The EU General Data Protection Regulation will unify data protection and ease the flow of personal data across the EU when it comes into force in May 2018, superseding national data protection laws like the UK’s Data Protection Act 1998 (DPA), and will apply to every organisation in the world that does business with EU residents.
Data Protection Act 1998 - Schools must register all personal data and state the purpose for which it is required. All data held must be relevant, adequate and not held for longer than it is required. Where personal data is out of date or no longer required, it must be destroyed. Cross reference with schools as organisation unit. Criteria 4.2