Compliance

GDPR for UK tutoring agencies: what actually needs doing

Most tutoring agencies are out of compliance and don't know it. Here's the practical GDPR checklist — what you must do, what's optional, and the bits we get wrong.

James Woodhouse · 12 May 2026 · 7 min read

Tutoring agencies process personal data on children. That alone puts you in the higher-risk GDPR bracket. Most UK agencies are operationally non-compliant, don't realise it, and would get a nasty surprise if a parent complained. Here's the practical checklist.

This is general guidance from someone who runs an agency, not legal advice. If you're processing thousands of student records, get a proper DPO consult.

1. Register with the ICO

Strictly this is paying the ICO data protection fee; there is no approval step. The fee is tiered by organisation size and a small agency sits in Tier 1 or Tier 2, well under £100 a year (check ico.org.uk for the current figure, it was raised in 2025). Takes 10 minutes online. Mandatory if you process personal data and aren't exempt (you aren't: "parent name, child name, school" is enough to be in scope).

2. Have a published Privacy Policy

On the agency website. Must cover:

  • What personal data you collect (parent name, email, phone, child name + age, school, lesson notes, payment details).
  • What you use it for (delivering tutoring, billing, communication).
  • Lawful basis under Article 6, stated per purpose (contract for service delivery; legitimate interests for safeguarding; legal obligation for the records you keep for HMRC).
  • Who you share it with (your tutors, Stripe, Resend, Twilio, your hosting provider).
  • How long you keep it (we recommend 6 years post-engagement for invoicing reasons, 1 year for lesson notes).
  • Parent / data-subject rights (access, deletion, portability, objection).
  • A real email address to contact for data requests.

3. Data Processing Agreement with every tutor

Your tutors see parent and student personal data on your instructions to do their job, which makes them data processors on your behalf, and UK GDPR Article 28 requires a written contract with every processor. (A self-employed tutor who keeps their own client records and sets their own terms can be a controller in their own right; the clause below is needed either way.) Each tutor contract should include a short DPA clause covering:

  • What data they're entitled to see (only their own students), and that they process it only on your documented instructions, under a confidentiality obligation.
  • What they can't do (store on personal devices unencrypted, share with third parties, retain after leaving).
  • What happens at termination (delete or return all student data within 30 days, and confirm in writing).
  • Breach reporting obligation (notify you within 24 hours of any incident, short enough that you can assess it before your own reporting clock runs out).

4. Subject Access Request (SAR) process

A parent has the legal right to ask for everything you hold on them or their child. You have one month to respond; that can be extended by up to two further months for a genuinely complex request, but you must tell the requester within the first month. Have a written process for:

  • Receiving the request (one inbox, one named person responsible).
  • Verifying the requester is who they claim (parental authority + ID check). A child old enough to understand their rights can make their own request; don't hand a teenager's data to a parent without thinking about it.
  • Compiling the data (their messages with you, lesson notes, invoices, audit logs).
  • Delivering it (machine-readable format, secure transmission).

Practically: your platform should let you export a parent's full record in one click. Smash Your Tutoring has this in the Admin → Parent → Danger Zone → GDPR Export flow.

5. Right to deletion (Right to be Forgotten)

Different from SAR. A parent asks you to delete their data. Article 17 lets you refuse where you have a legal obligation to keep it (HMRC record-keeping rules mean invoice data must be kept for 6 years) or another legitimate basis, but you must respond within the same one month, explain what you have kept and why, and delete everything else.

Standard practice: delete personal identifiers from messages / lesson notes / parent record after the legal retention period for invoices. Keep the financial record only.

6. Where the data lives

Most tutoring agencies use US-hosted SaaS (Google Workspace, Notion, Stripe, etc.). Sending data to a US provider is a restricted transfer under UK GDPR, so it needs a transfer mechanism. For the US, the cleanest one is the provider being certified under the UK Extension to the EU-US Data Privacy Framework (the "UK-US data bridge"); check the certification covers the UK Extension, not just the EU DPF, because they are listed separately. If a provider isn't certified, you need the ICO's International Data Transfer Agreement or the UK Addendum to the EU SCCs in the contract. Document which providers you use, and which mechanism covers each, in your privacy policy.

Specifically for tutoring agencies, the providers worth listing:

  • Stripe (payments)
  • Resend / SendGrid / Mailgun (email)
  • Twilio (SMS / WhatsApp)
  • Your platform vendor (this is us, if you use Smash Your Tutoring)
  • Your CRM if separate
  • Your hosting / cloud provider

7. Children + safeguarding interaction

The age-13 rule (UK GDPR Article 8) applies when you rely on consent for an online service offered directly to a child: under 13, only a parent can give that consent. Most platforms (us included) contract with the parent and handle the child's data under that contract, which keeps consent out of the picture. The child is still a data subject in their own right, though: their data must be covered by your privacy policy, retention rules and SAR process, and a child old enough to understand can exercise their own rights.

Lesson recordings deserve a special note. If you record online lessons (Zoom / Google Meet / your platform), explicit parental consent is needed AND you should auto-delete recordings on a schedule (we keep ours 14 days unless flagged).
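Sections 5 and 7 both describe retention as something the platform should apply automatically. The following is an added example, not Smash Your Tutoring's code or any platform's: a scheduled retention job plus an erasure-request handler over a made-up record model. Record kinds, field names, the pseudonymisation key and the sample data are assumptions; the windows are the ones quoted in this article. It also handles the two cases the article calls out, an invoice inside the HMRC window and a recording flagged for safeguarding, by keeping them and returning the reason the parent must be given.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import date, timedelta

# Retention windows quoted in the article. Most run from the record's own
# date; the parent record runs from the end of the engagement.
RETENTION = {
    "invoice":     timedelta(days=6 * 365),  # HMRC record-keeping: keep 6 years
    "parent":      timedelta(days=6 * 365),  # anonymise 6 years post-engagement
    "lesson_note": timedelta(days=365),
    "message":     timedelta(days=365),
    "recording":   timedelta(days=14),       # unless flagged for safeguarding
}
IDENTIFIERS = {"parent_name", "child_name", "email", "phone", "school"}
# Assumption: in production this key comes from a secret store, not the repo.
PSEUDONYM_KEY = b"example-key-rotate-me"
EXAMPLE_TODAY = date(2026, 5, 12)            # fixed so the sample run is reproducible


@dataclass
class Record:
    kind: str                               # one of the RETENTION keys
    parent_id: str
    created: date
    fields: dict = field(default_factory=dict)
    engagement_ended: date | None = None    # parent records only
    flagged: bool = False                   # safeguarding hold (recordings)
    status: str = "live"                    # live | anonymised | deleted


def pseudonym(parent_id: str) -> str:
    """Keyed hash: kept rows stay linkable to each other, but not to a person."""
    return hmac.new(PSEUDONYM_KEY, parent_id.encode(), hashlib.sha256).hexdigest()[:16]


def anonymise(rec: Record) -> None:
    """Strip direct identifiers, keep the rest (amounts, dates) for the audit trail."""
    rec.fields = {k: v for k, v in rec.fields.items() if k not in IDENTIFIERS}
    rec.parent_id = pseudonym(rec.parent_id)
    rec.status = "anonymised"


def expired(rec: Record, today: date) -> bool:
    anchor = rec.engagement_ended if rec.kind == "parent" else rec.created
    return anchor is not None and today - anchor >= RETENTION[rec.kind]


def apply_retention(records: list[Record], today: date) -> list[tuple[str, str]]:
    """Scheduled job. Returns (action, kind) for each record it changed; idempotent."""
    actions = []
    for rec in records:
        if rec.status != "live" or not expired(rec, today):
            continue
        if rec.kind == "recording" and rec.flagged:
            continue                        # held recordings are never auto-deleted
        if rec.kind in ("invoice", "parent"):
            anonymise(rec)                  # keep the financial/audit row, drop the person
            actions.append(("anonymised", rec.kind))
        else:
            rec.status = "deleted"
            actions.append(("deleted", rec.kind))
    return actions


def handle_erasure_request(records: list[Record], parent_id: str, today: date) -> dict:
    """Right-to-erasure request: delete what can go, keep what must stay, and
    return the reasons that have to go back to the parent in the written reply."""
    result = {"deleted": 0, "anonymised": 0, "retained": []}
    for rec in records:
        if rec.parent_id != parent_id or rec.status != "live":
            continue
        if rec.kind == "invoice":
            if expired(rec, today):
                anonymise(rec)
                result["anonymised"] += 1
            else:                           # the one row that may still name them
                result["retained"].append(("invoice", "HMRC statutory retention, 6 years"))
        elif rec.kind == "recording" and rec.flagged:
            result["retained"].append(("recording", "safeguarding hold, manual review"))
        elif rec.kind == "parent":
            anonymise(rec)
            result["anonymised"] += 1
        else:
            rec.status = "deleted"
            result["deleted"] += 1
    return result


def sample_records(today: date) -> list[Record]:
    """Constructed sample data for one parent (not real records)."""
    p = {"parent_name": "A. Parent", "child_name": "B. Parent", "email": "a@example.com"}
    d = lambda n: today - timedelta(days=n)
    return [
        Record("parent", "P1", d(8 * 365), dict(p), engagement_ended=d(7 * 365)),
        Record("invoice", "P1", d(7 * 365), {**p, "amount": 240}),
        Record("invoice", "P1", d(400), {**p, "amount": 120}),
        Record("lesson_note", "P1", d(400), {"note": "Quadratics"}),
        Record("message", "P1", d(30), {"text": "Running late"}),
        Record("recording", "P1", d(20), {}, flagged=True),
        Record("recording", "P1", d(3), {}),
    ]


if __name__ == "__main__":
    recs = sample_records(EXAMPLE_TODAY)
    print("retention job:", apply_retention(recs, EXAMPLE_TODAY))
    print("erasure:", handle_erasure_request(sample_records(EXAMPLE_TODAY), "P1", EXAMPLE_TODAY))
```

Run it nightly from a scheduler and keep the returned action list as your evidence that retention is actually applied, which is the "applied automatically" line in the compliance pack below. The keyed pseudonym is what lets you keep six years of invoices linkable for an audit without keeping a name against them once the parent record is gone.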

The minimum-viable compliance pack

  1. ICO registration current.
  2. Privacy policy on the site, last reviewed inside the last 12 months.
  3. Tutor contract includes the DPA clauses.
  4. One-click SAR export available.
  5. Defined retention periods, applied automatically.
  6. Documented list of sub-processors with country and transfer mechanism (UK Extension to the DPF, IDTA, or an adequacy decision).
  7. Breach-reporting playbook (who to call, what to send, by when: a breach likely to risk individuals goes to the ICO within 72 hours of you becoming aware of it, and affected parents are told without undue delay if the risk is high).

Most agencies get to about 3 of those 7 and stop. The remaining 4 are what gets you in trouble if a parent complains. Worth a weekend to close all of them.

About the author

James Woodhouse

Co-founder, Smash Your Tutoring

Computer Science teacher turned tutoring-agency owner. Runs a UK tutoring agency, co-founded Smash Your Exams (the GCSE / A-Level revision platform), and built Smash Your Tutoring after years of taping the agency together with Google Calendar, Xero and WhatsApp.
