
GDPR and education: what you need to know

Search for GDPR in higher education and you will find as much confusion as guidance. Universities asking whether they are covered, US colleges wondering if a regulation written for Europe applies to them, and schools unsure whether a single staff spreadsheet counts as a data breach waiting to happen. The honest answer is that GDPR applies more broadly across the education sector than most institutions realise, and getting it wrong carries real financial and reputational risk. This guide breaks down who is covered, what compliance actually requires, and where most education providers go wrong.

Key takeaways

  • GDPR applies directly to UK and EU schools, colleges and universities, and applies to US institutions whenever they handle personal data belonging to EU or UK students, staff or applicants.
  • Any school or university processing personal data needs a lawful basis for that processing; consent is only one of six options, not the default.
  • Most UK schools and colleges are classed as public authorities under GDPR, which means they are required to appoint a Data Protection Officer.
  • GDPR and the US's FERPA are not the same law and do not require the same actions, even though both deal with student data.
  • The most common compliance failure in education is not the institution itself, but third-party EdTech tools and vendors handling student data without a proper agreement in place.

What is GDPR, and why does it matter for schools and universities

GDPR, the General Data Protection Regulation, is the EU's data protection law, with the UK GDPR operating as its near-identical equivalent since Brexit. It governs how organisations collect, store, use and share personal data, and it applies regardless of sector. Whether you are searching for gdpr compliance higher education, gdpr compliance for higher education or gdpr compliance college, the underlying requirements are the same across institution types.

Education makes for a particularly high-stakes application of GDPR, because the data involved is unusually sensitive. Student records routinely include academic performance, health and special educational needs information, and safeguarding notes, much of it belonging to minors who cannot legally consent to its use themselves.

Does GDPR apply to US schools and universities

Understanding GDPR application across borders is the first step for any international institution, and this is the single most searched question in this entire topic. The answer is not a simple yes or no. GDPR applies based on whose data is being processed, not where the institution is physically located.

  • A US university with an EU or UK study-abroad partnership, exchange programme or international student population is processing EU or UK personal data, and GDPR applies to that processing.
  • A US school running an online course, summer programme or virtual classroom that EU or UK residents can access is also likely in scope, depending on how the offering is marketed and delivered.
  • A purely domestic US institution with no EU or UK staff, students or applicants generally falls outside GDPR's scope, though FERPA and US state privacy laws still apply.
  • GDPR compliance in the US therefore depends on your actual student and applicant population, not your headquarters address.

Who has to comply with GDPR in education

Compliance obligations extend well beyond the institution's own administration team, and this applies just as much to GDPR compliance for adult education providers as it does to traditional schools and universities.

  • Schools, colleges and universities themselves, as data controllers for student, staff and applicant data.
  • EdTech vendors and software providers, as data processors handling that data on the institution's behalf.
  • Third-party services such as payment providers, communication tools and analytics platforms used by the institution.
  • Multi-academy trusts and group structures, which often share data across member schools.

That list answers who is affected by GDPR compliance within a typical institution, and it is exactly why the systems your institution actually uses matter so much.

What GDPR compliance actually requires

Compliance comes down to a handful of core obligations, which is the kind of answer most people are really after when they search for GDPR requirements, even though the legal text itself runs to dozens of articles.

Requirement | What it means in practice
--- | ---
Lawful basis for processing | Identify and document why you are processing each category of data. Consent is only one of six options.
Data minimisation | Collect and retain only the data genuinely needed for the stated purpose.
Consent for minors | Age-appropriate consent processes, often requiring parental involvement below a certain age.
Data Protection Officer | Most UK schools and colleges, as public authorities, are required to appoint one.
Breach notification | Reportable breaches must be notified to the regulator within 72 hours of discovery.
Data retention policy | Clear, documented timeframes for how long each type of record is kept.

The ICO's Children's Code sets out 15 standards that online services likely to be accessed by children, including many EdTech tools and platforms, must follow to protect young users' data. That code applies well beyond social media, and most schools using third-party apps or platforms with under-18 users fall within its scope whether they realise it or not. 

GDPR vs FERPA, what US institutions need to know

US institutions in particular tend to assume FERPA compliance covers them for GDPR too. It does not. Pursuing GDPR compliance in the United States separately from FERPA compliance is usually the safer approach, even though both laws ultimately exist to protect student data.

Factor | GDPR | FERPA
--- | --- | ---
Geographic scope | Applies based on whose data is processed, anywhere in the world | Applies to US institutions receiving federal funding
What it protects | All personal data, not just education records | Specifically education records held by the institution
Consent requirements | Six lawful bases, consent is one option among several | Primarily consent-based, with listed exceptions
Enforcement | Fines of up to £17.5 million or 4% of global annual turnover | Loss of federal funding, not direct financial penalties
Breach notification | Mandatory within 72 hours for qualifying breaches | No equivalent mandatory timeframe

Common GDPR compliance mistakes in education

These are the mistakes that come up most often, regardless of institution size.

1. Signing up to EdTech tools and platforms without a data processing agreement in place.

2. Keeping student and applicant data indefinitely, rather than against a documented retention schedule.

3. Treating consent as the default lawful basis for everything, when it is often the weakest option available.

4. Having no clear process for verifying age or obtaining parental consent for younger students.

5. Relying on shared spreadsheets and personal email accounts instead of systems with proper access controls.

6. Treating the school or university website as exempt from GDPR website compliance requirements, when contact forms, cookies and admissions portals all process personal data.

Several of these mistakes trace back to the underlying systems rather than policy on paper.

How to build GDPR compliance into your systems, not bolt it on after

Retrofitting compliance onto an existing system is always harder, and usually more expensive, than designing for it from the outset. Role-based access, audit trails, data retention rules and consent management all work better as architecture decisions than as policy documents nobody reads. Knowing how to be GDPR compliant on paper matters far less than building systems that make compliance the default behaviour.
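As an added illustration of "compliance as the default behaviour" (example code written for this page, not Geeks' or any client's system), the small store below refuses to hold a category of student data until it has a documented lawful basis, a retention period and an allowed-roles list; every read is written to an audit trail, and the retention schedule is enforced by code rather than by policy. The category names, roles and dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed policy: a category of student data can only be stored once it has a
# documented lawful basis (one of the six under GDPR Art. 6), a retention period and
# the roles allowed to read it, so compliance is the store's default behaviour.
LAWFUL_BASES = {"consent", "contract", "legal_obligation", "vital_interests",
                "public_task", "legitimate_interests"}
@dataclass
class Category:
    name: str
    lawful_basis: str
    retention_days: int
    allowed_roles: frozenset
@dataclass
class Record:
    student_id: str
    category: str
    value: str
    collected: date
class StudentDataStore:
    def __init__(self):
        self.categories = {}
        self.records = []
        self.audit_log = []  # (date, role, student, category, outcome); never the value

    def register_category(self, cat):
        if cat.lawful_basis not in LAWFUL_BASES:
            raise ValueError(f"{cat.name}: '{cat.lawful_basis}' is not a lawful basis")
        self.categories[cat.name] = cat
    def store(self, rec):
        # Data minimisation enforced in code: an unregistered category cannot be collected.
        if rec.category not in self.categories:
            raise PermissionError(f"{rec.category}: no documented lawful basis")
        self.records.append(rec)
    def read(self, role, student_id, category, today):
        allowed = role in self.categories[category].allowed_roles
        self.audit_log.append((today, role, student_id, category, "READ" if allowed else "DENIED"))
        if not allowed:
            raise PermissionError(f"role {role} may not read {category}")
        return [r.value for r in self.records
                if r.student_id == student_id and r.category == category]
    def purge_expired(self, today):
        # The retention schedule is applied mechanically rather than relied on as policy.
        keep = [r for r in self.records
                if r.collected + timedelta(days=self.categories[r.category].retention_days) > today]
        dropped = len(self.records) - len(keep)
        self.records = keep
        return dropped
```

Running `purge_expired` on a schedule (and reviewing `audit_log` for DENIED entries) turns two of the "mistakes" above, indefinite retention and uncontrolled access, into things the system simply does not allow.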

Our work with Lord Wandsworth College on data visibility and admissions systems is a good example of what well-structured data governance looks like in practice, even though that particular project was not framed as a compliance exercise. The same principles (clean data architecture, clear access controls and proper reporting) apply directly to GDPR readiness.

If your institution is building or replacing a system that touches student data, whether that is a new LMS, a student management platform or a broader EdTech tool, our EdTech Software Development team builds a clear GDPR roadmap into the architecture from day one, rather than patching compliance in afterwards. For a broader, cross-industry look at this same problem, our guide on AI and data privacy covers the same principles outside of education specifically.

Final thoughts

GDPR and education compliance is not a one-time checklist. It is an ongoing responsibility that touches every system handling student or staff data, from admissions to learning platforms to communication tools. Getting the foundations right (lawful basis, data minimisation, proper vendor agreements and systems built with compliance in mind) protects students and reduces institutional risk in equal measure. If your institution needs systems built around these requirements from the ground up, Geeks' EdTech Software Development team can help.

FAQs

Does GDPR apply to US schools and universities?

Yes, whenever the institution processes personal data belonging to EU or UK students, staff or applicants. A purely domestic US institution with no EU or UK connection generally falls outside GDPR's scope, but most universities with any international programme will have some exposure.

What happens if a school or university is not GDPR compliant?

The ICO can issue fines of up to £17.5 million or 4% of global annual turnover, whichever is higher, alongside formal enforcement action and reputational damage. In practice, most early-stage non-compliance is addressed through guidance and corrective action rather than an immediate fine.

Do EdTech vendors need their own GDPR compliance, separate from the school?

Yes. Vendors processing student data on a school's behalf are data processors in their own right, and need a data processing agreement with the institution, alongside their own security and compliance measures.

Is parental consent required for under-13s under GDPR?

Generally yes, for processing based on consent specifically. The exact age threshold varies slightly between EU member states and the UK, so institutions need to check the specific rule that applies to their jurisdiction rather than assuming one age fits everywhere.

What does GDPR compliant mean for a school or university?

Being GDPR compliant means an institution can demonstrate a lawful basis for every type of data it processes, keeps that data only as long as necessary, and can show appropriate security and accountability measures are in place. It is not a one-off certificate, but an ongoing standard of practice.

Is GDPR the same as FERPA?

No. They are separate laws with different scope, different enforcement mechanisms and different requirements, even though both deal with student data. An institution compliant with one is not automatically compliant with the other.

Geeks Ltd