What is GDPR and why do PTAs have to care about it?

14 January 2026
Image: Three women gathered around a table with laptops, talking.
The General Data Protection Regulation (GDPR) makes sure organisations – like your PTA – use people’s personal data carefully to protect their security and privacy. It can seem like a daunting subject, but we’ve put together our top tips to help you get to grips with it.

Up close and personal (data)

GDPR protects personal data, so you need to know exactly what this entails. Basically, it’s anything that can be used to identify someone, such as: 

  • Names
  • Email addresses
  • Home addresses
  • Phone numbers
  • Photographs, images and videos 
  • Medical history
  • Dietary requirements
  • Age, and more 

Don’t be a hoarder 

The number one rule of GDPR is don’t collect information you don’t need. Always consider what you’re going to use it for. For example, if you’re only planning on emailing parents, you don’t need to have their home address too. This isn’t just about good housekeeping – if someone steals information you’ve stored but didn’t have a need for, the blame will fall not only on the criminal who stole it, but on your PTA as well. So remember – just what you need, nothing more. 

Assign a go-to GDPR guru 

GDPR is everyone’s responsibility, but we recommend assigning one member of your committee to lead on it. They shouldn’t be expected to remember absolutely everything by heart, but they should know the basics including best practice, how GDPR affects your PTA and, if necessary, where to find more information. 

Top tip!

Check out the GDPR guide for more in-depth information for your GDPR guru.


Safety first

Storing information digitally? Help keep it safe by: 

  • Setting a strong password to protect the device it’s stored on 
  • Setting a strong password to protect files and folders containing PTA information 
  • Changing passwords often, and always after a committee member steps down 
  • Keeping antivirus software up to date 
  • Only sending information through secure file sharing systems, like WeTransfer and Dropbox, rather than email 

If you store information physically, it should be under literal lock and key and put through a shredder when no longer needed. 

Top tip!

Never leave information, such as a list of volunteer names at an event, unattended for people to find.

Sharing is caring

If your school agrees to share parents’ information with your PTA, the school is responsible for asking the parents’ permission before passing it on. You’ll then have one month to tell the parents how you’ll use their personal information. The school should also have consent to share information about your PTA with parents (but this only applies to digital content, not letters). It’s good practice to have a written agreement with the school, called an ‘information sharing agreement’, detailing what will be shared. 

Communication is key

If you need to get consent directly from parents to use their information, be clear about what you’re asking for. Getting this in writing is important: it gives you a record in case you need to prove you have their information for a legitimate reason. You also need to provide information on what you’re going to do with their data. This is your ‘privacy statement’. The same rules apply to pupils, except that the person with parental responsibility has to give consent for a child. 

Top tip!

The ICO are the government department responsible for GDPR.

Seek and destroy 

When you collect personal information, you’ll need to know what it’s being used for, so you’ll know when to destroy it. Your PTA will need to implement a policy on how long you’ll keep personal information and when you’ll review it to keep everything accurate and up to date. You can share a Personal Data Audit with relevant members of your committee to ensure everyone is on the same page. 

Risky business

For serious breaches of GDPR, you could be given a hefty fine. But the rules are clear and easy to follow – just remember to stay organised and read our GDPR guide on our website for all the information you need. 

We can turn ‘GDParrrgh?’ into ‘GDPahhhh, I see!’ 

If you’ve got any GDPR questions, call our PTA Community Advisers for one-to-one support on 0300 123 5460 or by emailing [email protected]. They’re here to help you Monday to Friday, 9am to 5pm. You can also book a Zoom appointment.