Introduction
Most UK maktab administrators are aware that GDPR exists. Far fewer have thought carefully about what it actually requires of their school — and almost none have audited whether their current practices comply with it. The result is that hundreds of UK Islamic supplementary schools are processing children’s personal data every day in ways that create real legal exposure for the committee members and trustees responsible for the institution.
This is not a theoretical risk. The Information Commissioner’s Office (ICO) — the UK’s data protection regulator — has fined organisations of every size for GDPR violations, including charities and community organisations. The fact that a maktab is small, informal, or well-intentioned does not exempt it from UK data protection law.
This guide explains UK GDPR in plain English — what it is, what it requires of a maktab, the most common violations Islamic schools commit without realising it, and what practical steps bring a maktab into compliance. It is written for maktab administrators and mosque committee members, not lawyers.
What Is UK GDPR and Does It Apply to Maktabs?
UK GDPR (UK General Data Protection Regulation) is the data protection law that applies in the United Kingdom following the UK’s departure from the European Union. It is incorporated into UK law through the Data Protection Act 2018 and closely mirrors the EU GDPR framework.
UK GDPR applies to any organisation — regardless of size, charitable status, or sector — that:
- Processes personal data (collects, stores, uses, shares, or deletes information about identifiable individuals), AND
- Is established in the UK, OR
- Offers services to people in the UK
A maktab that holds a student register with children’s names, addresses, and Hifz progress is processing personal data. UK GDPR applies. Full stop.
There is no size threshold. A maktab with 15 students has the same GDPR obligations as one with 500 students, in terms of the principles that apply. The practical burden of compliance is proportionate to scale, but the legal obligations are not.
The Seven GDPR Principles — Plain English
UK GDPR is built around seven principles that all data processing must comply with. These are the core of the law — everything else flows from them.
| Principle | What It Means in Practice for a Maktab |
| --- | --- |
| 1. Lawfulness, fairness, transparency | You must have a legal reason to hold each type of data; parents must know what you hold and why |
| 2. Purpose limitation | Data collected for enrolment cannot be used for something else (e.g. marketing without consent) |
| 3. Data minimisation | Collect only what you actually need — a student’s shoe size is not relevant; their medical conditions are |
| 4. Accuracy | Keep records up to date — incorrect contact numbers or medical records are a GDPR problem |
| 5. Storage limitation | Don’t keep data longer than necessary — define and follow a retention period for student records |
| 6. Integrity and confidentiality | Hold data securely — encrypted where possible; access only by those who need it |
| 7. Accountability | Be able to demonstrate that you comply — document your decisions and policies |
What Data Does a Maktab Hold?
Before a maktab can comply with GDPR, it must know exactly what personal data it holds and where. Most maktabs hold more data than they realise — across multiple locations, some formal and some informal.
Complete maktab data inventory:
| Data Type | Where It Is Held | GDPR Category |
| --- | --- | --- |
| Student full name | Register, enrolment form, Hifz records | Standard personal data |
| Date of birth | Enrolment form | Standard personal data |
| Home address | Enrolment form | Standard personal data |
| Parent/guardian name and phone | Enrolment form, WhatsApp contacts | Standard personal data |
| Parent email address | Communications list | Standard personal data |
| Medical conditions / allergies | Enrolment form | Special category data (health) |
| Hifz and Quran progress | Register, session notes, digital system | Standard personal data |
| Attendance records | Register, digital system | Standard personal data |
| Fee payment records | Fee book, digital system | Standard personal data (financial) |
| CCTV footage | Camera system | Standard personal data |
| Teacher contracts | HR file | Standard personal data |
| Teacher DBS records | HR file | Special category (criminal record data) |
| Photos and videos of students | Social media, school events | Standard personal data (image) |
Special category data — health information and criminal record data — requires an even higher level of protection than standard personal data. Holding it requires explicit consent and strict security measures.
Lawful Basis — Why You Are Allowed to Hold Data
Every type of data you hold must have a documented legal justification called a lawful basis. The six lawful bases in UK GDPR are:
| Lawful Basis | When It Applies to a Maktab |
| --- | --- |
| Consent | When a person freely agrees to you holding specific data for a specific purpose — e.g. newsletter subscription, photos on social media |
| Contract | When data is necessary to fulfil an agreement — e.g. parent contact details to provide the educational service they have paid for |
| Legal obligation | When a law requires you to hold the data — e.g. DBS records, financial records for tax purposes |
| Vital interests | Rarely used — only in life-threatening situations |
| Public task | Applies to public authorities, not maktabs |
| Legitimate interests | When the organisation has a genuine need that is balanced against the individual’s privacy rights — e.g. attendance records to safeguard students |
Most common lawful bases for maktab data:
- Student name, DOB, address, parent contact: Contract (needed to provide the educational service)
- Medical conditions: Vital interests or explicit consent (needed to protect the child)
- Hifz progress records: Legitimate interests (educational purpose; minimal privacy intrusion)
- Photos/videos: Consent (parents must explicitly agree; children over 13 must also agree separately)
- DBS records: Legal obligation
- Fee records: Legal obligation (financial record-keeping requirements)
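As an added example (not code from this article, nor from Ilmify), the data inventory and lawful-basis tables above can be turned into a record of processing that a trustee can actually check under the accountability principle: every data type has a recognised lawful basis, special category data has its extra condition recorded, every type has a retention period, and individual records past their retention period are listed for secure destruction. The data type names, retention periods (84 months for student records, 6 months for DBS records, following the figures later in this guide) and the held records are constructed assumptions, not real school data.

```python
"""Accountability checks over a maktab data inventory (added example)."""
import calendar
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

LAWFUL_BASES = {"consent", "contract", "legal obligation",
                "vital interests", "public task", "legitimate interests"}


@dataclass
class DataType:
    name: str
    locations: List[str]
    lawful_basis: Optional[str]       # None = nobody has documented a basis yet
    retention_months: Optional[int]   # months after the trigger event; None = undefined
    special_category: bool = False
    special_condition: Optional[str] = None  # extra condition recorded for special category data


# Constructed inventory mirroring the article's tables (assumed values).
INVENTORY = [
    DataType("student core record", ["enrolment form", "register"], "contract", 84),
    DataType("parent contact details", ["enrolment form", "WhatsApp"], "contract", 84),
    DataType("medical conditions", ["enrolment form"], "vital interests", 84,
             special_category=True, special_condition="explicit consent"),
    DataType("Hifz progress", ["register", "digital system"], "legitimate interests", 84),
    DataType("photos/videos", ["social media"], "consent", None),
    DataType("teacher DBS records", ["HR file"], "legal obligation", 6, special_category=True),
    DataType("CCTV footage", ["camera system"], None, None),
]

# Constructed held records: (record id, data type, trigger date). The trigger is
# the leaving date for student records and the issue date for a DBS certificate.
HELD_RECORDS = [
    ("S-001", "student core record", date(2017, 6, 30)),
    ("S-002", "student core record", date(2020, 7, 1)),
    ("DBS-T1", "teacher DBS records", date(2024, 9, 10)),
    ("DBS-T2", "teacher DBS records", date(2024, 5, 31)),
]


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic that clamps to the last day of the target month."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def undocumented_basis(inventory: List[DataType]) -> List[str]:
    """Principle 1 / accountability: data types with no recognised lawful basis."""
    return [t.name for t in inventory if t.lawful_basis not in LAWFUL_BASES]


def special_category_gaps(inventory: List[DataType]) -> List[str]:
    """Special category data whose extra condition has not been recorded."""
    return [t.name for t in inventory if t.special_category and not t.special_condition]


def missing_retention(inventory: List[DataType]) -> List[str]:
    """Principle 5: data types with no retention period defined."""
    return [t.name for t in inventory if t.retention_months is None]


def due_for_destruction(inventory: List[DataType], held, today: date) -> List[str]:
    """Record ids whose retention period has expired as of `today`."""
    months = {t.name: t.retention_months for t in inventory}
    return [rid for rid, kind, trigger in held
            if months[kind] is not None and add_months(trigger, months[kind]) <= today]


if __name__ == "__main__":
    today = date(2025, 1, 15)
    print("No lawful basis:", undocumented_basis(INVENTORY))
    print("Special category gaps:", special_category_gaps(INVENTORY))
    print("No retention period:", missing_retention(INVENTORY))
    print("Due for destruction:", due_for_destruction(INVENTORY, HELD_RECORDS, today))
```

Run as written, the checks flag CCTV footage (no lawful basis decided), the DBS records (special category with no extra condition recorded), photos and CCTV (no retention period), and two records due for destruction. The month arithmetic clamps to the end of the month on purpose: a DBS certificate issued on 31 May plus six months falls on 30 November, not on an invalid date.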
The Privacy Notice — What Parents Must Be Told
Every maktab must provide parents with a Privacy Notice at the point of enrolment — before you collect any data. This notice must be:
- Written in plain, clear language (not legal jargon)
- Specific to your school’s actual data practices
- Given to parents — not just made available on request
What the Privacy Notice must include:
| Section | Content |
| --- | --- |
| Who you are | School name, address, and contact details |
| What data you collect | List the categories of data you hold |
| Why you hold it | The lawful basis for each category |
| How long you keep it | Specific retention periods (e.g. student records kept for 7 years after leaving) |
| Who you share it with | Any third parties (e.g. board examinations, local authority) |
| Their rights | What parents can request (access, correction, deletion, etc.) |
| How to complain | The right to complain to the ICO if they believe their data has been mishandled |
Privacy Notice template — essential paragraphs:

```text
PRIVACY NOTICE — [MAKTAB NAME]

We collect and hold information about students and their parents/guardians
to provide our educational services. This notice explains how we use that
information.

WHAT WE COLLECT:
We collect: student names, dates of birth, home addresses, parent contact
details, medical information relevant to the child's care, Quran and Hifz
progress records, and attendance records.

WHY WE HOLD IT:
Student records are held to provide our educational services (legal basis:
contract). Medical information is held to protect your child's welfare
(legal basis: vital interests). Attendance is recorded for safeguarding
purposes (legal basis: legitimate interests).

HOW LONG WE KEEP IT:
Student records are retained for 7 years after a student leaves, then
securely destroyed. DBS records are destroyed 6 months after issue once
verified.

YOUR RIGHTS:
You have the right to request a copy of your data, correct inaccuracies,
or request deletion. Contact [admin contact] to exercise these rights.

TO COMPLAIN:
If you believe we have mishandled your data, you can complain to the ICO
at ico.org.uk.
```

Data Security — Protecting What You Hold
UK GDPR requires that personal data is held securely — protected against loss, theft, and unauthorised access. For maktabs, this translates to specific practical requirements:
| Security Measure | What It Requires |
| --- | --- |
| Password protection | All digital records must be password-protected — no open spreadsheets on shared devices |
| Encryption | Sensitive data (medical records, special category data) should be encrypted at rest |
| Access control | Only people who need specific data should be able to access it — teachers should not see all students’ data if they only teach a group |
| Secure physical storage | Paper records in locked filing cabinets; not left out in communal areas |
| Device security | Devices used for school data should have screen locks and device encryption enabled |
| Secure disposal | Paper records must be shredded when retention period expires — not put in general recycling |
| Third-party processors | Any software you use that processes personal data (e.g. Ilmify) must have a Data Processing Agreement (DPA) |
WhatsApp and GDPR — The Specific Problem
WhatsApp group chats create specific, serious GDPR problems for UK maktabs. This is not a theoretical concern — it is the most common GDPR violation in the Islamic supplementary school sector.
The core problems with WhatsApp for school data:
| Problem | GDPR Issue |
| --- | --- |
| Class groups containing all parents | Each parent can see every other parent’s phone number — personal data of a third party shared without consent |
| Progress updates in the group | Mentioning a specific child’s name in a group where other parents can see it shares that child’s personal data without lawful basis |
| Teacher using personal phone | The school has no control over data stored on a personal device; data is not in a secure, institutional system |
| Messages cannot be audited | GDPR accountability principle requires that you can demonstrate how data is processed — WhatsApp history is not auditable |
| No retention controls | Messages accumulate indefinitely; no mechanism for applying retention periods |
| Meta/WhatsApp data policies | WhatsApp’s parent company Meta processes data for its own commercial purposes — consent for this was not obtained by the school |
The compliance-safe alternative:
- Use a dedicated parent portal (such as Ilmify) for individual child progress updates
- Individual parents access only their own child’s information
- Data is held in a compliant, auditable system with retention controls
- No personal data shared in group settings
Children’s Data — Extra Obligations
Children are given additional protection under UK GDPR because they are considered less able to fully understand and consent to data processing. Key additional obligations when processing children’s data:
Age of consent for data processing: Under UK law, children under 13 cannot consent to data processing; consent must come from a parent or guardian. Children aged 13–17 can consent themselves, but the school should consider whether they truly understand what they are consenting to.
Best interests of the child: When making data processing decisions involving children, the child’s best interests must be the primary consideration — not the school’s convenience.
Photos and videos: Never post photos or videos of children on social media, the school website, or any public platform without explicit written consent from parents. This consent must be specific (naming the platform and purpose), freely given (no pressure to consent), and revocable. Keep records of all photo/video consents.
DBS checks are partly about protecting children’s data: A teacher or volunteer with access to children’s personal data (their records, their home address, medical information) is a person who should have been DBS checked — not only for direct safeguarding purposes but because access to children’s personal data requires a trusted individual.
Data Subject Rights — What Parents Can Ask For
Under UK GDPR, parents (and students over 13) have the following rights regarding data held about them or their child:
| Right | What It Means | Your Obligation |
| --- | --- | --- |
| Right of access (SAR) | Request a copy of all data held | Provide within 1 month, free of charge |
| Right to rectification | Request correction of inaccurate data | Correct within 1 month |
| Right to erasure (“right to be forgotten”) | Request deletion of data | Must comply unless there is a legal reason to retain (e.g. financial records) |
| Right to restriction | Request that processing of their data is paused | Apply where relevant (e.g. data disputed) |
| Right to data portability | Request data in a machine-readable format | Applies to digital systems |
| Right to object | Object to processing based on legitimate interests | Must stop unless compelling legitimate grounds |
Responding to a Subject Access Request (SAR): When a parent emails asking for all data held about their child, you must respond within one calendar month with a complete copy of everything you hold. This is why having organised, searchable digital records is essential — a paper register buried in a cupboard makes responding to SARs almost impossible.
Data Breaches — What to Do If Things Go Wrong
A data breach is any security incident that results in the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of personal data.
Examples of data breaches relevant to UK maktabs:
- A student register is left on a minibus and stolen
- A teacher’s phone (which has parent numbers and WhatsApp messages) is lost
- An email containing a class list is sent to the wrong person
- The school’s database is accessed by an unauthorised person
- Paper enrolment forms are put in general recycling instead of shredded
What to do after a breach:
- Contain — stop the breach from worsening (change passwords, recall documents)
- Assess — what data was involved? How many people? What is the risk of harm?
- Report to the ICO — if the breach is high-risk (could cause significant harm), you must report to the ICO within 72 hours of becoming aware of it
- Notify individuals — if the breach is likely to result in high risk to the individuals affected, notify them directly
- Document — record all breaches, even minor ones, in a breach register
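As an added example (not code from this article or from Ilmify), the breach steps above and the Subject Access Request deadline from the previous section can be kept in a small breach register that computes the deadlines rather than relying on memory. The risk scale used is the one UK GDPR itself sets, which is slightly finer than the summary above: a breach is reported to the ICO unless it is unlikely to result in a risk to the people affected, and those people are told directly when it is likely to result in a high risk. The "one calendar month" SAR deadline is modelled as the same day of the next month, or the last day of that month when no such day exists; that counting convention, the breach entries and the dates are all constructed assumptions.

```python
"""Breach register with statutory deadlines for a maktab (added example)."""
import calendar
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import List, Optional

RISK_LEVELS = ("unlikely", "risk", "high")  # outcome of the "assess" step


@dataclass
class Breach:
    description: str
    became_aware: datetime
    data_types: List[str]
    people_affected: int
    risk: str                                  # one of RISK_LEVELS
    contained_at: Optional[datetime] = None
    reported_to_ico_at: Optional[datetime] = None
    individuals_notified_at: Optional[datetime] = None

    def __post_init__(self):
        if self.risk not in RISK_LEVELS:
            raise ValueError(f"risk must be one of {RISK_LEVELS}")


def ico_deadline(b: Breach) -> datetime:
    """72 hours from becoming aware of the breach, as the article states."""
    return b.became_aware + timedelta(hours=72)


def required_actions(b: Breach) -> List[str]:
    """Steps still outstanding for this breach; documenting it always applies."""
    actions = []
    if b.contained_at is None:
        actions.append("contain")
    if b.risk != "unlikely" and b.reported_to_ico_at is None:
        actions.append("report to ICO")
    if b.risk == "high" and b.individuals_notified_at is None:
        actions.append("notify individuals")
    actions.append("document in breach register")
    return actions


def ico_report_overdue(b: Breach, now: datetime) -> bool:
    """True when an ICO report is required, has not been made, and 72 hours have passed."""
    return b.risk != "unlikely" and b.reported_to_ico_at is None and now > ico_deadline(b)


def sar_deadline(received: date) -> date:
    """One calendar month from receipt (assumed convention): the same day next month,
    or the last day of that month if no such day exists (31 Jan -> 28/29 Feb)."""
    year, month = (received.year, received.month + 1) if received.month < 12 \
        else (received.year + 1, 1)
    return date(year, month, min(received.day, calendar.monthrange(year, month)[1]))


# Constructed register entries (not real incidents).
REGISTER = [
    Breach("Student register left on minibus and stolen", datetime(2025, 3, 3, 18, 0),
           ["student names", "home addresses", "medical conditions"], 40, "high",
           contained_at=datetime(2025, 3, 3, 19, 0)),
    Breach("Class list emailed to wrong parent; recalled and deletion confirmed",
           datetime(2025, 3, 5, 9, 30), ["student names"], 12, "unlikely",
           contained_at=datetime(2025, 3, 5, 9, 45)),
]


if __name__ == "__main__":
    now = datetime(2025, 3, 7, 8, 0)
    for b in REGISTER:
        print(b.description)
        print("  ICO deadline:", ico_deadline(b), "overdue:", ico_report_overdue(b, now))
        print("  outstanding:", required_actions(b))
    print("SAR received 31 Jan 2025 is due by", sar_deadline(date(2025, 1, 31)))
```

The stolen register entry is high risk, so both the ICO report and direct notification of the affected families are outstanding, and by 7 March the 72-hour window has already closed; the mis-sent email, assessed as unlikely to cause a risk, still has to be logged. The SAR helper shows the calendar-month edge case: a request received on 31 January is due by 28 February (29 in a leap year), not on a date that does not exist.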
ICO Registration — Do You Need to Register?
Most UK organisations that process personal data must register with the ICO and pay an annual data protection fee (typically £40–£60 for small organisations). There are some exemptions — notably for small organisations processing data only for:
- Staff administration
- Advertising, marketing, and public relations
- Accounts and records
Maktabs that process student data for educational purposes are not covered by these exemptions and generally must register with the ICO. The fee is £40/year for most small organisations.
Registration is done online at ico.org.uk/registration. It takes approximately 30 minutes.
GDPR Compliance Action Plan for UK Maktabs
A practical 8-step action plan to bring a typical UK maktab into GDPR compliance:

```text
GDPR COMPLIANCE CHECKLIST — UK MAKTAB

STEP 1: Data Audit (1 day)
[ ] List every type of personal data held
[ ] Identify where each type is stored (paper, digital, WhatsApp, etc.)
[ ] Identify who has access to each type

STEP 2: Lawful Basis (half day)
[ ] Document the lawful basis for each data type
[ ] Identify any data held without clear lawful basis — stop holding it

STEP 3: Privacy Notice (half day)
[ ] Write a Privacy Notice covering all data types
[ ] Have it reviewed by a trustee
[ ] Plan to give it to all current parents and all new enrolments

STEP 4: ICO Registration (30 min)
[ ] Register at ico.org.uk/registration
[ ] Pay annual fee (£40–£60)

STEP 5: Data Security (1 week)
[ ] Password-protect all digital records
[ ] Move paper records into locked storage
[ ] Ensure devices with school data have screen locks enabled
[ ] Obtain Data Processing Agreements from all software providers

STEP 6: WhatsApp Migration (2–4 weeks)
[ ] Identify what should move from WhatsApp to a parent portal
[ ] Set up Ilmify (or equivalent) with student records
[ ] Communicate the change to parents

STEP 7: Retention Policy (half day)
[ ] Define how long each type of data is retained
[ ] Document the policy
[ ] Plan first review of old records against retention periods

STEP 8: Breach Procedure (half day)
[ ] Write a one-page breach response procedure
[ ] Share with all trustees and teachers
[ ] Set up a breach log
```

👉 GDPR compliance for UK maktabs starts with moving from WhatsApp to a secure, individual parent portal. Ilmify gives UK Islamic schools GDPR-aware student management with individual access controls. Explore Ilmify → ilmify.app
Conclusion
GDPR is not a bureaucratic obstacle to running a good maktab — it is a framework for treating the families who trust you with their children’s information with the dignity and care they deserve. A maktab that collects only what it needs, holds it securely, tells parents what it holds and why, and gives parents control over their own data is a maktab that has earned its community’s trust. The compliance steps above are achievable for any UK maktab — and the risk of not taking them is real.
👉 Make GDPR compliance simple with a management system designed for UK Islamic schools. Explore Ilmify → ilmify.app