Steps data protection officers and organisation heads of education providers should take to stay compliant with data protection laws when the UK leaves the EU.


All education providers will be a data controller or data processor and need to prepare for changes when the UK leaves the EU.

Read this guidance if you:

  • are the head of an organisation, a data protection officer (DPO), or are responsible for data within an organisation

  • transfer personal data between the UK and the EU, Iceland, Liechtenstein and Norway (EEA)

  • transfer personal data within the EU, Iceland, Liechtenstein and Norway (EEA)

This guidance is:

  • not designed to cover every incidence of where you process personal data

  • not designed to replace your own risk review

  • not a substitute for legal advice


General Data Protection Regulation (GDPR)

GDPR will be brought into UK law and the Information Commissioner will remain the UK’s independent supervisory authority on data protection.

The Data Protection Act 2018 will continue to apply to data transferred within or from the UK.

Personal data

Personal data includes, but is not limited to:

  • contact information about pupils, students, learners, staff and carers

  • health information

  • details about recipients of pupil premium

  • employee references

  • safeguarding information about an individual

  • passport information, if planning trips to the EU

  • pupil exam references and results

Data controller

Data controller means a person, company or other body that determines the purpose and means by which personal data is processed.

Educational establishments, such as schools, colleges and universities, are often data controllers in their own right.

Data processor

Data processor means anyone who handles personal data on the instructions of a controller. Examples include, storing, collecting or analysing data as part of a service provided to the controller.

Data protection officer

GDPR requires all organisations to appoint a data protection officer. Data protection officer duties include advising on data protection obligations, monitoring internal compliance and providing advice on data protection impact assessments. Read the ICO guidance about data protection officers.

Steps you should take

These steps will help you plan how you can continue to share and receive personal data lawfully.

You should:

  • continue to carry out your own risk review

  • get legal advice if you are not sure

  • make sure you are complying effectively with GDPR

  • use the ICO free web resources to determine what changes, if any, you may need to make

There will be no immediate changes to data protection law or any new restrictions on sharing data with the EU, Iceland, Liechtenstein, or Norway, from 1 February 2020.

Sharing data with the EU, Iceland, Liechtenstein and Norway

Contact anyone you share personal data with within the EU, Iceland, Liechtenstein or Norway.

You should explain you can still share personal data lawfully with them once the UK leaves the EU.

Receiving data from the EU, Iceland, Liechtenstein and Norway

Identify where you receive data from the EU, Iceland, Liechtenstein, or Norway, and determine:

  • who the data controllers and processors are

  • where the data is stored

Contracts: new and existing

Ensure that contracts, which include the processing of personal data in the EU, provide the additional safeguards required.

This applies to:

  • existing contracts

  • new contracts you put in place after the UK leaves the EU

Data Protection Impact Assessments (DPIA) and privacy notices

Review and update with your data protection officer (or whoever has responsibility for data protection in your organisation):

Make sure they:

  • are up-to-date

  • reflect any changes you are making to your ways of working

Further information

Read the guidance on the Information Commissioner’s Office website for more information on data protection.

Published 27 March 2019
Last updated 31 January 2020 + show all updates

  1. Updated with data protection actions education providers should continue to take.

  2. Format updates have been made to highlight actions that people need to take. A link has also been added that allows people to sign up for email alerts to get the latest information about Brexit.

  3. First published.