The data of more than 1,000 pupils at a Kent school was exposed when an unencrypted memory stick was lost.
The stick held information on every pupil at Rochester Grammar School.
It included the names, years, school house, date of birth, email address and special educational needs of the pupils as well as target and attainment grades, and whether they speak English.
The school has apologised and referred itself to the Information Commissioner's Office.
A letter has been sent to parents since the loss explaining that the stick was handed in by a member of the public and the school has "no reason to believe the information has been shared".
A spokesperson for the Thinking Schools Academy Trust, which runs the school, said it places "the highest premium possible on data security" and it is "exceptionally disappointing" that strict policies and procedures were not followed.
The trust added: "We would like to apologise to every student, and their families, for this incident.
"We can provide parents with the data on their child that was lost and would like to reassure them that, although the loss is unacceptable, the information gives no access to student systems."
An Information Commissioner's Office (ICO) spokesperson confirmed it had received notice of a breach.
General Data Protection Regulation (GDPR), which came into effect on 25 May, gives Europeans more data protection rights and threatens giant fines for organisations that do not comply.
Under the new rules, businesses must report any data breaches to the Information Commissioner's Office within 72 hours if they have "potential negative consequences for individuals".