GDPR Compliance for School Data Migration: Complete European Schools Guide
Table of Contents
- GDPR Basics for Schools
- GDPR vs FERPA: Key Differences
- Data Protection Impact Assessment (DPIA) Template
- Data Subject Rights During Migration
- International Data Transfers (EU to US)
- Breach Notification Requirements (72 Hours)
- Lawful Basis for Processing Student Data
- GDPR Migration Compliance Checklist
GDPR Basics for Schools
The General Data Protection Regulation (GDPR) is a European Union regulation that protects the personal data of individuals within the EU. For schools, GDPR applies regardless of where the school is physically located if it processes data of EU residents. This means European schools (including international schools in the EU) and any school that enrolls EU students must comply.
Key GDPR Concepts for School Data Migration
- Personal Data: Any information relating to an identified or identifiable natural person (student names, addresses, grades, attendance, disciplinary records, health information, photos)
- Special Category Data: More sensitive data requiring higher protection (health information, biometric data, religious/political beliefs, special education needs)
- Data Controller: The school (determines purpose and means of processing)
- Data Processor: Vendor or consultant handling data on school's behalf (must sign Data Processing Agreement)
- Data Subject: The student (or parent for minors)
⚠️ Critical: GDPR applies to data migration activities. Moving student data from one system to another is "processing" under GDPR and requires a lawful basis, transparency with data subjects, and appropriate security measures.
GDPR vs FERPA: Key Differences for Migration
| Requirement | GDPR (EU) | FERPA (US) |
|---|---|---|
| Consent Requirement | Explicit opt-in required for most processing, can be withdrawn anytime | Consent not required for school official functions; written consent required for redisclosure |
| Breach Notification | 72 hours to supervisory authority; without undue delay to data subjects | No federal mandate; varies by state (some have 30-60 day requirements) |
| Data Transfer Restriction | Transfers to "inadequate" countries restricted unless safeguards in place | No explicit restriction on international transfers |
| Right to Erasure | Yes ("right to be forgotten" under specific conditions) | No; student records must be retained per state requirements |
| Data Protection Officer | Required for public authorities (including public schools) | Not required but recommended |
| DPIA Required | Yes for high-risk processing (including new technology implementations) | Not explicitly required but good practice |
đź’ˇ Key Insight: GDPR is generally more prescriptive and imposes stricter requirements than FERPA. European schools migrating data must comply with GDPR even if they also follow FERPA-like principles.
Data Protection Impact Assessment (DPIA) Template
Under GDPR Article 35, schools must conduct a Data Protection Impact Assessment before processing that is "likely to result in a high risk" to data subjects. Implementing a new SIS/LMS or migrating data to a different system typically triggers this requirement.
DPIA Template for School Data Migration
Section 1: Description of Processing
- What data is being migrated? (Student records, grades, attendance, health information, etc.)
- From what system to what system? (Old SIS → New SIS)
- How many data subjects? (Number of students and parents affected)
- Migration method? (CSV export/import, API, vendor-managed)
- Data retention after migration? (Will old system data be deleted?)
Section 2: Necessity and Proportionality
- What is the lawful basis for processing? (Public task, legitimate interest, consent)
- Is the migration necessary for school operations?
- Could the same outcome be achieved with less data or lower risk method?
Section 3: Risk Assessment
- Likelihood of breach: Low/Medium/High (justify)
- Severity of impact if breach occurs: Low/Medium/High
- Overall risk level: Low/Medium/High
- Specific risks identified: Unauthorized access during transfer, data corruption, incomplete transfer, vendor data breach
Section 4: Mitigation Measures
- Encryption in transit (TLS 1.2+ or SFTP)
- Encryption at rest (AES-256)
- Access controls (time-limited credentials, MFA)
- Vendor DPA in place (includes GDPR Article 28 clauses)
- Audit logging enabled
- Data minimization (only migrating necessary fields)
Section 5: Consultation
- Has the Data Protection Officer been consulted? (Yes/No/Not Required)
- Has the supervisory authority been consulted? (If high risk cannot be mitigated)
- DPIA sign-off by: __________________ (Head of School/DPO)
- Date: __________________
Data Subject Rights During Migration
GDPR grants individuals specific rights that schools must accommodate even during migration periods. Failure to do so can result in complaints to supervisory authorities.
Rights Applicable During Migration
- Right to Access (Article 15): Parents/students can request a copy of their data. Your migration processes must not prevent timely fulfillment of access requests.
- Right to Rectification (Article 16): Parents/students can correct inaccurate data. If data is in transit, you may need to pause migration or handle corrections post-migration with clear communication.
- Right to Erasure (Article 17): Under specific conditions (e.g., data no longer needed, consent withdrawn). Significant for schools that no longer need to retain data of former students.
- Right to Restrict Processing (Article 18): Parents/students can request processing be limited while disputes are resolved.
- Right to Data Portability (Article 20): The right to receive data in a structured, commonly used, machine-readable format. This is essentially the school's right to migrate data out—ironically, the same right schools use to leave vendors.
đź’ˇ Pro Tip: Include information about the migration in your school's privacy notice. Update the notice before migration begins to inform parents/students about the new system, data flows, and how to exercise their rights during the transition.
International Data Transfers (EU to US)
One of the most complex GDPR issues for schools is transferring student data outside the EU. Many cloud SIS and LMS providers are US-based companies (PowerSchool, Canvas, Schoology, Infinite Campus).
Legal Transfer Mechanisms
- EU-US Data Privacy Framework (DPF): The newest adequacy decision (July 2023). US companies can self-certify. Check if your vendor is listed at dataprivacyframework.gov.
- Standard Contractual Clauses (SCCs): If vendor is not DPF-certified, you must sign SCCs (European Commission-approved contract terms) with them.
- Binding Corporate Rules (BCRs): For multinational school groups with intra-group transfers (complex, expensive, rare for individual schools).
- Derogations (limited use): Explicit consent from parent/student (but can be withdrawn, not reliable for ongoing processing).
Questions to Ask US-Based SIS Vendors
- Are you certified under the EU-US Data Privacy Framework? (Get certificate number)
- If not, will you sign Standard Contractual Clauses (SCCs) as part of our DPA?
- Where is your primary data hosting location? (US, EU, other)
- Do you offer EU data hosting options? (Some vendors now offer "EU region" hosting)
- Have you conducted a Transfer Impact Assessment (TIA) for EU data?
⚠️ Important: The previous EU-US Privacy Shield was invalidated (Schrems II ruling). The new Data Privacy Framework is being challenged. For the highest legal certainty, also require SCCs even if vendor is DPF-certified.
Breach Notification Requirements (72 Hours)
Under GDPR Article 33, data controllers (the school) must notify their supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to data subjects.
What Constitutes a Breach During Migration?
- Unauthorized access to student data during transfer (e.g., unencrypted file intercepted)
- Vendor data breach affecting school data
- Data corruption or loss (if it affects data subjects)
- Inadvertent disclosure (e.g., email sent to wrong recipient containing student data)
- System misconfiguration exposing student data
Breach Response Plan for Migration
- Immediate (First hour): Contain the breach, preserve evidence, notify DPO
- First 24 hours: Assess risk to data subjects, determine if notification required
- First 48 hours: Draft notification to supervisory authority, begin remediation
- Within 72 hours: Submit breach notification to supervisory authority (or explain delay)
- Without undue delay: Notify affected data subjects if high risk to their rights
Information to Include in Breach Notification
- Nature of the breach (what happened, when, what data involved)
- Contact point for more information (DPO or school contact)
- Likely consequences of the breach
- Measures taken or proposed to address the breach
- Recommendations for data subjects to mitigate potential harm
Lawful Basis for Processing Student Data During Migration
Under GDPR Article 6, you must have a lawful basis for processing student data. Migration activities are processing and require a basis.
Most Relevant Lawful Bases for Schools
- Public Task (Article 6(1)(e)): Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority. This is the primary basis for public schools.
- Legitimate Interests (Article 6(1)(f)): Processing necessary for legitimate interests pursued by the school (e.g., efficient administration). Must balance against rights of data subjects.
- Consent (Article 6(1)(a)): Not recommended for core processing as it can be withdrawn. Use only for non-essential processing (e.g., photo use).
- Legal Obligation (Article 6(1)(c)): Processing necessary to comply with law (e.g., state attendance reporting).
đź“Ś Key Takeaway: Most public schools will rely on "Public Task" as the lawful basis for migration. Document this basis in your DPIA and privacy notice. Private schools typically rely on "Legitimate Interests" or "Contract" (with parents).
GDPR Migration Compliance Checklist
Pre-Migration (4-6 Weeks Before)
- Designate or consult Data Protection Officer (DPO)
- Complete Data Protection Impact Assessment (DPIA) for new system and migration
- Sign Data Processing Agreement (DPA) with all vendors (new SIS, migration consultant, backup provider)
- Verify legal transfer mechanism for any data leaving EU (DPF certification or SCCs)
- Update school privacy notice to include migration and new system
- Document lawful basis for processing (Public Task or Legitimate Interests)
- Map all data flows (source → transformation → target → storage → deletion)
During Migration
- Enable full audit logging of all data access during migration
- Encrypt data in transit (TLS 1.2+ or SFTP)
- Encrypt data at rest (AES-256) in both source and target
- Use time-limited credentials for vendor access
- Process only minimum necessary data (data minimization)
- Have breach response plan ready (including 72-hour notification template)
Post-Migration
- Securely delete migrated data from temporary storage
- Document retention periods for data in new system
- Respond to any data subject access requests received during migration
- Update data processing records (Article 30 record of processing activities)
- Schedule annual review of DPIA and vendor DPAs
📌 Key Takeaway: GDPR compliance for migration requires documentation (DPIA, DPAs, transfer mechanisms), transparency (updated privacy notice), and security (encryption, access controls, breach response). The 72-hour breach notification clock is unforgiving—prepare templates in advance.
Use our free migration planner to track your GDPR compliance checklist.
Launch Migration Planner →