GDPR will apply to all those who process personal data from 25 May 2018 and will replace the current Data Protection Act. Under current data protection laws, the governing board, as the body with corporate responsibility for managing the school, has ultimate responsibility for matters relating to data protection. Governors and trustees should be aware of the coming changes and how to ensure that their school is compliant.