GDPR for School Administrators: What Data Sovereignty Actually Means
GDPR compliance in schools is often treated as a legal checkbox. Data sovereignty is something different — and more important. Here's what it actually means in practice.
When GDPR came into force in 2018, most schools responded the same way.
They updated their privacy policy. They added a cookie banner to the website. They sent a letter home to parents. They ticked the boxes, filed the paperwork, and moved on.
That was a reasonable response to an urgent legal deadline. It wasn’t the same thing as data sovereignty — and for schools handling student records, the difference matters.
GDPR compliance and data sovereignty are not the same thing
GDPR compliance is a legal baseline. It describes the minimum obligations your school must meet to avoid regulatory action.
Data sovereignty is a practical condition. It describes whether your school actually controls the data it is responsible for — where it lives, who can access it, and what happens to it when circumstances change.
A school can be technically GDPR compliant — with signed data processing agreements, a registered data protection officer, and an up-to-date record of processing activities — and still have very little real control over its student data.
This is more common than most school administrators realise.
Where the gap appears
Consider a typical scenario.
A school uses a student information system provided by a SaaS vendor. The vendor has a data processing agreement in place — GDPR compliant on paper. But the data itself lives on the vendor’s servers, in a data centre the school has never seen, in a country the school may not be aware of.
The school cannot export the data in a usable format without the vendor’s cooperation. It cannot verify independently that the data is being stored securely. It cannot guarantee that a student’s records will be fully deleted if a parent invokes their right to erasure — because deletion on the vendor’s platform may not mean deletion from their backups.
The school signed a compliant contract. But the school doesn’t own its data in any meaningful sense.
What student data is actually at stake
It’s worth being specific about what schools hold, because the sensitivity is easy to underestimate.
Student information systems typically contain names, addresses, and contact details for minors. Academic records spanning multiple years. Attendance data. Behavioural and disciplinary records. In many cases, information about learning needs, medical conditions, and family circumstances.
This is not generic business data. It is sensitive personal data about children — the most protected category of individuals under EU law.
The obligation to handle it carefully isn’t just legal. It’s a reasonable expectation from every family who trusts a school with their child’s information.
What data sovereignty looks like for a school
A school that genuinely owns and controls its data can answer the following questions with confidence:
Where is our student data stored? In an EU data centre, on infrastructure the school controls or has specifically contracted for that purpose.
Who can access it? Only authorised staff, under defined conditions, with access logs that can be reviewed.
Can we export it? At any time, in a usable format, without depending on a vendor’s cooperation.
Can we delete it completely? Yes — including from backups — when legally required to do so.
What happens if our software provider shuts down? The data remains accessible and under the school’s control, because it was never solely in the vendor’s hands.
If a school can answer all five questions clearly and confidently, it has data sovereignty. If any answer is uncertain, it has compliance paperwork — which is a different thing.
The practical path forward
Moving toward genuine data sovereignty doesn’t require replacing everything at once. It starts with understanding your current position.
Map the tools your school uses. For each one, establish where the data lives, what your data processing agreement actually guarantees, and what your options would be if you needed to leave.
Most schools find that this exercise produces a clearer picture than they had before — and identifies one or two systems that carry more risk than the others.
From there, the conversation becomes practical rather than abstract. Which systems handle the most sensitive data? Which ones have the weakest contractual protections? Where does the risk-to-effort ratio of making a change make the most sense?
Why this matters beyond compliance
Schools that take data sovereignty seriously are better positioned on every dimension that matters.
They can respond to parent requests quickly and completely. They carry less regulatory risk. They are less exposed when vendors change their terms, raise their prices, or shut down unexpectedly.
And they can say, with genuine confidence rather than legal formality, that they take the protection of their students’ information seriously.
That’s worth more than a checkbox.
If your school is working through these questions and wants to understand what vendor-free infrastructure might look like in practice, I’m happy to talk through it.
Connect on LinkedIn or reach out directly at hi@madalin.me.
Madalin
AI integrator🚀 Senior Architect | SRE & Database Expert | AI Orchestrator 👋 Building the future at the speed of thought. ⚡️ I don't just write code; I architect high-performance, bulletproof ecosystems. With a foundation in Systems Engineering and a mastery of Go and TypeScript, I bridge the gap between heavy-duty backend reliability and seamless, high-conversion frontends.
Continue the conversation
If this article reflects the challenges your organisation is navigating, explore more practical guidance across Madalin.