Why school communication platforms raise GDPR concerns
When a school uses a third-party platform to send messages to parents, that platform processes personal data — parent names, email addresses, phone numbers, and potentially pupil data pulled from the school's MIS. Under UK GDPR, the school remains the data controller (the organisation responsible for the data) while the platform is a data processor (processing data on the school's behalf).
This relationship creates a set of legal and contractual requirements that many schools — and many platform providers — do not fully address. The consequences of non-compliance range from ICO enforcement action to parent complaints and reputational damage.
The five key compliance requirements
1. Data Processing Agreement (DPA)
Any third-party data processor must have a written DPA with the school. The DPA must specify: what data is processed, for what purpose, for how long, who has access, what security measures are in place, and what happens to data when the contract ends. MySchoolUpdate provides a standard DPA to all schools as part of the setup process.
2. Data storage location
UK GDPR restricts where personal data can be stored. Data stored in the UK or within adequate countries is straightforward. Data stored in the US or other countries requires additional safeguards — standard contractual clauses (SCCs) or other transfer mechanisms — which add complexity and risk. Prefer platforms that store data exclusively in the UK.
3. Lawful basis for processing
Schools must identify and document the lawful basis for each type of communication. For operational communications (absence alerts, emergency notifications, safeguarding messages), "legitimate interests" or "public task" is typically appropriate. For optional communications (fundraising, commercial content from partners), "consent" is required. This distinction must be documented in the school's privacy notice.
4. Privacy notice and transparency
Parents must be informed that their data is shared with the communication platform, what it is used for, and how they can exercise their rights (access, rectification, erasure). This should be documented in the school's parent-facing privacy notice, updated when a new platform is introduced.
5. Subject Access Request (SAR) capability
Parents can request all data a school holds about them under UK GDPR's right of access. A school must be able to produce, within 30 days, all communications sent to a parent and the contact data held for them. The platform must be capable of generating a data export for this purpose.
GDPR compliance audit checklist for your communication platform
- A signed Data Processing Agreement (DPA) is in place with the platform provider
- The DPA specifies the categories of data processed and the purposes
- Data is stored in the UK (or an adequate country with appropriate transfer safeguards documented)
- The school's privacy notice references the communication platform and is up to date
- The lawful basis for each communication type is documented
- The platform can generate a data export for Subject Access Requests within the 30-day window
- A data deletion process is documented for when pupils leave or parents withdraw consent
- Staff using the platform have received appropriate data protection training
- The platform has been added to the school's data asset register
- The platform's sub-processors are disclosed and reviewed
Platform comparison: GDPR-relevant features
| GDPR factor | MySchoolUpdate | ClassDojo | Generic SaaS platforms |
|---|---|---|---|
| Data stored in UK | Yes | US-based | Varies — check carefully |
| DPA provided as standard | Yes | On request | Varies |
| SAR data export capability | Yes | Limited | Varies |
| No third-party marketing use of data | Confirmed | Privacy policy caveats | Varies |
| Wonde-approved data gateway | Yes — Wonde is DfE-approved | No MIS integration | Direct MIS access (higher risk) |
Frequently asked questions
Do schools need a DPA with their communication platform?
Yes. Under UK GDPR Article 28, any data processor must have a written DPA with the data controller (the school). This is a legal requirement, not optional guidance. Contact your platform provider if you do not have one in place.
What lawful basis should schools use for parent communications?
For operational and safeguarding communications: "legitimate interests" or "public task." For optional or marketing-type communications: "consent." Document your lawful basis in the school's privacy notice and review it when the communication purpose changes.
Can schools use US-based communication platforms?
With additional safeguards, yes. Standard contractual clauses and a transfer impact assessment are required. In practice, UK-based platforms are significantly lower risk and simpler to implement compliantly. For most schools, choosing UK storage is the pragmatic recommendation.
MySchoolUpdate is GDPR-compliant by design
UK data storage, DPA provided as standard, Wonde-approved MIS access, and no third-party data sharing. Book a demo to see how the platform handles data protection in practice.
Book demo Learn moreRelated guides
Safeguarding & Messaging · Ofsted & Communication · Going Paperless