The UK GDPR is the UK General Data Protection Regulation. It is a UK law which came into effect on 01 January 2021. It sets out the key principles, rights and obligations for most processing of personal data in the UK, except for law enforcement and intelligence agencies.
It is based on the EU GDPR (General Data Protection Regulation (EU) 2016/679) which applied in the UK before that date, with some changes to make it work more effectively in a UK context.
A great deal of the processing of personal data undertaken by schools will fall under a specific legal basis, ‘in the public interest’. As it is in the public interest to operate schools successfully, specific consent will not be needed in the majority of cases in schools.
UK GDPR will ensure data is protected and will give individuals more control over their data. However, this means schools will have greater accountability for the data:
- Schools must appoint a data protection officer, who will advise on compliance with the UK GDPR and other relevant data protection law
- Privacy notices must be in clear and plain language and include some extra information – the school’s ‘legal basis’ for processing and the individual’s rights in relation to their own data. Privacy notices for the school workforce, pupils, parents and volunteers can be found in our Policies section
- Schools will only have a month to comply with subject access requests
- Where the school needs an individual’s consent to process data, this consent must be freely given, specific, informed and unambiguous
- The Information Commissioner’s Office must be notified within 72 hours of a data breach
- Organisations will have to demonstrate how they comply with the new law
- Schools will need to carry out a data protection impact assessment when considering using data in new ways, or implementing new technology to monitor pupils