Apprenticeships.scot logo

GDPR for learning providers

Read Skills Development Scotland's policy on General Data Protection Regulation (GDPR) for apprenticeship learning providers.

What is the UK GDPR?

The UK General Data Protection Regulation (UK GDPR) is the UK’s post-Brexit version of the EU GDPR and continues to set the standards for how personal data must be collected, used, stored, and protected.

Although the UK is no longer part of the EU, the core principles and protections originally established under the EU GDPR still apply through the UK GDPR. These rules strengthen individuals’ rights and give people greater control over which organisations can access their data, how it is used, and how they are contacted.

How does this affect learning providers?

Any organisation that collects personal data must comply with the seven core data protection principles set out in the UK GDPR. These principles cover areas such as how personal data is stored, who can access it, and the purposes for which it is used.

Skills Development Scotland (SDS) must ensure that any personal information collected for our business is fully compliant with these principles and our wider obligations under the UK GDPR.

Learning providers delivering services on behalf of SDS must also ensure their data collection practices are UK GDPR-compliant. This includes making sure participants understand what information is being collected, why it is collected, how it will be used, and what their rights are. This must be communicated through a clear and accessible privacy notice.

SDS also has an obligation to ensure any data collected about individuals is kept secure and disposed of appropriately, in line with an approved retention schedule. Personal data must not be retained for longer than necessary.

What are the consequences of failing to comply with the UK GDPR?

All UK organisations must comply with the UK GDPR. Any organisation found to be in breach of the regulation can face significant enforcement action, including fines in line with the legislation.

Responsibilities under the UK GDPR are shared between those collecting the data (learning providers) and those handling it (SDS). SDS, as the data controller, has a duty to monitor compliance.

Want to know more about the UK GDPR?

Use these links to access up-to-date information on UK GDPR requirements, the seven data protection principles, and individuals’ rights, on the Information Commissioner’s Office (ICO) website:

If you have any questions, you can also contact your SDS Contract Manager.