GDPR is the 'General Data Protection Regulation' legislation, which is in force from 25 May 2018. Introduced to unify all EU member states' approaches to data regulation, it ensures all data protection laws are applied identically in every country within the EU. It protects EU citizens from organisations using their data irresponsibly and puts them in charge of what, where and how their information is shared.
Even though the UK is due to leave Europe, it will still apply to all organisations handling EU residents' data, effectively replacing the Data Protection Act 1998.
For further information about GDPR and the rights of pupils and parents concerning their data, please see the Information Commissioner's Office website.