Introduction
The majority of UK maktab administrators are unaware of their GDPR obligations. This is not a criticism — GDPR is complex, the guidance for small charitable organisations is scattered, and most maktabs are run by volunteers whose expertise is Islamic education, not data protection law.
But unawareness is not a defence. Any UK maktab that holds names, dates of birth, guardian contacts, or medical information about children is processing personal data under UK GDPR and the Data Protection Act 2018. The Information Commissioner’s Office (ICO) has the authority to investigate any organisation, and has issued enforcement notices to small charities and community organisations.
This guide explains what UK GDPR requires of maktabs in plain English — what data you hold, what obligations that creates, what you need to have in place, and how a proper management system makes compliance significantly easier.
Important note: This guide provides general information for educational purposes. It is not legal advice. For advice specific to your institution’s circumstances, consult a qualified data protection professional or use the ICO’s free resources at ico.org.uk.
Does GDPR Apply to My Maktab?
Yes — if your maktab holds any personal data about identifiable individuals. Personal data means any information that can identify a person: a name, an address, a phone number, an email address, a date of birth, a student ID number, or a photograph.
The UK GDPR (the version of the EU GDPR retained in UK law after Brexit, which sits alongside and is supplemented by the Data Protection Act 2018) applies to every organisation that processes personal data in the UK, including:
- Registered charities
- Unregistered charitable organisations
- Mosque committees
- Voluntary organisations
- Community groups
There is no size threshold. A three-teacher maktab with 40 students is subject to the same core obligations as a large institution; only a handful of duties (such as appointing a Data Protection Officer) depend on the scale or nature of the processing, not on the size of the organisation.
The only relevant question is whether you process personal data about identifiable individuals. Every maktab does. Therefore UK GDPR applies to every maktab.
| Organisation Type | UK GDPR Applies? |
| --- | --- |
| Registered charity maktab | ✅ Yes |
| Mosque-run maktab (unregistered charity) | ✅ Yes |
| Voluntary-run weekend maktab | ✅ Yes |
| Maktab using third-party software | ✅ Yes (both the maktab and the software provider have obligations) |
| Online Islamic school | ✅ Yes |
| Private Islamic school (independent) | ✅ Yes |
Source: ICO guidance on organisations subject to UK GDPR; Ilmify compliance research, 2026
What Personal Data Do Maktabs Typically Hold?
Most maktab administrators do not have a clear picture of all the personal data their institution holds. This is itself a GDPR compliance gap — one of the core requirements is knowing what data you hold, where it is stored, and why you hold it.
The audit below covers the typical data held by a UK maktab. Use it to map your own institution’s data holdings.
| Data Category | Typical Storage Location | Personal Data? | Special Category? |
| --- | --- | --- | --- |
| Student full name | Register, spreadsheet, app | ✅ Yes | ❌ No |
| Student date of birth | Register, spreadsheet, app | ✅ Yes | ❌ No |
| Student home address | Register, form, spreadsheet | ✅ Yes | ❌ No |
| Guardian name(s) | Register, form, app | ✅ Yes | ❌ No |
| Guardian phone number | WhatsApp, register, app | ✅ Yes | ❌ No |
| Guardian email address | WhatsApp, email, app | ✅ Yes | ❌ No |
| Student photograph | Register, display board, app | ✅ Yes | ❌ No (unless used for biometric identification) |
| Medical information | Paper form, register | ✅ Yes | ✅ Yes — health data |
| Religious affiliation / denomination | Register, board affiliation records | ✅ Yes | ✅ Yes — religious belief |
| Attendance records | Register, app | ✅ Yes | ❌ No |
| Hifz / academic progress | Register, app | ✅ Yes | ❌ No |
| Fee payment records | Cash register, spreadsheet | ✅ Yes | ❌ No |
| Special educational needs | Paper notes, verbal | ✅ Yes | ✅ Yes — health data (there is no separate “disability” category) |
Source: Ilmify UK maktab GDPR compliance research, 2026
Any data marked as special category requires additional protections under UK GDPR. You need both a lawful basis under Article 6 and a separate condition under Article 9 (for a maktab this is usually explicit consent, although a not-for-profit body with a religious aim may be able to rely on the “legitimate activities” condition for its own members’ religious-belief data), a documented justification for holding the data at all, and stronger security measures than for ordinary personal data.
The Six GDPR Principles Every Maktab Must Know
UK GDPR is built on six data protection principles (Article 5(1)), backed by an accountability principle (Article 5(2)) that requires you to be able to demonstrate compliance with the other six; most of the records described later in this guide exist to satisfy it. Every data processing activity in your maktab must comply with all of them. They are not optional guidelines; they are legal requirements.
Principle 1 — Lawfulness, Fairness, and Transparency
You must have a lawful reason for processing personal data (see the next section). You must be transparent with individuals about what data you hold and why. Parents and students must be able to find out what you hold about them.
Principle 2 — Purpose Limitation
You may only use personal data for the specific purpose for which you collected it. You collected a guardian’s phone number to communicate about their child’s maktab attendance — you may not use it to send general mosque fundraising messages without separate permission.
Principle 3 — Data Minimisation
Collect only the data you actually need. If you do not need a student’s home address for your maktab’s operations, do not collect it. Do not collect data “just in case.”
Principle 4 — Accuracy
Keep personal data accurate and up to date. If a guardian changes their phone number, update your records. Outdated data is a compliance issue.
Principle 5 — Storage Limitation
Do not keep personal data longer than necessary. When a student leaves the maktab, their personal data should be retained only as long as there is a documented reason, and then deleted. A paper register still holding the records of students who left five years ago, with no retention policy to justify it, is a storage limitation violation. “Necessary” does not always mean “short”: safeguarding records, for example, may legitimately need to be kept for many years, which is why the retention period for each category of data should be written down rather than left to habit.
Principle 6 — Integrity and Confidentiality (Security)
Protect personal data with appropriate security measures. A paper register left on a desk where any visitor can read it is a security failure. A shared WhatsApp group containing students’ contact details is a security issue. Personal data must be protected from unauthorised access.
| Principle | Common Maktab Violation | Compliant Practice |
| --- | --- | --- |
| Lawfulness | No privacy notice given to parents | Provide a clear privacy notice at enrolment |
| Purpose limitation | Using parent contacts for unrelated mosque communications | Keep maktab data use separate from mosque general communications |
| Data minimisation | Collecting data that is not needed for maktab operations | Review forms and remove unnecessary fields |
| Accuracy | Outdated guardian contact details | Annual data verification process |
| Storage limitation | Indefinite retention of departed student records | Clear retention and deletion policy |
| Security | Paper register accessible to anyone; shared logins to digital records | Locked storage; digital records with individual logins and access limited to those who need it |
Source: ICO guidance for small organisations; Ilmify GDPR compliance research, 2026
Your Lawful Basis for Processing Student Data
Under UK GDPR, you must have one of six lawful bases to process personal data. For maktabs, the most applicable bases are:
Legitimate Interests: The most practical basis for much routine maktab processing. Processing is necessary for the legitimate interests of the maktab (running an Islamic educational programme) and those interests are not overridden by the individual’s rights. The ICO expects you to record a short legitimate interests assessment (purpose, necessity, and a balancing test against the individual’s rights) for each use. This covers: attendance records, Hifz progress records, fee records, and general contact information for educational communication.
Contractual Necessity: Processing is necessary to fulfil a contract (or pre-contract steps) with the individual. Enrolment creates an implicit contract — processing the student’s basic information is necessary to deliver the education service.
Legal Obligation: Processing is required by law. Safeguarding records may fall into this category.
Consent: The appropriate basis for uses that are not needed to run the maktab, such as photographs for display boards or social media, or general newsletters. Consent must be freely given, specific, informed, and unambiguous, and it must be as easy to withdraw as it was to give. A pre-ticked box or a clause buried in an enrolment form is not valid consent under GDPR. For special category data (health, religion, SEN) you additionally need an Article 9 condition, and explicit consent is the one most maktabs will use; see the next section.
Critical point for maktabs: You must document your lawful basis for each category of processing. “We have always done it this way” is not a lawful basis.
Special Category Data: What It Is and Why It Matters for Maktabs
Special category data is a class of personal data that requires extra protection because of its particularly sensitive nature. UK GDPR (Article 9) identifies nine categories, three of which are directly relevant to maktabs:
Religious or philosophical beliefs: Recording a student’s religious denomination (Deobandi, Barelvi, Ahl-i-Hadith, etc.) or theological affiliation is special category data. Even recording “Muslim” against a student’s name is technically processing religious belief data.
Health data: Any medical information — allergies, conditions, medications, special educational needs with a health component — is special category health data.
Special Educational Needs: There is no separate “disability” category in UK GDPR, but SEN records that describe a physical or mental condition are health data and are therefore special category data. Treat SEN notes with the same care as medical forms.
What this means for maktabs:
- Special category data requires explicit consent or one of a limited number of other Article 9 conditions (for example vital interests in a medical emergency, or the condition for the legitimate activities of a not-for-profit body with a religious aim, which covers only members and people in regular contact with the body and does not permit disclosure outside it without consent)
- It must be stored with enhanced security
- It must be mentioned specifically in your privacy notice
- Breaches involving special category data are treated more seriously by the ICO
Practical implication: The medical forms most maktabs collect at enrolment are special category data. They need explicit consent, secure storage, and a clear retention policy.
What Records You Must Keep
Under UK GDPR (Article 30), organisations are required to keep records of their processing activities. This is called a Record of Processing Activities (ROPA). There is an exemption for organisations with fewer than 250 employees, but it does not apply where the processing is not occasional or involves special category data. A maktab processes student and guardian data continuously and holds health and religious-belief data, so you should assume the ROPA requirement applies to you; in any case, having one is the single document that most reduces the risk and cost of an ICO enquiry.
A ROPA for a maktab covers:
| Element | What to Record |
| --- | --- |
| Categories of data subjects | Students, guardians, teachers and volunteers |
| Categories of personal data | Name, DOB, contact details, health, attendance, progress |
| Purposes of processing | Deliver Islamic education, manage attendance, communicate with parents |
| Lawful basis for processing | Legitimate interests, contractual necessity, consent (plus the Article 9 condition for special category data) |
| Who data is shared with | Board affiliates, emergency contacts, management committee, software providers |
| Where data is stored | Named systems (paper register, spreadsheet, management app) |
| Retention period | How long each category is kept after a student leaves |
| Security measures | Individual logins, locked storage, access restrictions |
You should also have:
- A Privacy Notice given to all parents at enrolment, explaining what data you hold and why
- A Data Retention Policy specifying how long different data categories are kept
- A Breach Response Procedure specifying what to do if data is lost, stolen, or accessed without authorisation
Data Subject Rights: What Parents and Students Can Request
UK GDPR gives individuals rights over their personal data. For maktabs, the most commonly exercised rights will come from parents:
Right of Access (Subject Access Request — SAR): Any individual can request a copy of all personal data held about them. A child who is old enough to understand the request can make it themselves; otherwise a parent can make it on the child’s behalf. You must respond within one month of receipt (extendable by up to two further months for complex or numerous requests, provided you tell the requester within the first month). You cannot normally charge a fee. Responding from scattered paper records is time-consuming and error-prone; a management system that can export everything held about one student makes it much simpler.
Right to Rectification: An individual can ask you to correct inaccurate data. You must respond within one month.
Right to Erasure (“Right to be Forgotten”): In certain circumstances, an individual can ask you to delete their personal data. This is not absolute — you can retain data where you have a legitimate ongoing reason — but it requires a considered response, not silence.
Right to Object: Individuals can object to processing based on legitimate interests. You must stop processing unless you can demonstrate compelling legitimate grounds.
For maktabs, the most important practical step: Have a written process for responding to SARs before you receive one. The time limit is strict (one month), and responding from a disorganised paper-based system within that window is extremely difficult.
Data Breaches: What to Do If Things Go Wrong
A data breach is any event that leads to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of personal data. For maktabs, common breach scenarios include:
- Paper register lost or stolen
- A guardian’s contact list shared with the wrong WhatsApp group
- A spreadsheet containing student data accidentally sent to the wrong email address
- A laptop containing student records stolen or lost
- An unauthorised person accessing the management system
What UK GDPR requires when a breach occurs:
- Assess the risk — How serious is the potential harm to individuals? A paper register found by a member of the public and returned is lower risk. Student health data sent to a group of unrelated adults is high risk.
- Report to the ICO within 72 hours — If the breach is likely to result in a risk to individuals’ rights and freedoms, you must report to the ICO within 72 hours of becoming aware. This is a strict deadline — 72 hours, not 72 business hours.
- Notify affected individuals if high risk — If the breach is likely to result in high risk to individuals, you must notify them directly without undue delay.
- Document the breach — All breaches must be documented, regardless of whether they are reported to the ICO.
Most common maktab breach response failure: Discovering a breach and doing nothing, assuming it is too small to matter. Failing to report a reportable breach is itself a breach of UK GDPR, and the ICO can take enforcement action over the failure to report separately from the underlying incident. Record every breach, assess it, and make the reporting decision deliberately.
| Breach Type | Likely Risk Level | Report to ICO? |
| --- | --- | --- |
| Paper register lost and not recovered | High | Yes — within 72 hrs |
| Student data accidentally sent to wrong parent | Medium | Assess — likely yes |
| WhatsApp group includes unauthorised person | Medium | Assess based on data shared |
| Management system accessed without authorisation | High | Yes — within 72 hrs |
| Paper register lost but immediately recovered with no access | Low | Document; likely no |
Source: ICO breach reporting guidance; Ilmify compliance research, 2026
Choosing a GDPR-Compliant Management System
When you use a third-party management system for student data, your maktab is the data controller (it decides why and how the data is used) and the software provider is a data processor (it handles the data on your instructions). Under UK GDPR (Article 28) you must have a written contract with any data processor, usually called a Data Processing Agreement (DPA), that sets out what the processor may do with the data, its security obligations, and what happens to the data when the contract ends. This is a legal requirement, not optional, and the responsibility for having it in place sits with you as the controller.
When evaluating any management system, ask:
- Are you on the ICO’s register of data protection fee payers? (There is no separate “processor” registration; this simply confirms the provider meets its own obligations as a controller of its customer and staff data.)
- Where is data stored? (The UK, the EU, or a country with a UK adequacy decision; anywhere else requires a documented transfer safeguard such as the UK International Data Transfer Agreement or the UK addendum to the EU Standard Contractual Clauses)
- Can you provide a Data Processing Agreement?
- How do you support Subject Access Requests?
- What is your data breach notification process?
- How is data deleted when we close our account?
- Who at your organisation has access to our data?
Red flags that indicate a non-compliant provider:
- Cannot produce a DPA or says one is not necessary
- Cannot clearly state where data is stored
- Has no clear data breach notification process
- Keeps data indefinitely or has no account closure/deletion process
Ilmify’s GDPR position: Ilmify stores data in compliant jurisdictions, provides a full Data Processing Agreement for UK institutions, supports Subject Access Request responses, and has a clear data deletion process for account closure. Full GDPR documentation is available on request.
Your GDPR Compliance Action Plan
The following action plan covers the most important steps for a UK maktab to reach a reasonable level of GDPR compliance. This is not exhaustive — consult the ICO’s free small business/charity guidance (ico.org.uk) for further detail.
| Action | Priority | Timeline |
| --- | --- | --- |
| Audit all personal data you hold (use the table in Section 2) | 🔴 High | This month |
| Write a Privacy Notice for parents (ICO template available) | 🔴 High | This month |
| Establish and document the lawful basis (and Article 9 condition where needed) for each category of data processing | 🔴 High | This month |
| Create a basic Record of Processing Activities (ROPA) | 🔴 High | Next 4 weeks |
| Obtain explicit consent for special category data (health, religion) | 🔴 High | At next enrolment |
| Write a Data Retention Policy | 🟠 Medium | Next 6 weeks |
| Write a Breach Response Procedure | 🟠 Medium | Next 6 weeks |
| Check your management system provider’s GDPR documentation | 🟠 Medium | Before next renewal |
| Sign a Data Processing Agreement with your software provider | 🟠 Medium | Immediately if using cloud software |
| Check whether you must pay the ICO data protection fee (use the ICO’s online self-assessment; some not-for-profit bodies are exempt, and charities that are not pay the lowest tier) | 🟡 Recommended | This month |
| Annual data review — update/delete outdated records | 🟡 Ongoing | Annually |
Source: ICO small charity guidance; Ilmify GDPR compliance framework for UK maktabs, 2026
Conclusion
GDPR compliance for UK maktabs is not as complex as it can appear. The most important steps — knowing what data you hold, having a lawful basis for holding it, giving parents a privacy notice, and ensuring your software provider has a Data Processing Agreement — are achievable for any institution regardless of size.
The institutions most at risk are not those that have tried and fallen short of perfect compliance. They are the institutions that have done nothing because the subject felt overwhelming or irrelevant. In 2026, with children’s personal data increasingly managed digitally, and with the ICO actively investigating charitable organisations, doing nothing is no longer a viable position.
Start with the action plan above. The ICO’s free guidance for small charities (ico.org.uk/for-organisations/advice-for-small-organisations/) is clear and accessible. And if you are evaluating management software, make GDPR documentation one of your first questions — the answer tells you a great deal about the provider.
👉 Ilmify Is Built for UK GDPR Compliance — Request Full Documentation →