Part 2: Background to the GDPR
The General Data Protection Regulation, known as the GDPR, came into effect on 25 May 2018. In the UK, it is applied through the Data Protection Act 2018. This means that, whether or not the UK is a member of the EU, the main requirements of the GDPR, with some small changes, form part of UK law.
The GDPR is the law that sets out how Personal Data must be protected.
It applies to the Personal Data of natural persons, who are referred to in the GDPR as Data Subjects.
A key purpose of the GDPR is to protect the fundamental rights of Data Subjects, including their right to have their Personal Data handled properly.
Important GDPR Definitions
Understanding a few core GDPR terms makes the rest of the guidance much easier to follow.
What is Processing?
Processing means any operation performed on Personal Data, whether or not it is done by automated means.
This includes collecting it, recording it, organising it, storing it, changing it, retrieving it, looking at it, using it or sharing it. It also includes erasing or destroying it: deleting data is still processing.
What is Personal Data?
Personal Data is any information that relates to a living person and can identify them, either on its own or when combined with other information.
In GDPR language, that person is called a Data Subject.
What is a Data Controller?
A Data Controller is the person or organisation that decides, alone or jointly with others, why Personal Data is being used (the purposes) and how it will be used (the means).
In a school or college setting, this will usually be the organisation that makes the decisions about the use of pupil, staff or parent data.
What is a Data Processor?
A Data Processor is a person or organisation that processes Personal Data for a Data Controller.
This usually means they are handling the data on someone else’s instructions, rather than deciding the purpose for themselves.
Does the GDPR apply to schools and colleges?
Yes. The GDPR applies to schools and colleges in the UK.
The GDPR applies to organisations that act as Data Controllers or Data Processors, regardless of their main purpose, in the circumstances set out in Article 3. In broad terms, the GDPR applies where:
- the Data Controller is established in the EU
- the Data Processor is established in the EU
- the Data Subject is in the EU and the processing relates to offering them goods or services, or to monitoring their behaviour
This means the GDPR can apply even when an organisation is outside the EU. For example, if an organisation based in the US or India offers an online service to pupils in the EU, or monitors their behaviour online, the GDPR may still apply to that processing.
There are some exceptions. The GDPR does not apply to processing carried out:
- in the course of activities that fall outside the scope of EU law
- by an individual in the course of a purely personal or household activity
- by competent authorities for the prevention, investigation, detection or prosecution of criminal offences (in the UK this kind of processing is covered by Part 3 of the Data Protection Act 2018 instead)
For schools, colleges and MATs, the practical answer is straightforward. If they are based in the UK, they are subject to the GDPR. Even schools and colleges outside the EU may be subject to the GDPR if the children using them are based in the EU.
The GDPR applies to Personal Data processed wholly or partly by automated means, which covers anything held on a computer, in an online system or on a phone. It also applies to Personal Data held in paper records where those records form, or are intended to form, part of a filing system, such as a structured set of pupil or staff files.
Defining Personal Data
What counts as Personal Data?
Personal Data is any information that relates to a living person who can be identified directly or indirectly from that information.
This includes obvious identifiers, such as a person’s name or email address, but it also includes information that could identify someone when used together with other data.
Examples of Personal Data include:
- a name
- an identification number, such as a National Insurance number or a pupil number
- location data, such as an address or GPS data
- online identifiers, such as an IP address or a device identifier
- one or more factors specific to a person's physical, physiological, genetic, mental, economic, cultural or social identity
In simple terms, if the information identifies a living person, or could be used to identify them, it is likely to be Personal Data.
What is Special Category Personal Data?
Under the Data Protection Act 1998, the term Sensitive Personal Data was used for certain types of information that could cause greater harm if handled improperly.
Under the GDPR, this is now called Special Category Personal Data.
As set out in Article 9.1, this includes Personal Data revealing:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
It also includes:
- genetic data
- biometric data processed for the purpose of uniquely identifying a natural person, for example fingerprint or facial recognition templates used for cashless catering or registration
- data concerning health
- data concerning a person's sex life or sexual orientation
Under Article 9, processing Special Category Personal Data is prohibited unless one of the specific conditions in Article 9.2 applies. That condition is needed in addition to, not instead of, a lawful basis under Article 6 for the processing itself.
More detail on Special Category Personal Data is set out in Part 7 of the SWGfL GDPR guidance.
Key GDPR Principles
The key GDPR principles are set out in Article 5. They describe what good data protection looks like in practice.
Personal Data must be:
- processed lawfully, fairly and transparently
- collected for specified, explicit and legitimate purposes, and not used in ways that are incompatible with those purposes
- adequate, relevant and limited to what is necessary
- accurate and, where necessary, kept up to date, with inaccurate data corrected or erased without delay
- kept in a form that identifies people for no longer than necessary
- processed securely, using appropriate technical and organisational measures to protect it against unauthorised or unlawful processing and against accidental loss, destruction or damage
Article 5.2 adds an accountability principle: the Data Controller is responsible for complying with these principles and must be able to demonstrate that it does so, for example through its records of processing, its policies and its staff training.
What this means in practice
For schools, colleges and MATs, the GDPR is not just about legal definitions. It is about making sure Personal Data is handled properly, fairly and securely.
That means knowing what Personal Data you hold, why you hold it, how you use it, who you share it with and how long you keep it. It also means recognising when the data you handle is especially sensitive and needs additional protection.