GDPR and Data Protection

GDPR and Data Protection

The General Data Protection Regulation (GDPR) is a piece of EU-wide legislation which determines how people’s personal data is processed and kept safe, and the legal rights individuals have in relation to their own data. 

‘Personal data’ means information that can identify a living individual. 

The regulation applies to all schools from 25 May 2018, and will apply even after the UK leaves the EU. 

Main principles

The GDPR sets out the key principles that all personal data must be processed in line with.

• Data must be: processed lawfully, fairly and transparently; collected for specific, explicit and legitimate purposes; limited to what is necessary for the purposes for which it is processed; accurate and kept up to date; held securely; only retained for as long as is necessary for the reasons it was collected

There are also stronger rights for individuals regarding their own data.

New requirements

The GDPR is similar to the Data Protection Act (DPA) 1998 but strengthens many of the DPA’s principles.

Further information on GDPR can be found on the ICO website.