GDPR will apply to all those who process personal data from 25 May 2018 and will replace the current Data Protection Act. Under current data protection laws, the governing board, as the body with corporate responsibility for managing the school, has ultimate responsibility for matters relating to data protection. Governors and trustees should be aware of the coming changes and how to ensure that their school is compliant.
Here is a short video by Iain Bradley from the DfE explaining how you can review and improve your handling of personal data. For a more in depth view have a look at this video from Browne Jacobson "How to implement GDPR in your school".