The UK GDPR: summary

The UK General Data Protection Regulation (UK GDPR) determines how you must process and store personal data – understand what you have to do and the principles of data processing.

Updated on 12 June 2026
School types: All
School phases: All
Ref: 30801
Contents
  1. What is the UK GDPR?
  2. Who does the UK GDPR apply to?
  3. Your main responsibilities under the UK GDPR
  4. The UK GDPR in more detail 
  5. Train your staff on data protection 

What is the UK GDPR?

The UK General Data Protection Regulation (UK GDPR) is legislation that works with the Data Protection Act 2018 to form the UK's data protection laws.

It sets out the rules for how people’s personal data is processed and kept safe.

This legislation has been modified by the Data (Use and Access) Act 2025, but most of the changes don't affect schools directly. Read our summary for more details.

What counts as personal data?

Personal data is information relating to a living individual who can be:

  • Directly identified from that information; or
  • Indirectly identified from that information in combination with other information

See the ICO's guide to personal information for more details.

Who does the UK GDPR apply to?

It applies to ‘data controllers’ and ‘data processors’.

You're still responsible for making sure that 'data processors' who process