Schools hold some of the most sensitive personal data of any organisation. Think about it for a moment. Student medical records. Safeguarding disclosures. Special educational needs assessments. Staff disciplinary files. Parent financial information for bursaries. All of it sitting in your systems right now.
Yet when school leaders are asked how confident they are in their GDPR compliance, the answer is usually a vague "I think we're fine." That is not confidence; it is hope. Here is what school leaders actually need to know.
A note on jurisdiction: this post uses UK GDPR as its primary reference, drawing on ICO guidance and UK-specific frameworks. The underlying principles — lawful basis, data minimisation, retention, processor accountability — apply broadly across most modern data protection regimes. But the specific legal requirements, regulatory bodies, and enforcement thresholds vary by country. Schools operating in Southeast Asia, the Middle East, or other regions should treat this as a framework overview and verify the applicable obligations for their jurisdiction.
You Are the Data Controller
This is the starting point and the bit many schools still get wrong. Your school is the data controller. Not your IT provider. Not your MIS vendor. Not the company that hosts your email. You.
Being the data controller means the school decides why personal data is collected, what it is used for, and how long it is kept. If something goes wrong, whether a breach, a complaint, or an ICO investigation, responsibility sits with the school. Data processing can be outsourced; accountability cannot.
This matters because schools that use a cloud-based MIS sometimes assume data protection is "handled." It isn't. The MIS provider processes data on the school's behalf, under the school's instructions. A written data processing agreement is required, spelling out exactly what the provider can and cannot do with the information. If that agreement does not exist, or has never been read, that is a compliance gap.
Lawful Basis: It's Not Always Consent
Here's something that trips schools up constantly. You don't need parental consent for everything. In fact, consent is often the wrong lawful basis for schools to rely on.
GDPR gives you six lawful bases for processing personal data. The two that matter most in schools are legitimate interest and legal obligation. You process student attendance data because you're legally required to. You process exam results because you have a legitimate interest in providing education. You process medical information because you have a duty of care.
Consent should be a last resort, not the default. The reason is that consent must be freely given, and the power imbalance between a school and a parent makes "freely given" genuinely questionable. If a parent feels they cannot say no without it affecting their child, that is not real consent. Use consent only where there is a genuine choice, such as school trip photographs on social media or marketing communications.
Consent should be your last resort, not your default. The power imbalance between a school and a parent makes "freely given" difficult to demonstrate.
Data Minimisation: Stop Collecting What You Don't Need
This principle is simple and almost universally ignored. Only collect personal data you actually need for a specific purpose. Not data that might be useful someday. Not data that "it would be good to have." Data you need, now, for a stated reason.
How many fields in your admissions form are actually necessary? Do you need a parent's occupation to process an application? Do you need the child's passport number at the enquiry stage? Do you need dietary preferences before the family has even accepted a place?
Every piece of data you collect is a piece of data you have to protect, store, respond to in a subject access request, and eventually delete. Less data means less risk. It's that simple.
Retention: How Long Is Too Long?
This is the question every school asks and nobody gives a straight answer to. The honest answer is that there is no single rule. It depends on the type of data and why you hold it.
Student academic records: most schools keep these for a reasonable period after the student leaves. The IRMS toolkit, which many UK schools use as guidance, suggests 25 years for the primary record. Safeguarding records may need to be kept for 75 years in serious cases. Routine correspondence is probably 3 years at most. CCTV footage: 30 days is standard unless there is a specific reason to retain it longer. Schools outside the UK will have different applicable schedules depending on their jurisdiction and school type — the specific periods above are UK reference points only. Whatever the applicable framework, retention periods must be formally documented and applied through regular deletion and archiving routines, not just stated in a policy that nobody acts on.
The point is that every school needs a retention schedule: a written document that specifies what type of data is kept for how long, and then deleted. Without one, data is almost certainly being retained longer than required, and that is a compliance risk.
Third-Party Processors: Every EdTech Vendor Counts
Count the number of third-party systems that hold your student data. Your MIS. Your learning platform. Your email provider. Your parent communication app. Your online assessment tools. Your photo consent system. Your catering payment platform. Your visitor management system.
Some schools are running more than 30 different systems that process personal data, each of which is a data processor requiring a data processing agreement and needing to meet the school's security standards.
When did you last audit your edtech vendors? Do you know where each one stores data? Is it in the UK? The EU? The US? If it's the US, do you have appropriate safeguards in place following the Schrems II ruling, including Standard Contractual Clauses, transfer impact assessments, and any supplementary technical or organisational measures required in light of that assessment? These are not theoretical questions. They are the ones the ICO will ask if something goes wrong.
Third-party processor governance is one of the areas IRIS5 assesses in its governance dimension — specifically whether schools have a current register of data processors, written agreements in place, and a review cadence. It's consistently one of the weaker areas in light audit self-assessments, which suggests most schools already know it's a gap.
Subject Access Requests: The One That Catches Everyone Off Guard
A parent has the right to request all the personal data you hold about their child. All of it. Emails mentioning the child by name. Staff meeting notes. SEND records. Behaviour logs. Internal communications between teachers about the child's progress or conduct.
You have 30 calendar days to respond. Not 30 working days. Calendar days. In complex cases, an extension of up to two further months is permitted, but only if the requestor is informed of the delay and the reason within the first month. The response must also be complete: sending only the easy parts and hoping the requestor does not notice is not compliant.
Schools that get SARs wrong usually fail for one of two reasons. Either they can't find the data because it's scattered across dozens of systems, personal email accounts, and handwritten notes. Or they try to redact too much and face a complaint that the response was incomplete.
The practical solution: know where your data lives before someone asks for it. Run a mock SAR internally. Pick a fictitious student name and try to pull together everything you'd need to disclose. If that exercise takes more than a day, you have a data management problem that needs fixing before a real request arrives.
What Actually Trips Schools Up
It's rarely the big stuff. Schools generally understand they can't leave student files in an unlocked cupboard. What catches them is the everyday things:
- Staff using personal email accounts for school communications that contain student data
- WhatsApp groups between teachers that mention students by name
- Old laptops decommissioned without data being wiped
- Leavers' accounts still active months after they left
- Paper records from the pre-digital era sitting in a storage room that nobody's looked at in years
None of these are dramatic. All of them are compliance failures. And all of them are fixable with a bit of attention and a clear policy.
GDPR compliance isn't about perfection. It's about having a system, following it, documenting what you do, and fixing gaps when you find them. Schools that treat data protection as a living process rather than a one-off training session are the ones that handle it well. The bar isn't impossibly high. But you do need to clear it.
How Does Your Data Compliance Stack Up?
IRIS5's governance dimension includes data protection indicators that flag gaps in your compliance posture. Built with privacy at its core: your original documents are never stored.
Start Your Free Assessment