Information Governance


Data Protection Legislation 

The Data Protection Act (DPA) 2018 and the General Data Protection Regulation (GDPR) became law in May 2018, and regulate how organisations (including schools) must handle personal data, to ensure it is not misused. 

The GDPR is an EU regulation that sets out key principles, individual rights and obligations, which organisations handling personal data must comply with. The GDPR gives EU member states limited opportunities to make provisions for how it applies in their country, and for the UK this is covered by the DPA 2018.

The DPA 2018 is a UK Act of Parliament. It updates data protection laws in the UK, including the DPA 1998, and supplements the GDPR by tailoring how the GDPR applies in the UK – i.e. it provides exemptions.

Because the DPA 2018 supports rather than enacts the GDPR, it is important that they are read side by side.

Some of the key areas requiring policy reviews and updated procedures include: lawful bases for processing, consent, privacy notices, records of processing activities, data protection impact assessments, data breach management and subject access requests.

The tabs below cover the key areas in relation to the GDPR and DPA, and are regularly updated to provide the latest advice and guidance tailored specifically to schools.