Privacy & Security · June 25, 2026 · 6 min read

GDPR and Student Data: What International Schools Actually Need to Ask

A practical, plain-language guide to the student-data questions international schools should ask any EdTech tool. What data protection rules actually require, where the real risk sits, and the questions to put to every vendor.

Evident Team

International schools are, by design, complex institutions. Teachers hold credentials from multiple countries. Students carry passports from a dozen different jurisdictions. The school may be chartered in one country, physically based in another, and formally affiliated with an accreditation body somewhere else entirely. Into that complexity, schools load digital tools at a rapid pace: learning management systems, communication platforms, behavior trackers, progress monitoring apps, translation services.

Most of those tools collect personally identifiable information about students. Most schools never formally evaluate that collection until a compliance audit arrives, a parent submits a formal access request, or an IT incident forces the question.

This guide is not legal advice, and it is not a complete compliance checklist. It is a plain-language map of the data protection questions international schools should be asking, where the real risk tends to accumulate, and what honest evaluation of a vendor actually looks like.

What "GDPR" Actually Means for a School Outside the EU

The EU's General Data Protection Regulation is frequently described as a European law. The scope is broader than that.

GDPR applies to any organization that processes the personal data of individuals who are in the European Union, regardless of where the organization is located. An international school in Southeast Asia, the Gulf, or Sub-Saharan Africa that enrolls students with EU residency is processing data that falls under GDPR when handled by that school or its vendors. Geographic location of the school is not the determining factor. The location of the data subjects is.

Beyond GDPR itself, most major jurisdictions have enacted national frameworks that follow similar principles. The United Kingdom's UK GDPR closely mirrors the EU version post-Brexit. Switzerland, Brazil, India, South Korea, and dozens of other countries have either enacted or are actively implementing comparable legislation. International schools routinely serve families whose rights are governed by three or four different national frameworks simultaneously.

The practical implication: rather than trying to determine which specific law governs each family, it is safer and more defensible to design your data practices around the highest standard your student population requires, and to evaluate every tool accordingly.

The Questions That Actually Matter

Data protection frameworks differ in their specifics, but the core requirements they share point to the same set of practical questions.

Data minimization. Does the tool collect only what it genuinely needs? A well-being documentation platform that requests home addresses or student photographs when it only needs a name and class assignment is collecting more than necessary. Excess data creates excess risk.

Lawful basis. Under GDPR and most equivalents, every data processing activity requires a documented legal basis. For schools, this is typically "legitimate interests" or "performance of a task in the public interest," not consent. When a vendor asks students or families to "agree to terms of service," your data protection officer should evaluate whether that constitutes a valid legal basis for the processing being performed.

Data residency. GDPR restricts the transfer of personal data to countries that lack adequate protection, unless specific safeguards are in place (Standard Contractual Clauses being the most common mechanism). Before adopting any cloud-based tool, know where its infrastructure is physically located and how it handles cross-border data transfers.

Sub-processors. Your vendor almost certainly uses third-party services for hosting, email delivery, analytics, or customer support. A compliant vendor discloses its sub-processor list and contractually requires those sub-processors to meet the same standards.

Retention and deletion. What is the vendor's data retention policy? What happens to student records when a student leaves, when your contract ends, or when a parent submits a deletion request? There should be clear, documented answers to all three.

Access controls. Who inside the vendor's organization can access your school's data? Under what circumstances? Is that access logged and auditable?

A signed Data Processing Agreement. A DPA is the document that formalizes the legal relationship between your school (the data controller) and the vendor (the data processor). It defines what data is collected, how it is protected, who has access, how long it is retained, and what the vendor will do in the event of a breach. Without a signed DPA, you are operating without formal legal accountability from your vendor. This is the single most important document to request.

Where the Real Risk Usually Hides

Data protection problems in schools are often framed as a technology compliance problem. In practice, the risk is more often behavioral.

The shadow tool problem: a teacher finds a free attendance or progress tracking app that looks genuinely useful. They start entering student names and performance data. No one evaluated whether the app has a DPA, where its data is stored, or whether student records can be deleted when the teacher stops using it. Multiply this by dozens of teachers across a large campus and the exposure accumulates quickly.

Exported spreadsheets are a related risk. A teacher exports a class list from the student information system, emails it to a colleague for a meeting, and the file ends up on a personal device with no deletion date. Once data leaves a controlled system, it is effectively unauditable and cannot be deleted on request.

Screenshots shared in parent communication platforms carry the same risk. A screenshot of a behavior log is still personally identifiable student data, with no retention controls and no deletion mechanism.

The common thread is the absence of a deletion path. Data inside a controlled system with defined retention periods can be managed, audited, and deleted on request. Data outside that system generally cannot.

How to Evaluate a Vendor Honestly

Request the DPA before the commercial conversation advances. A vendor who can provide one quickly and without pushback has thought seriously about data protection. A vendor who needs to "check whether we have one" may not have.

Ask specifically who at the vendor organization can access your school's data, and under what circumstances. Routine support and debugging should not require access to live student records.

Ask how a parent's right-to-erasure request is handled end to end. Your vendor should be able to walk through exactly what happens in their system when you submit that request, including confirmation that deletion is permanent.

Be appropriately skeptical of blanket claims. A vendor who says they are "fully GDPR compliant" is offering a marketing statement, not a legal commitment. Compliance is not a fixed certification that can be earned once and then held indefinitely. What matters in practice is whether the vendor provides a DPA your data protection officer can review, documents its sub-processors clearly, and can actually execute deletion and export requests on demand.

Evident's Approach

Evident provides behavior and well-being documentation built for international schools. The platform is designed around data-minimal, access-controlled workflows: teachers capture structured evidence notes, role-based permissions control visibility across staff, and the access audit trail is available to school administrators.

A few things to understand before you evaluate us. Evident runs on US-hosted infrastructure. That means data transfers from EU-resident students require Standard Contractual Clauses, and we provide the relevant documentation on request.

Evident does not claim a GDPR certification. We provide a signed DPA, data-minimal and access-controlled workflows, and export and permanent-delete controls, and we expect your data protection officer to review the DPA.

One scope clarification worth stating plainly: Evident is not a statutory safeguarding case-management system. The platform documents day-to-day behavior and well-being evidence for teachers and school counselors. For formal child protection case management, schools should use a purpose-built system alongside Evident.

If you are working through a structured review of your current tool stack, a practical data-protection checklist covers the specific questions to put to every vendor. And for the specifics of how we store, protect, and delete your school's data, see how Evident handles your school's data.
