UK GDPR: make sure your suppliers are compliant

You must make sure that any third parties that process personal data for your school meet UK GDPR requirements. See the steps you'll need to take, and download our checklist for your provider contracts.

Last reviewed on 25 April 2024
School types: All
School phases: All
Ref: 34452
  1. Make sure your 'data processors' comply with data protection law
  2. Get 'sufficient guarantees' that they follow data protection law
  3. Continue to check processors’ compliance
  4. Check your contract includes the minimum requirements

Make sure your 'data processors' comply with data protection law

Data processors are third parties that process personal data on your behalf and under your instructions. They may include:

  • Payroll providers
  • School club providers

You must make sure your data processors comply with the UK General Data Protection Regulation (UK GDPR). See the section below for details on how to do this.

You don't need to do this for 'data controllers'

Data controllers are the main decision-makers, exercising overall control over how the personal data is processed. They may include:

  • Contractors
  • Awarding bodies
  • Other schools or trusts

This information comes from the ICO. Take a look at its guidance if

The Key has taken great care in publishing this article. However, some of the article's content and information may come from or link to third party sources whose quality, relevance, accuracy, completeness, currency and reliability we do not guarantee. Accordingly, we will not be held liable for any use of or reliance placed on this article's content or the links or downloads it provides. This article may contain information sourced from public sector bodies and licensed under the Open Government Licence v3.0.