UK GDPR: what governors and trustees need to do to be compliant

Your school or trust's data processing practices must comply with data protection law under the UK GDPR. Know what your board needs to do to stay compliant, and download our checklist to monitor compliance.

Last reviewed on 12 May 2025
School types: All
School phases: All
Ref: 32393
Contents
  1. Download our checklist
  2. Your whole board needs to understand the law
  3. Ask senior leaders for evidence of compliance
  4. Review your own data processing procedures
  5. Governance professionals: review your understanding of best practice
  6. Add data protection to your risk register
  7. Scrutinise the appointment of the data protection officer
  8. Designate a data protection ‘champion’
  9. Decide how you'll monitor UK GDPR compliance
  10. Local governing bodies in MATs: check your trust is compliant

The UK adopted the EU’s General Data Protection Regulation (GDPR) in 2018, but since the UK's withdrawal from the EU it has used its own version, called the UK GDPR.

The UK GDPR works with the Data Protection Act 2018 (DPA 2018) to form the UK's data protection framework.

Our summary of the UK GDPR explains more.

Download our checklist

As governors or trustees, you're ultimately responsible for data protection.

Use our checklist to help make sure your school or trust complies with the UK GDPR. It lists the actions in this article for your board to tick off: 

Download: UK GDPR compliance checklist for governors and trustees DOCX, 695.9 KB

Your whole board needs to understand the law

Everyone on your board needs a strong baseline knowledge of your school/trust’s data protection duties and what the UK GDPR rules mean. This is because you have collective responsibility for data protection.

What the UK