Whilst it might not be a UK school, in Iceland a secondary school was recently fined 1.3 million Icelandic króna (about £8,124 or €8,945) for a personal data breach where a file containing sensitive student data had been attached in error to an email. Amongst other things, the Icelandic Data Protection Authority's decision identified a gap in GDPR Article 32 implementation by the school. This requires the controller to have security measures in place appropriate to the risk, which the school clearly didn't have.
This is the same legislation we have in place in the UK so it is clear that the ICO may well consider this as a benchmark for an future breaches by schools here at home. Don't get caught out - have clear policies in place, insist your staff comply with the law and are careful about the way they process personal data, and issue regular reminders about the need for effective compliance!