The General Data Protection Regulation (GDPR) is a piece of EU-wide legislation which will determine how people’s personal data is processed and kept safe, and the legal rights individuals have in relation to their own data. From 25 May 2018 it was applied to organisations that process or handle personal data, including schools.

It’s similar to the Data Protection Act (DPA) 1998 in many ways. Most of the differences involve the GDPR building on or strengthening the principles of the DPA.

Article 5, in chapter 2 (page 117), sets out six principles of data processing. These say that personal data must be:

• Processed lawfully, fairly and in a transparent manner
• Collected for specified, explicit and legitimate purposes
• Adequate, relevant and limited to what is necessary in relation to the purposes for which the data is processed
• Accurate and kept up to date
• Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data is processed
• Processed in a way that ensures appropriate security of personal data.