustees from both organisations into joint decision-making.

In many ways, governance led the process rather than simply approving it.

People first

Perhaps the most important message was about people.

Staff consultation has been extensive. Central teams have worked together early. Trade unions were brought into a joint forum. Leadership teams have collaborated across both trusts long before the merger completes.

You cannot merge organisations without bringing people with you.

Purpose, place and the next decade

Ultimately, the ambition is not simply a larger trust.

It is a place-based partnership with greater capacity, stronger leadership pipelines, and improved opportunities for pupils across the region.

That ambition is grounded in three ideas that kept resurfacing during the session:

• People – supporting and retaining the staff who make schools work
• Place – strengthening local partnerships and communities
• Purpose – improving outcomes for children

Scale, when it comes, should serve those things, not replace them.

In a sector where mergers are becoming more common, Warboys’ reflections felt like a useful compass.

Start with purpose.
Be clear about what matters.
Move carefully where it counts.

And always keep the ten-year question in view.

A final thought on digital

One theme that often sits quietly beneath mergers like this is digital transformation.

Aligning systems, integrating data, rationalising platforms, and designing shared services all depend on technology decisions. These choices shape how efficiently the new organisation operates and how easily schools can work together.

It raises an important question for any trust considering a merger:

Who is leading the digital transformation that sits alongside the organisational one?

The technical work often determines how smooth the integration feels for staff and schools.

If your trust is navigating a merger, or considering one, and thinking about the digital implications, it would be great to talk. At Transformative we work with trusts on exactly these challenges, helping leaders align technology, strategy and operations during periods of structural change.

If we can be helpful, please do get in touch.

We recently brought together sector leaders and specialists for a webinar on cyber resilience in education. What emerged was not another technical conversation about firewalls and compliance checklists. It was a much more fundamental discussion about safeguarding.

If we are honest with ourselves, cyber security and safeguarding are no longer separate conversations. They are inseparable. And there are some uncomfortable truths that education leaders need to confront.

1. Cyber incidents become safeguarding failures

A serious cyber incident is not simply an IT problem. It is a safeguarding issue from the moment systems go down.

If a trust loses access to pupil data, care plans, safeguarding records or parental contact details, it loses its ability to coordinate support for vulnerable learners. If the systems that hold what many refer to as the grab bag are unavailable, staff cannot act with confidence or speed. That creates a material safeguarding risk.

Ransomware does not just lock files. It disrupts the operational fabric that protects children and staff. When we separate cyber risk from safeguarding risk, we create blind spots. They must be discussed together at board level, not in isolation.

2. We underestimate operational fragility

Many organisations still believe a cyber breach means a few days without laptops. The reality is far more complex.

A major ransomware attack can affect:

• Cloud-based telephony and critical communications
• Building Management Systems and door access controls
• Payroll and finance operations
• Catering systems and payment processes

If pupils cannot be charged for meals, the financial implications mount quickly. If access control systems fail, that becomes a site safety issue. If payroll is disrupted, staff confidence is damaged.

Modern education is deeply dependent on interconnected digital systems. Over time, workflows become automated and undocumented. When they fail, organisations discover just how much tacit knowledge has been embedded in technology. The gaps that appear are often deeper than expected.

Operational fragility is not theoretical. It is real, and it is growing.

3. Identity and suppliers are the real front line

The biggest risks are not always where we expect them to be.

Identity management has become central to how schools and trusts operate. Single Sign-On simplifies life for users and IT teams. But it also increases the blast radius. If one identity is compromised, access to multiple systems can follow.

We are also seeing compromised student accounts being used to phish staff and peers. That changes the threat model. The attacker no longer appears external. They appear familiar.

Then there is the supply chain. Catering providers, building management suppliers, outsourced services, all connecting devices and systems to the network. Each connection represents a potential entry point.

Too often, due diligence stops at contractual paperwork. Cyber maturity of suppliers is assumed rather than assured. In practice, that can leave an open door into core systems.

If we want to improve resilience, we need to treat identity and supplier governance as strategic priorities, not operational afterthoughts.

4. Compliance theatre is not resilience

Annual training sessions and policy sign-offs may satisfy an audit requirement. They do not create resilient organisations.

Ticking a box once a year is compliance theatre. It gives a sense of control without delivering it.

Real resilience is educational in the truest sense. It is:

• Continuous, delivered in small and regular interventions rather than a single annual event
• Contextual, grounded in real phishing attempts and real incidents experienced by the organisation
• Tested, using simulations and short assessments to identify higher risk users and support them properly

Cyber threats evolve constantly. Our approach to awareness must evolve too. If we treat it as a static compliance exercise, we will always be behind.

Moving from awareness to action

The conversation closed with a practical focus on partnership. Education organisations do not need more abstract guidance. They need accessible, specialist support that understands both safeguarding and cyber risk.

Models that provide enterprise-grade protection at a price point education can sustain are essential. The ambition should be simple. Deliver Tier 1 capability at Tier 3 commercials so that strong cyber resilience is not a luxury, but a baseline.

Transformation in education is digital by definition. Safeguarding in education must now be digital by design.

If we are serious about protecting learners and staff, cyber resilience has to move from the IT agenda to the leadership agenda. That is where real change begins.

We can’t put the Genie back in the bottle…

Google DeepMind’s Project Genie (a research prototype), powered by the Genie 3 model, is more than an impressive technical demonstration. It exposes a deeper question about education. It’s current only available to Google Ultra users in the US however I’ve been thinking of the potential opportunities and some of the associated risks for such technologies.

Our school system was designed for a world where information was scarce. In many ways, we educated children and young people to memorise content, follow prescribed procedures, and produce standardised answers (a broad generalisation, I know, but bear with me). While this approach has clear strengths in promoting equity, consistency, and academic rigour, it’s worth asking: is it still fit for the future?

We now live in an age of information abundance. The cost of generating explanations, modelling systems and synthesising ideas has collapsed thus making knowledge and information more accessible than ever before. I’m not suggesting this is a good or bad thing but more an appreciation of the reality.

If AI reduces the cost of cognition, and education exists to build cognition, then we must rethink what building cognition actually means.

From Content to Systems

Project Genie allows users to create and explore interactive worlds. Instead of reading about a system, pupils can build and test one. Instead of describing cause and effect, they can experience it.

This moves learning from content recall to systems thinking.

Students could simulate:

• Climate feedback loops
• Urban planning trade-offs
• Economic policy decisions
• Historical turning points

They would not simply learn facts. They would reason within complexity.

Building Judgement and Agency

Genie also creates space for ethical and strategic decision making. Simulated environments could explore AI governance, public policy or resource allocation dilemmas. Pupils would need to decide, defend and reflect.

This develops judgement, not just knowledge.

It also supports human and AI collaboration. Students prompt, refine and challenge the model. They learn to supervise AI rather than outsource thinking to it. That distinction matters.

Implications for England

England is at a crossroads. We face curriculum reform, workforce disruption and growing pressure to embed AI literacy.

Project Genie as one use case example could offer an opportunity to:

• Shift towards studio-based, problem-led learning
• Develop systems literacy across subjects
• Embed ethics into mainstream education
• Assess reasoning rather than rote performance

The risk is that we treat it as just another digital add-on. The opportunity, however, is to reimagine learning around agency, responsibility, and deeper thinking. At the same time, there is a clear and fundamental need to prioritise AI safety and strong governance of emerging technologies, supported by appropriate regulation and safeguards. All of this must sit alongside the ever-present considerations of equity and access.

The Real Question

If digital systems are better at sharing information, then the purpose of schooling must evolve.

We should be building:

• Judgement
• Responsibility
• Social intelligence
• Ethical reasoning
• The ability to think within complex systems

Project Genie is powerful not because it entertains, but because it allows pupils to wrestle with complexity.

In 2026, I think that is the skill that will matter most…

NB://This article is exploratory and not a recommendation for specific technology adoption.

Recent industry commentary has highlighted a significant shift in vendor pricing terms, with some major manufacturers reserving the right to adjust pricing up to the point of shipment.

For many in the channel, this represents more than contractual fine print. It signals a structural change in how hardware is bought, sold and governed.

Across the public sector in particular, we are increasingly aware of scenarios where:

• Quotes have been evaluated under recognised procurement frameworks.
• Preferred suppliers have been selected through compliant processes.
• Board approvals have been secured in line with financial regulations.
• Purchase orders have been formally raised.

Only for vendors to subsequently refuse acceptance at the quoted price, citing supply chain cost increases.

In some cases, the uplift has been material.

Where this happens, the implications extend far beyond commercial inconvenience. They trigger governance reviews, delay delivery programmes, and force organisations into contingency planning exercises; sometimes resulting in alternative suppliers being appointed at different price points purely because they can guarantee stock and price certainty.

Why This Is Happening

The wider context matters.

Global demand, particularly driven by AI infrastructure, has reshaped component supply chains. Memory, GPU and other key hardware markets have experienced volatility not seen in recent years. Vendors are managing risk exposure, and some are embedding ‘greater flexibility‘ into their Ts & Cs as a result.

However, that flexibility moves pricing risk downstream.

For organisations operating within structured procurement and governance frameworks, especially in education, healthcare and wider public services, price certainty is foundational. It underpins:

• Budget approvals
• Audit trails
• Regulatory compliance
• Board-level accountability

When a quoted and accepted price is no longer guaranteed, the governance model itself comes under strain.

Why This May Worsen Before It Improves

There is growing concern within the sector that this is not a short-term anomaly.

If demand pressures continue and vendors normalise shipment-date repricing clauses, we may see:

• Increased volatility in large hardware procurements
• Reduced quote validity windows
• Greater pressure on procurement timelines
• More frequent re-evaluation exercises post-approval

In the short and medium term, this environment is unlikely to stabilise quickly.

Organisations planning significant hardware investments, particularly infrastructure that underpins the safe and effective running of services, should assume continued volatility.

What Organisations Should Be Doing Now

At TransforMATive, we are proactively advising sector leaders to adjust their planning assumptions.

This does not mean panic. It means preparation.

1. Communicate Market Volatility at Board Level

Boards and finance committees need to understand that hardware markets are currently dynamic. Pricing risk should be clearly articulated early in business case discussions, particularly where approval cycles are lengthy.

Price certainty can no longer be assumed.

2. Consider Budget Tolerances

Where possible, organisations should:

• Build defined tolerance thresholds into capital budgets.
• Stress-test business cases against potential cost movements.
• Assess whether staged procurement reduces exposure.

The lowest evaluated price may not represent the lowest overall risk.

3. Review Procurement Timelines

Extended governance cycles increase exposure to market shifts. Organisations should consider:

• Aligning procurement timing more closely with stock availability.
• Confirming price protection terms explicitly.
• Understanding supplier inventory position as part of evaluation.

In some cases, certainty of stock may outweigh marginal price differences.

4. Develop Contingency Plans Early

For infrastructure that underpins safeguarding, data security, or operational continuity, contingency planning should be part of the initial procurement strategy, not an afterthought.

This may include:

• Identifying alternative suppliers.
• Assessing refurbished or certified second-user options where appropriate.
• Considering phased deployment models.
• Exploring cloud or consumption alternatives if suitable.

The key is resilience.

A Shift in Risk Weighting

Historically, framework-based procurement has prioritised compliance, transparency and value for money, with price certainty as a given once a contract is awarded.

If shipment-date repricing becomes embedded practice, organisations will need to evolve how they evaluate “best value”. Risk management, stock position and contractual protection will become more prominent factors in award decisions.

The sector is navigating a period where certainty itself carries value.

Looking Ahead

Technology transformation will not pause. Devices still need to be deployed. Infrastructure still needs to be refreshed. Services must continue to run safely and effectively.

But the environment in which procurement operates is changing.

Our role at TransforMATive is to help organisations anticipate these shifts rather than react to them. By factoring volatility into planning, communicating risk clearly at board level, and embedding contingency thinking into procurement strategy, organisations can remain compliant, resilient and in control, even in uncertain markets.

The conversation now is not simply about price.

It is about preparedness.

You can read a market blog post here

---

In our final forum of the 2025 programme, we turned our attention to practical automation and how Trusts can make smarter use of the existing tools embedded within Microsoft and Google ecosystems. These platforms (Google Apps Script within Workspace and Power Automate within Microsoft 365) offer powerful, often underutilised capabilities that can meaningfully reduce the administrative burden tied to information governance and data protection responsibilities.

When it comes to statutory requests such as Subject Access and Freedom of Information, many Trusts still rely on spreadsheet-based logs. By introducing some light-touch automation, you can significantly streamline these processes. A simple form can collect request details directly from staff, parents, or pupils, feeding data straight into your log. From there, automated workflows can assign unique reference numbers, alert the appropriate academy or Trust stakeholders, calculate response deadlines, generate folder structures for evidence collation, and send periodic reminders based on the date of submission. They can even issue the initial acknowledgment email to the requester without manual intervention. To support this, you may wish to configure lookup tabs within your log that direct automation to the correct recipients and folder pathways based on the academy or department involved.

A similar approach applies to data breach management. Beginning with a form ensures consistent data capture, and automation can then assign references, pre-populate core sections of your investigation template, grant editor access to the investigation lead and notify those responsible for oversight. Scheduled reminders help ensure incidents continue to progress and aren’t inadvertently left unresolved.

The examples we explored during the AI & Data Protection forum represent only a fraction of what’s possible. Once you begin applying automation to routine governance tasks, it quickly becomes clear how much time and effort can be reclaimed, both for information governance teams and for colleagues across your wider organisation.

Thank you to everyone who has taken part in the AI & Data Protection forum throughout 2025. It has been a pleasure to learn from your experiences and to see the thoughtful, practical work happening across Trusts. The forum will be taking a hiatus during 2026, but we anticipate returning in some form in the future. Until then, keep up the excellent work, and do reach out to TransforMATive if you need support, whether for a small, immediate objective or a long-term strategic project.

Last week at the forum we discussed the statutory requirements for an Article 30 Record of Processing Activities (ROPA). Every organisation with data protection obligations has its equivalent of the Single Central Record (SCR), and in the world of data protection, that’s your Article 30 Record of Processing Activities. The Information Commissioner’s Office (ICO) considers this a crucial document and will often ask to see it during certain types of investigations.

While there are many complex systems available to help you manage this, in all honesty, a well-structured spreadsheet can often suffice. Beware of any vendor claiming their product is a ‘golden ticket’ as there will always be critical, specific fields that only your team can populate accurately.

The Statutory Requirements: What Article 30 Demands

The bare minimum requirements for your ROPA are clearly set out in Article 30 of GDPR. You must include the following mandatory fields:

1. Controller and DPO Details: The name and contact details for the controller, and where applicable, the joint controller, representative, and Data Protection Officer (DPO).
2. Purposes of Processing: A clear statement on why you are collecting the data.
3. Categories of Data: A description of the categories of data subjects (e.g., Pupils, Parents, Staff) and the categories of personal data collected (e.g., Name, DOB, Health data, NI Number).
4. Recipients and Transfers: The categories of recipients who have or will receive the personal data, including those in third countries or international organisations.
5. International Transfers: Details of any transfers outside of the UK (which should also involve considering your data processors’ storage locations), including the identity of the country/organisation and the documentation of suitable safeguards (such as SCCs, adequacy decisions).
6. Erasure Time Limits: Where possible, the planned time limits for erasure for the different data categories (e.g. 6 years, 12 months, or a link to your full retention policy).

Security Measures: Where possible, a general description of the technical and organisational security measures. Here we should be thinking about access controls like passwords, MFA, granular permissions, and locked cabinets.

Elevating Your ROPA: Best Practice Fields

To make your ROPA a truly useful asset, we recommend capturing the following additional, best-practice fields:

• Information Asset Owner: The senior individual responsible for the specific data set.
• Storage Location: Where the data physically resides, such as MIS, CPOMS, or a specific folder within SharePoint or Google Workspace.
• Lawful Basis: The Article 6 Lawful Basis you are relying on.
• Special Category Exemption: The Article 9 special category exemption, if applicable.
• Privacy Notice Details: The name of the privacy notice covering this processing and when it is supplied to the data subject.
• Consent/LIA Location: A link to or a description of where the consent form or Legitimate Interests Assessment (LIA) is stored.
• Access/Sharing: Who has internal access, whether the data is shared, and whether it is published.
• Disposal Responsibility: Who is responsible for disposal and the method (e.g. secure shredding of paper, electronic system disposal).
• Processor Organisation: Details of any processors involved.
• System Details: Comprehensive details of the system storing the data including name, general description, contract status, vendor contact details, format (electronic/hard copy) and how data is transferred out of the system. These should be set up as different columns for ease of reference.

The Underappreciated Benefits of a Complete Register

A completed ROPA offers far more than simply satisfying a legal requirement. It provides underappreciated operational benefits that can significantly strengthen your data protection posture:

• Faster Data Breach Response: It’s a quick reference document to identify the data types involved in a breach without needing to query colleagues or access the system. It helps you quickly identify and reach out to affected colleagues in other schools or business units.
• Improved Privacy Notices: The ROPA clearly outlines the information that must be reflected in your notices.
• Access Reviews: It facilitates regular checks to ensure access controls are adequate and that staff members only have access where there is a legitimate business need.
• Promotes Data Awareness: The process forces colleagues across the organisation to actively think about what personal data they hold.
• Data Location and Retention: You will know exactly where all your personal data is located and who is responsible for ensuring compliance with retention periods.
• DPIA and Processor Tracking: It can highlight the need for further Data Protection Impact Assessments (DPIAs) and provides a mechanism to track and perform due diligence on processors and sub-processors.
• Knowledge Gap Analysis: It exposes areas where colleagues lack understanding such as not controlling disposal, lack of access controls, or processing without a clear lawful basis.
• Sharing and Risk Assessment: It helps you identify when data is being shared without a Data Processing Agreement (DPA) or Data Sharing Agreement (DSA) and whether the sharing method is considered ‘high risk’.

Finally, if you conduct internal audits, the ROPA serves as a valuable reference document. You can conduct sample checks on rows to ensure the data in the ROPA matches the live system, enabling a process of iterative improvement.

Q&A Session

In many instances completing a ROPA is a retrospective exercise. It relies on unravelling the complex web of data flows and contracts whilst at the same time reacting to new processing activities across a range of areas. How do we make this more manageable?

The initial population of a ROPA can be a daunting and laborious task. Given that the requirement to populate came into force in May 2018 many organisations are now completing this retrospectively. It’s easy to get bogged down with the subprocessors and in turn their own subprocessors which can lead to losing sight of the purpose of the document. Analysis of the subprocessor tree is better suited for documenting within your due diligence vendor assessments and any DPIA’s that you conduct. For the purpose of the register focus on the locations (both electronic and hardcopy) where personal data is held and then work backwards from there documenting the information within those systems. If you are using a spreadsheet then don’t overload each row. For example it’s often easier to split data sets into separate entries on your register when:

• They are stored in multiple locations (have a row for the pupil data in your MIS and another for the same data you might have in Google Workspace / Share Point)
• There are physical copies as well as electronic (you’ll have different storage locations and access controls for each).
• The classes of data subject require different lawful bases for the processing (you might want a row for the employee data in the MIS as well as a separate row for Pupil/Parent data).

Remember to document the main system that the data is stored in and the processor of that data. There’s no need to add extra rows to cover sub-processors which may have access to small subsets of the overall data set. Realistically this should be information on the processor’s information asset register.

To make population and maintenance more manageable:

• Simplify the Process: If you are using a spreadsheet, use data validation features to create drop-down menus for fields with a limited number of possible options.
• Delegate Responsibility: This is an organisational responsibility, not solely the burden of the DPO and their team. Unless your Trust retains complete control over all systems, you should not attempt to do it all yourself.
• Appoint Leads: For medium-sized Trusts and above, we strongly recommend appointing a data protection lead in each academy and business unit. These individuals should be responsible for populating the types and locations of data as a bare minimum.

Provide Guidance: Prepare an example sheet illustrating best practice for both your academies and Central Business Units.

Final Thoughts

Creating and maintaining an effective ROPA isn’t about chasing perfection or compiling every conceivable detail. It’s about establishing a clear, accurate, and functional picture of how personal data moves through your organisation. By focusing on statutory essentials, enhancing your register with practical best practice fields, and keeping the process simple and collaborative, you transform the ROPA from a compliance obligation into a powerful operational tool. With defined responsibilities, sensible structure, and ongoing engagement across teams, your register becomes a living document that strengthens governance, sharpens awareness, and supports confident, proactive data protection practice.

Join us next month where we’ll be looking at how your organisation can use automation to improve your data protection and AI governance processes. To register for the AI & Data Protection form on Friday 5 December please click this link!

I walked into Google’s London office with a simple aim. Could we move the conversation on from tools to value. By the end of the morning it was clear that the answer is yes, but only if we are honest about where we are and deliberate about where we are going.

We started with a tour of what is now possible. Gemini continues to mature at pace, from image and video generation to deep research and code on canvas. New workflow features promise to stitch everyday tasks together. That was exciting, but the best moment came when we looked past the feature list and into the architecture and guardrails that make this safe for schools. Enterprise deployment, data residency, sandboxing and clear human approval points. That is where confidence grows.

The highlight for me was a practical AI agent story. A simple HR assistant that answers routine questions, checks policy and prepares actions has already given real hours back each week. Nothing flashy. Just a clear problem, a small pilot and a measurable outcome. It reminded me that transformation is rarely a single leap. It is a series of well chosen steps that build trust and capability.

Across the room we heard the same pressures. Funding in real terms, staffing churn and the paradox of doing more with less. The easy response is to chase the next shiny tool. The harder and better response is to design our digital estate with the same seriousness we give to our buildings. Name the architect. Decide what good looks like. Integrate systems. Improve data quality. Measure the experience of staff and pupils, not just the cost line.

We used a value compass to ground our choices. Yes, efficiency matters. So does risk reduction, staff and pupil experience and, for some, new revenue models. When leaders frame decisions through that lens, conversations move from technology to strategy, which is where they belong.

If there was a single word that captured the day it was intent. Hope is not passive. It is choosing the next right step and taking it together. Our next steps are clear. Define the data leadership approach. Audit the digital estate. Pilot one safe AI agent with human approval in the loop. Share what works so we all move faster. My thanks to our speakers and to everyone who gave their time and thinking. The energy in the room was real. Now we turn it into outcomes.