Brexit & Data Protection

Data Protection and ‘Brexit’ – business as usual for schools!

In May 2018, we saw a big shake up in the data protection legislation, resulting in the birth of the EU General Data Protection Regulation 2016 (GDPR) and the UK Data Protection Act 2018 (DPA 2018), which came into force the same day as GDPR. Schools are currently required to comply with both pieces of legislation.

What’s the difference between the two laws?

The GDPR is EU law that regulates the use of personal data in the European Economic Area (EEA). It applies to all public authorities (including schools) and most businesses and organisations. The DPA 2018 is UK law which is made up of four ‘data protection regimes’; the first two being most relevant to schools:

  1. Part 2, Chapter 2: The GDPR – this chapter supplements the GDPR so that it operates in a UK context
  2. Part 2, Chapter 3: Other General Processing – this chapter applies a UK version of the GDPR to areas outside the scope of EU law
  3. Part 3: Law Enforcement Processing – this part brings into UK law the EU Law Enforcement Directive.
  4. Part 4: Intelligence Services Processing – this part applies to the UK’s intelligence services

How will Brexit affect GDPR?

When the UK exits the EU, the EU GDPR will no longer be law in the UK. However, don’t despair, the work schools have been doing to comply with the GDPR, will continue to be relevant after Brexit, as the UK’s government will amend the DPA 2018 to ensure it implements the main provisions of the GDPR into our law. Schools should therefore not be concerned and should continue to comply with their existing data protection obligations.

Further information and guidance about data protection and Brexit are available on the Information Commissioner’s website at

The EU Withdrawal Act retains the GDPR in UK law.  Obligations and rights that schools and individuals have become familiar with, stay the same. 

To ensure the UK data protection framework continues to work effectively when the UK is no longer an EU member, the Government will make appropriate changes to the GDPR and Data Protection Act to preserve EU GDPR standards in UK domestic law.

The vast majority of changes for schools will involve removing references to EU procedures and institutions that will not be relevant to the UK when it is outside the EU.  They will be replaced with terms which make more sense, for example, general references to "GDPR" will read "Data Protection", "Union or Member State Law" will instead read as or be replaced with "domestic law" and references to "EU Commission" will be replaced with "UK Government" etc.

In a 'no deal' scenario, responsibilities of schools as data controllers will not change.  Individuals will continue to benefit from the same high levels of data protection as they do now and the same GDPR standards will continue to apply in the UK.  The ICO will remain the UK's independent regulator for data protection.

Schools will also need to refer to Brexit guidance from the DfE in relation to:

  • EU pupils and staff arriving after Brexit
  • School places for EU nationals and UK pupils returning to England from the EU after Brexit
  • Preparations as an employer (recognition of teaching qualifications)
  • Employing teachers with European qualifications
  • Checking for EEA teacher sanctions or restrictions
  • Travel to the  EU (ie school travel)
  • Food supplies
  • Medical supplies


Link to DfE Brexit advice for schools
Click here
Scroll to top