diff --git a/app/views/pages/terms_and_conditions.html.erb b/app/views/pages/terms_and_conditions.html.erb
index ed2e2ef4d7..1f7ab23e2b 100644
--- a/app/views/pages/terms_and_conditions.html.erb
+++ b/app/views/pages/terms_and_conditions.html.erb
@@ -163,7 +163,7 @@
                 By accepting school experience applications through the Service, you agree that:
             </p>
                 <ul class="govuk-list govuk-list--bullet">
-                    <li>once you receive an application from a school experience candidate, it's your responsibility to adhere to General Data Protection Regulation (GDPR) requirements</li>
+                    <li>once you receive an application from a school experience candidate, it's your responsibility to adhere to UK General Data Protection Regulation (UK GDPR) requirements</li>
                     <li>you're responsible for destroying any digital, downloaded, printed or saved copies of a school experience request</li>
                     <li>you must not share requests received through the Service with anyone other than those involved in the school experience process from the school, trust, board or local authority</li>
                     <li>you must ensure that appropriate measures are in place to guarantee the protection of personal data in applications</li>
@@ -173,10 +173,14 @@
             </p>
         <h3 class="govuk-heading-s">Data storage, retention and destruction</h3>
             <p>
-                You must store shared data securely and have appropriate safeguards in place to protect data against unlawful or unauthorised processing. Personal data must be kept only as long as needed to carry out activities relating to administering school experience.
+                You must store shared data securely and have appropriate technical and organisational safeguards in place to protect data against unlawful or unauthorised processing.
+                You must ensure to ensure that all Personal Data are sufficiently protected against any Personal Data Breach (as defined in Data Protection Legislation) and that the requirements of Article 32 of the UK GDPR are met at all times.
+                Personal data must be kept only as long as needed to carry out activities relating to administering school experience.
             </p>
+            <p> If you become aware of any Personal Data Breach, or unauthorised processing of data obtained through the service, you must inform us by email at <%= link_to 'organise.school-experience@education.gov.uk', 'mailto:organise.school-experience@education.gov.uk' %> immediately.
             <p>
-                You must set an appropriate time limit, in line with GDPR requirements, for retaining data before erasure or review.
+                As a processor of data, you must set an appropriate time limit, in line with UK GDPR requirements, for retaining data before erasure or review.
+                We base this on the needs of the department and the law. We keep data for up to 7 years in this instance.
             </p>
             <p>
                 You should destroy the data when it is no longer needed, or when the retention schedule has expired.
@@ -184,6 +188,9 @@
             <p>
                 You should follow the National Cyber Security Centre (NCSC) guidance for secure sanitisation.
             </p>
+            <p>
+                You shall maintain complete and accurate records to demonstrate your compliance with these Terms and Data Protection Legislation.
+            </p>
         <h3 class="govuk-heading-s">Access to the Service</h3>
             <p>
                 We will not be liable if for any reason the Service is unavailable at any time or for any period. From time to time, we may restrict access to all or some parts of the Service to users who have registered with us.
diff --git a/app/views/schools/on_boarding/profiles/onboarding.html.erb b/app/views/schools/on_boarding/profiles/onboarding.html.erb
index 0c26901f73..2cef70cf6f 100644
--- a/app/views/schools/on_boarding/profiles/onboarding.html.erb
+++ b/app/views/schools/on_boarding/profiles/onboarding.html.erb
@@ -39,7 +39,7 @@
           <p>
           <ul class="govuk-list govuk-list--bullet">
             <li>the details you’re providing are correct</li>
-            <li>you agree to manage the data you receive in line with current GDPR regulations</li>
+            <li>you agree to manage the data you receive in line with current UK GDPR regulations</li>
             <li>you accept our <a href="/schools_privacy_policy" class="govuk-link">privacy policy</a></li>
           </ul>
           </p>