General Data Protection Regulation (GDPR)

The European General Data Protection Regulation (GDPR) law came into effect on 25 May 2018. The objective of this law is to ensure all personal data relating to living EU citizens (including UK citizens) is protected and that those who are entrusted with such data are held accountable for its protection.

Following the UK’s departure from the EU (January 2020), the GDPR has been retained in UK law as the UK GDPR and will apply alongside the Data Protection Act 2018.


The City Learning Trust (CLT) and its member academies are committed to data privacy and protection and we have robust systems in place to ensure GDPR compliance. The GDPR principles are embedded in our data processing so that parents/carers, pupils/students, staff, governors/trustees, volunteers and visitors are assured that we handle their personal data respectfully, and in line with the law. Our practice to ensure compliance is detailed below.

Data Protection Policy

The Trust’s Data Protection Policy is written in line with GDPR and it drives the highest standards of privacy and protection of personal data rights across the Trust. It includes our policy on data breaches and subject access requests. The policy is reviewed bi-annually.

Record of Processing Activities

We keep a record of our processing activities to ensure all data held and processed is compliant with current regulations. We record:

  • The nature and purpose of processing.
  • Categories of data subjects.
  • Types of personal data held and processed.
  • The lawful basis for all our personal data processing.
  • The retention period for all data.
  • How data will be securely stored and disposed of.
  • Who we share data with.


Privacy notices for staff, pupils/students, parents/carers, volunteers and governors/trustees align with GDPR guidelines, are made available and reviewed annually.

Data Protection Impact Assessments, Contracts and Employees of the Trust

  • We will implement, when necessary, Data Protection Impact Assessments for projects that may involve high risk processing as covered under GDPR.
  • We add addendums to contracts with contractors to ensure all parties take account of their respective obligations and responsibilities under GDPR.
  • All staff are well informed of the legislation. GDPR awareness training is included in the Trust’s annual training cycle.
  • We have a Data Protection Officer.

Our Processes will Ensure That:

  • All procedures align with the individual’s rights as specified under GDPR.
  • Our Subject Access Request procedure, to manage requests for data, is in line with GDPR.
  • Any data breaches are handled and reported in line with GDPR.
  • Seeking, recording and managing consent is in line with GDPR.
  • Privacy Notices are in line with GDPR.

GDPR Audit Cycle

We conduct a thorough audit of our GDPR processes and procedures annually to ensure compliance with current regulations.

GDPR Roles and Responsibilities

Our Data Protection Officer and Executive Director – Estates and Risk have implemented, and maintain, a system that ensures the Trust meets its obligations under the GDPR. They are responsible for promoting awareness of the GDPR across the Trust, assessing compliance, identifying gap areas, including employee awareness and training and the updating of policies, privacy notices and procedures, including GDPR audits.

To contact the Data Protection Officer:

Telephone: 01782 853535

Email: [email protected]

Please visit our Policies page to view our policy documents.

At Trentham we live by our motto of 'Aspire, Endeavour and Achieve' – dream big, work hard and persevere to be successful.