You are here:

Last reviewed on 20 April 2021
Ref: 34452
School types: All · School phases: All

You must make sure that any third parties that process personal data on your behalf will do so in line with the UK GDPR’s requirements. See the steps you'll need to take, and download our checklist to make sure you include the right details in your provider contracts.

Make sure your 'data processors' comply with data protection law 

Data processors are third parties that process personal data on your behalf and under your instructions. They may include:

  • Payroll providers
  • School club providers

You must make sure your data processors comply with the UK General Data Protection Regulation (UK GDPR). See the section below for details on how to do this.

You don't need to do this for 'data controllers'

Data controllers are the main decision-makers, exercising overall control over how the personal data is processed. They may include:

  • Contractors
  • Awarding bodies
  • Other schools or trusts

Even if you share data with a controller, you don't need to ensure their UK GDPR compliance in the same way as you do with processors. However, if you have concerns about their security measures, raise this with the controller or with the Information Commissioner's Office (ICO).

Get 'sufficient guarantees' that they follow

More from The Key


Bitesize training with a big impact

Our on-demand training has your whole board covered and lets them learn at a time and pace that suits them.

Help your new governors hit the ground running with our expertly-designed induction training, and our role-specific courses support your link governors develop key skills and confidence in their role.


New eLearning: DSL refresher training

Your DSL’s training should be refreshed at least once every 2 years. 

Designed in collaboration with safeguarding experts, our 2.5 hour online refresher training course reminds DSLs how to put their knowledge into practice, with in-depth, real-world scenarios.


The Key has taken great care in publishing this article. However, some of the article's content and information may come from or link to third party sources whose quality, relevance, accuracy, completeness, currency and reliability we do not guarantee. Accordingly, we will not be held liable for any use of or reliance placed on this article's content or the links or downloads it provides. This article may contain information sourced from public sector bodies and licensed under the Open Government Licence v3.0.