UK GDPR: what governors and trustees need to do to be compliant

Schools must make sure their data processing complies with data protection law under the UK GDPR. Here's what your board needs to do to make sure you and your school are compliant, including a downloadable checklist to monitor compliance.

Last reviewed on 2 September 2022
School types: All · School phases: All
Ref: 32393
  1. Download our checklist
  2. Your whole board needs to understand the law
  3. Ask senior leaders for evidence of compliance
  4. Review your own data processing procedures
  5. Clerks: review your understanding of best practice
  6. Add data protection to your risk register
  7. Scrutinise the appointment of the data protection officer
  8. Designate a data protection ‘champion’
  9. Decide how you'll monitor UK GDPR compliance
  10. Local governing bodies in MATs: check your trust is compliant

The UK adopted the EU’s General Data Protection Regulation (GDPR) in 2018, but since the UK's withdrawal from the EU it has used its own version, known as the UK GDPR.

The UK GDPR works with the Data Protection Act 2018 (DPA 2018) to form the UK's data protection framework. Find out more in our summary.

As governors and trustees, you're ultimately responsible for data protection, and this article will help you make sure that you and your school/trust are compliant. It draws together advice from the Information Commissioner's Office (ICO) and 4 of our associate experts: Caroline Collins, Brendan Hollyer, Graeme Hornsby and Leon Ward.

Download our checklist

We've condensed the actions in this article into a checklist that your governing board can tick off.

This is because you have collective responsibility for data protection. Even if you're lucky enough