The steps education providers must take to remain compliant with data protection laws when the UK leaves the EU.


Read this guidance if you:

This guidance is:

  • not designed to cover every instance where you process personal data

  • not designed to replace your own risk review

  • not a substitute for legal advice

Steps you must take

These steps will help you plan how you can continue to share and receive personal data lawfully.

You should:

  • continue to carry out your own risk review

  • get legal advice if you are not sure

Sharing data with the EEA

Contact anyone you share personal data with within the EEA.

You should explain you can still share personal data lawfully with them once the UK leaves the EU.

Receiving data from the EEA

Identify where you receive data from the EEA and determine:

  • who the data controllers and processors are

  • where the data is stored

Example: data controllers based in the EEA

If you’re running a school exchange with a data controller based in the EEA, you may want to consider whether standard contractual clauses (SCC) are suitable.

Use the Information Commissioner’s (ICO) free interactive tool to help you decide whether this is the case.

Example: when standard contractual clauses (SCC) are not appropriate

If standard contractual clauses (SCC) are not appropriate, the General Data Protection Regulation (GDPR) contains other articles that will provide you with additional safeguarding measures.

You can find these in Article 46 and Article 49 of GDPR. More information can be found on the ICO website.

General Data Protection Regulation (GDPR)

GDPR will be incorporated into UK law if there’s a no-deal Brexit.

This and the Data Protection Act 2018 will continue to apply to data transferred within or from the UK.

Contracts: new and existing

Ensure that contracts that include the processing of personal data in the EU provide the additional safeguards required.

This applies to:

  • existing contracts

  • new contracts you put in place after Brexit

Data Protection Impact Assessments (DPIA) and privacy notices

Review and update your:

Make sure they:

  • are up-to-date

  • reflect any changes you are making to your ways of working

Stay up-to-date

This page tells you what to do if there’s a no-deal Brexit. It will be updated if anything changes, including if a deal is agreed.

Sign up for email alerts to get the latest information about Brexit.

Read the guidance on the Information Commissioner’s Office website for further information on data protection.


Personal data

Personal data includes, but is not limited to:

  • contact information about pupils, students, learners, staff and carers

  • health information

  • details about recipients of pupil premium

  • employee references

  • safeguarding information about an individual

  • passport information, if planning trips to the EU

  • exam pupil references and results

Data controller

Data controller means a person, company or other body that determines the purpose and means by which personal data is processed.

Educational establishments, such as schools, colleges and universities, are often data controllers in their own right.

Data processor

Data processor means anyone who handles personal data on the instructions of a controller, for example, storing, collecting or analysing data as part of a service provided to the controller.

Published 27 March 2019
Last updated 19 August 2019

  1. Format updates have been made to highlight actions that people need to take. A link has also been added that allows people to sign up for email alerts to get the latest information about Brexit.
  2. First published.