UK EdTech GDPR Compliance in 2026: What Schools and MATs Need to Know




classroom technology
Photo by RDNE Stock project on Pexels

The United Kingdom’s data protection landscape has matured significantly since the original GDPR came into force in 2018. For schools, multi-academy trusts (MATs), and the EdTech providers that serve them, 2026 marks a year of important legal changes. The Data (Use and Access) Act 2025 (DUAA) officially became law in June 2025, with a phased enforcement model under which different provisions take effect at different times. On 5 February 2026, many more came into force, making key changes to the UK General Data Protection Regulation (the UK GDPR) and the Data Protection Act 2018. And from 19 June 2026, additional obligations around privacy notices and complaint handling begin.

This article outlines what those changes mean for UK educational institutions and the AI-powered EdTech platforms they rely on. Whether you are a school data protection officer, a MAT board member, or an EdTech supplier, understanding and acting on these updates is essential for staying compliant.

The 2026 Updates to UK Data Protection Law

The DUAA introduced a phased enforcement model. The most significant milestone for schools and EdTech platforms so far was 5 February 2026, when several new data protection provisions came into force. Organisations should ensure that they are still compliant with these changes. The next key date is 19 June 2026. From that date, organisations subject to the UK GDPR will need to update their privacy notices and introduce formal data protection complaint handling procedures.

These changes build on the existing UK GDPR framework, which is the primary law regulating personal data processing in the UK. The UK GDPR differs from the EU GDPR in several respects, and it works alongside the Data Protection Act 2018. Schools already have specific guidance from the Information Commissioner’s Office (ICO) on how to comply and document compliance with UK GDPR and the Data Protection Act 2018, which was published in February 2023.

What This Means for Schools and Multi-Academy Trusts

For many multi-academy trusts, compliance activity is happening in multiple places at once, creating board-level risk from fragmented compliance. It is important that schools and MATs assess EdTech supplier compliance (existing or new) properly to ensure you are able to meet UK GDPR requirements. With AI-powered learning management systems and course creation tools becoming more common, the data processing landscape is more complex than ever.

The ICO provides a practical, jargon-free overview of what UK GDPR compliance means for SMEs in 2026, covering key principles and best practice. Schools can adapt this guidance to their specific context. Your school should be mindful at all times of the ability to demonstrate compliance with the requirements of the UK GDPR. This includes having clear records of processing activities, data protection impact assessments (DPIAs) for new technologies, and contracts with data processors.

Supplier Compliance Assessment

When an EdTech platform processes personal data on behalf of a school, that platform is a data processor. Under UK GDPR, the school remains the data controller and is responsible for ensuring the processor provides sufficient guarantees. This means you must review the processor’s compliance documentation, including its privacy notice, data retention policies, and data breach response procedures. The 2026 updates add new layers: from 19 June, platforms must also have a formal complaint handling process. Check that your existing contracts are updated to reflect these obligations.

Fragmented Compliance in MATs

Large organisations often see compliance efforts spread across individual academies, central teams, and different software providers. This fragmented approach can create board-level risk because it is difficult to maintain a single, auditable picture of data protection across the trust. Centralising supplier due diligence and standardising data protection impact assessments can help reduce that risk. For MATs, ensuring every academy uses the same compliant EdTech tools and follows the same data protection policies is a sensible step toward 2026 readiness.

data protection signs
Photo by Miguel Á. Padriñán on Pexels

Key Compliance Steps for AI EdTech Platforms and Suppliers

EdTech providers serving UK schools and MATs must align with the updated legal framework. Here are the critical actions to take before the next deadlines.

Update Privacy Notices

From 19 June 2026, organisations subject to the UK GDPR will need to update their privacy notices. These notices must clearly explain how personal data is collected, used, stored, and shared, especially when AI features are involved. For example, if your platform uses AI to generate course content based on learner data, you must disclose that processing and its legal basis. Schools rely on these notices to inform parents and students, so accuracy and clarity are vital.

Introduce Formal Data Protection Complaint Handling

Another requirement taking effect on 19 June 2026 is the introduction of formal data protection complaint handling procedures. This means every EdTech platform must have a documented process for receiving, investigating, and responding to complaints from data subjects. Schools will expect to see evidence of this procedure during supplier due diligence. It also aligns with the ICO’s broader guidance on accountability and governance.

Document Compliance with UK GDPR and DPA 2018

The ICO’s guidance for schools emphasises the need to document compliance. AI EdTech platforms should maintain records of processing activities, data protection impact assessments for any new AI features, and contracts with sub-processors. The DUAA’s changes do not remove the need for thorough documentation; they add new specifics around privacy notices and complaints. Keeping these documents up to date helps both the platform and its school clients demonstrate compliance.

school equipment
Photo by Atlantic Ambience on Pexels

How to Vet an AI EdTech Platform for GDPR Compliance

Schools and MATs should adopt a structured approach when evaluating EdTech suppliers. Consider the following checklist based on the 2026 legal landscape.

Area to Assess What to Look For
Privacy notice Does it explain AI-specific processing? Updated for 2026 requirements?
Complaint handling Is a formal procedure in place? How are complaints logged and resolved?
Data processing agreement Does it meet Article 28 UK GDPR standards? Include sub-processor list?
Data protection impact assessment Has a DPIA been conducted for the AI features? Can you review it?
Data retention and deletion What happens to learner data when the contract ends? Is deletion auditable?
Breach notification process How quickly will the platform notify the school of a personal data breach?
Staff training Do the platform’s staff receive regular data protection training?

Using a checklist like this helps ensure you can meet your own UK GDPR obligations as a data controller. It also signals to suppliers that you take compliance seriously, which often leads to better engagement and transparency.

Practical Steps for Educators and Trust Leaders

Beyond vetting suppliers, schools and MATs should review their internal data protection practices. The ICO’s guidance on data protection in schools – covering how to comply and document compliance – remains a foundational resource. Non-operational dates for academic year 2026/27 may also affect when you conduct reviews or training. Your school should be mindful at all times of the ability to demonstrate compliance with the requirements of the UK GDPR.

For MATs, consolidating compliance efforts can reduce board-level risk. Consider appointing a single data protection lead who oversees all supplier contracts and standardises privacy impact assessments across academies. This approach mirrors the intent of the DUAA’s phased enforcement, which encourages organisations to build consistent, auditable data protection practices.

The research provisions in the UK GDPR and the DPA 2018, along with the principles and grounds for processing, research exemptions, and safeguards, may also apply if your school conducts educational research using student data. The ICO offers dedicated guidance for this area.

edtech gdpr compliance
Photo by Markus Winkler on Pexels

Frequently Asked Questions

What is the Data (Use and Access) Act 2025 and how does it affect schools?

The Data (Use and Access) Act 2025 became law in June 2025 with a phased enforcement model. Key provisions came into force on 5 February 2026 and additional obligations around privacy notices and formal complaint handling begin on 19 June 2026. Schools and MATs must update their policies and contracts to remain compliant with the UK GDPR under these changes.

Do EdTech platforms need to update their privacy notices for 2026?

Yes. From 19 June 2026, organisations subject to the UK GDPR need to update their privacy notices. For AI EdTech platforms, this means clearly explaining how personal data is used in AI features, the legal basis for that processing, and how data subjects can exercise their rights. Schools should request updated notices during supplier due diligence.

How can a MAT ensure consistent GDPR compliance across multiple academies?

Centralising compliance activity – such as supplier due diligence, data protection impact assessments, and contract management – helps reduce the board-level risk of fragmented compliance. Appointing a dedicated data protection lead or working with a single compliant EdTech platform across all academies can simplify oversight and demonstrate accountability to the ICO.

What should a school look for when vetting an AI EdTech supplier in 2026?

Key areas include an updated privacy notice, a formal complaint handling procedure, a data processing agreement compliant with Article 28 UK GDPR, a data protection impact assessment for AI features, clear data retention and deletion policies, and a robust breach notification process. Ensure the supplier can demonstrate compliance with the DUAA’s 2026 provisions.

Staying compliant with UK GDPR in 2026 does not have to be overwhelming. By understanding the new legal requirements, assessing your EdTech suppliers thoroughly, and documenting your processes, your school or trust can continue to benefit from AI-driven educational tools while protecting the personal data of students and staff.

Try The Discourse AI to turn these insights into practical outcomes for your learners and team.


Posted

in

by

Tags: