You must have policies and procedures in place
In March 2024, the DfE published new lists of statutory policies for both maintained schools (in the maintained schools governance guide) and academies, including free schools (in the academy trust governance guide). Data protection is not included as a statutory policy in these lists.
However, it is a legal requirement that your school has data protection policies and procedures in place. These should be regularly reviewed and updated.
You should also review your other statutory policies and documents with data protection in mind.
This is explained in the DfE's guidance on data protection.
You must also have privacy notices. If you collect biometric information from your pupils, your privacy notices should include information about how this data is processed and stored, including the rights of individuals relating to the processing. See page 11 of the DfE's guidance on protection of biometric information of children in schools.