GDPR. Does It Apply To Your School?

GDPR. Does It Apply To Your School?

Top 5 Questions You Need to Ask to Understand If GDPR Applies to Your Organization

1 – What is GDPR?

General Data Protection Regulation (GDPR) is a set of provisions passed by the European Union (EU) governing how data can be collected, used and shared. The requirements will come into effect on May 25, 2108 with the goal to give EU citizens and residents control over their personal data and to simplify the regulatory environment for international business.

2 – Can GDPR apply to private schools in the US and Canada?

Yes. GDPR may apply to schools in two ways.  

First, some schools may have enough presence in the EU such that the law would consider the school “established” in the EU and therefore subject to its regulations. GDPR is not clear on what factors constitute “established”, but schools may want to consider if they have a campus in the EU, have a study abroad program in the EU, work with corporate partners based in the EU, employ staff in the EU or are otherwise “established” in the EU.

Second, GDPR applies to organizations that either “control” (i.e. collect) personal data from EU residents, or “process” (i.e. store, utilize) that data on behalf of a data controller such as a cloud service provider. Depending on the school’s situation, it may be both a controller and processor of data. More often than not, schools may use companies to collect and process data from EU residents. These companies would very likely be subject to GRDP. Finally, it is important to be prepared for responding to EU residents connected to your school who are aware of GDPR and may ask or request how your school is respecting the regulation provisions.  

While GDPR is clearly broad and far-reaching, there is certainly an open question as to whether the EU can enforce its provisions on a school operating outside of its jurisdiction.

3 – What is ‘personal data’ as defined by GDPR?

Personal data may include any information that can directly or indirectly identify a person. For schools, this data may include:

  • Photographs or videos of an identifiable face or with attached metadata
  • Social media posts with descriptions and tagged people
  • Medical information
  • IP addresses

Personal data may also be much broader depending on how exactly an institution’s current data privacy policies define personal or student information.

4 – How do we know if our school is a ‘data controller’?

If you are actively collecting information from EU residents (students or parents), you are likely consider a data controller under GDPR. A few common areas where a school may be collecting data of EU residents are through:

  • Application process
  • Forms related to accepted students from the EU
  • Contact information collection forms
  • Alumni relations
  • Donor information

If these are areas where you collecting personal data of EU residents, it’s a good idea to seek further legal advice on how GDPR may apply to your school.

5 – What are ‘data processors’ and what are examples of these services that might be used at our school?

If your school is collecting personal data from EU residents, then you may be processing and storing that data internally or externally. If internally, you may also be a data processor under the regulation. More likely you are using third parties to process and store that personal data. Some examples of data processors are:

  • Student information systems (SIS)
  • Learning management platform
  • Cloud storage services (Google, Amazon)
  • Media management tools (Vidigami)
  • Mailing list providers (mailchimp)
  • Student medical information systems
  • Fundraising and donor management systems

While there remains a lot of open questions about GDPR, best practices would indicate that US and Canadian-based schools should work to comply with GDPR requirements and ensure that all their “data processors” do the same.

Vidigami is both a data controller (asking for personal data such as photos and names) as well as a data processor (hosting and maintaining that data for the school). Thus, Vidigami is GDPR-compliant and is prepared to manage personal data in the form of media privately and securely. For more information on how the platform can benefit your school and protect student information, please reach out to



Rules for the protection of personal data inside and outside the EU

Is Your Institution Ready for GDPR?

By |2018-05-17T08:56:30+00:00May 17th, 2018|Privacy and Security|0 Comments

About the Author:

Leave A Comment