UK GDPR: make sure your suppliers are compliant

You must make sure that any third parties that process personal data for your school meet UK GDPR requirements. See the steps you'll need to take, and download our checklist for your provider contracts.

Last reviewed on 3 May 2023
School types: AllSchool phases: AllRef: 34452
Contents
  1. Make sure your 'data processors' comply with data protection law
  2. Get 'sufficient guarantees' that they follow data protection law
  3. Continue to check processors’ compliance
  4. Check your contract includes the minimum requirements

Make sure your 'data processors' comply with data protection law

Data processors are third parties that process personal data on your behalf and under your instructions. They may include:

  • Payroll providers
  • School club providers

You must make sure your data processors comply with the UK General Data Protection Regulation (UK GDPR). See the section below for details on how to do this.

You don't need to do this for 'data controllers'

Data controllers are the main decision-makers, exercising overall control over how the personal data is processed. They may include:

  • Contractors
  • Awarding bodies
  • Other schools or trusts

This information comes from the ICO. Take a look at its guidance if