Data Protection Guide

GDPR Compliance for
School Communication Systems

UK GDPR places specific obligations on schools when using third-party platforms to communicate with parents. This guide explains what compliance requires and how to assess whether your current or prospective platform meets the standard.

Book a demo

Why school communication platforms raise GDPR concerns

When a school uses a third-party platform to send messages to parents, that platform processes personal data — parent names, email addresses, phone numbers, and potentially pupil data pulled from the school's MIS. Under UK GDPR, the school remains the data controller (the organisation responsible for the data) while the platform is a data processor (processing data on the school's behalf).

This relationship creates a set of legal and contractual requirements that many schools — and many platform providers — do not fully address. The consequences of non-compliance range from ICO enforcement action to parent complaints and reputational damage.

Common compliance gap: Many schools are using communication platforms without a signed Data Processing Agreement (DPA). This is a legal requirement under UK GDPR Article 28, not a best-practice recommendation. If your platform does not offer a DPA, or has not provided one, this requires immediate attention.

The five key compliance requirements

1. Data Processing Agreement (DPA)

Any third-party data processor must have a written DPA with the school. The DPA must specify: what data is processed, for what purpose, for how long, who has access, what security measures are in place, and what happens to data when the contract ends. MySchoolUpdate provides a standard DPA to all schools as part of the setup process.

2. Data storage location

UK GDPR restricts where personal data can be stored. Data stored in the UK or within adequate countries is straightforward. Data stored in the US or other countries requires additional safeguards — standard contractual clauses (SCCs) or other transfer mechanisms — which add complexity and risk. Prefer platforms that store data exclusively in the UK.

3. Lawful basis for processing

Schools must identify and document the lawful basis for each type of communication. For operational communications (absence alerts, emergency notifications, safeguarding messages), "legitimate interests" or "public task" is typically appropriate. For optional communications (fundraising, commercial content from partners), "consent" is required. This distinction must be documented in the school's privacy notice.

4. Privacy notice and transparency

Parents must be informed that their data is shared with the communication platform, what it is used for, and how they can exercise their rights (access, rectification, erasure). This should be documented in the school's parent-facing privacy notice, updated when a new platform is introduced.

5. Subject Access Request (SAR) capability

Parents can request all data a school holds about them under UK GDPR's right of access. A school must be able to produce, within 30 days, all communications sent to a parent and the contact data held for them. The platform must be capable of generating a data export for this purpose.

GDPR compliance audit checklist for your communication platform

Platform comparison: GDPR-relevant features

GDPR factorMySchoolUpdateClassDojoGeneric SaaS platforms
Data stored in UKYesUS-basedVaries — check carefully
DPA provided as standardYesOn requestVaries
SAR data export capabilityYesLimitedVaries
No third-party marketing use of dataConfirmedPrivacy policy caveatsVaries
Wonde-approved data gatewayYes — Wonde is DfE-approvedNo MIS integrationDirect MIS access (higher risk)
Wonde and GDPR: MySchoolUpdate uses Wonde to connect to the school MIS. Wonde is an approved data sharing gateway endorsed by the Department for Education. Rather than platforms accessing MIS data directly, Wonde acts as a controlled intermediary — limiting what data is shared and providing an audit trail. This is the DfE's recommended approach for third-party MIS access.

Frequently asked questions

Do schools need a DPA with their communication platform?

Yes. Under UK GDPR Article 28, any data processor must have a written DPA with the data controller (the school). This is a legal requirement, not optional guidance. Contact your platform provider if you do not have one in place.

What lawful basis should schools use for parent communications?

For operational and safeguarding communications: "legitimate interests" or "public task." For optional or marketing-type communications: "consent." Document your lawful basis in the school's privacy notice and review it when the communication purpose changes.

Can schools use US-based communication platforms?

With additional safeguards, yes. Standard contractual clauses and a transfer impact assessment are required. In practice, UK-based platforms are significantly lower risk and simpler to implement compliantly. For most schools, choosing UK storage is the pragmatic recommendation.

MySchoolUpdate is GDPR-compliant by design

UK data storage, DPA provided as standard, Wonde-approved MIS access, and no third-party data sharing. Book a demo to see how the platform handles data protection in practice.

Book demo Learn more

Related guides

Safeguarding & Messaging  ·  Ofsted & Communication  ·  Going Paperless