Last reviewed on 19 April 2022
School types: All · School phases: All
Ref: 34452

You must make sure that any third parties that process personal data for your school meet UK GDPR requirements. See the steps you'll need to take, and download our checklist for your provider contracts.

Make sure your 'data processors' comply with data protection law

Data processors are third parties that process personal data on your behalf and under your instructions. They may include:

  • Payroll providers
  • School club providers

You must make sure your data processors comply with the UK General Data Protection Regulation (UK GDPR). See the section below for details on how to do this.

You don't need to do this for 'data controllers'

Data controllers are the main decision-makers, exercising overall control over how the personal data is processed. They may include:

  • Contractors
  • Awarding bodies
  • Other schools or trusts

This information comes from the ICO. Take a look at its guidance if