Schools marketers are feeling the tension with the GDPR changes coming into effect on 25 May 2018 and in this article, I work through practical data protection for schools. Before I get into it, take note that Australian Schools can take a deep breath because legally speaking it only applies if you are controlling or processing any data of people in the EU and UK. Practically though, we should be taking every measure possible to ensure that we are looking after our parents and prospects data and empowering people to choose how their data is used. Global online marketing is moving towards increased protection and transparency and it’s good practice to get ahead of the game.

Remember to join the discussion in the  Marketing Mastery For Schools Facebook Group.

I’ve covered the key areas that require attention including your email marketing, website and pay-per-click advertising:

Email marketing


  • Don’t subscribe people to a list they didn’t opt-in for: If people are opting in to receive a free resource but you intend to add them onto your marketing list to receive regular updates, then you should add a tick box where they can expressly opt-in to receive regular updates. See the example below (thanks to Active Campaign):
  • Having a link to yourprivacy statement in your website’s footer isn’t enough, you should also have it available at the bottom of the form at the point of sign up (see the example above).
  • Don’t use pre-ticked boxes, the user has to actually tick any form boxes themselves.
  • Opt-out as a means of subscribing people to your list is a no-no. For example, don’t say: “if you would rather not receive emails from us tick the box to opt-out.” There should rather always be a positive affirmative action taken by the user.
  • Always have an unsubscribe link in every bulk email (yes, even if the email to parents).
  • Don’t send bulk emails from your personal email account – they’ll have poor deliverability and don’t provide the option for people to opt-out.
  • Be careful about sharing email address and parent details with others – including parent volunteers and business that may want to contact your parents.
  • Don’t continue to email people that have unsubscribed from your list.
  • Remove people that have been inactive in your email list for the past 5 years.


Facebook and Google Advertising

If you are using the Facebook pixel you can continue to do so with a few precautions:

  • Make sure you have pixel policy within your Privacy policy linked in the footer of your website.
  • Use ‘lookalike’ audiences very cautiously. Technically speaking, the base data that is used o create a lookalike audience can only be used if there is express consent specifically for creating lookalike audiences. This is a grey area for the online marketing industry that needs further clarification.


Website Compliance

  • If you are using the Facebook Pixel or retargeting website visitors, have a header or footer bar that gives people the opportunity to expressly consent to their data being used. See the example below (thanks to Google).
  • Make sure that your remarketing platform (Facebook or Google) is set up to only retarget to people that consented. A useful guideline on how this can be done can be found here.
  • Make sure you have a privacy statement in the footer of your website (or visible on every page of your website) detailing which data you collect and how you intend on using that data.


Practical Application

  • Train Staff in data protection habits. Generally, they should not:
    o Take files containing personal information home
    o Download customers files to their personal pcs or delete any files directly after they are used.
    o Bulk email parents from their email address..
  • Make sure that any agencies that have access to your data are GDPR compliant as data processors. Give them the GDPR checklist that they should comply with. DO NOT use agencies that setup advertising outside of our ad accounts that you own and control.
  • Software that you use should also be GDPR compliant as they are considered data processor or owners. There is not yet a ‘certificate’ for GDPR compliance, but many of the large companies have issued GDPR compliance statements that you should look out for.

I’ve prepared a downloadable checklist for you to give to staff, suppliers and agencies; accessible in the marketing toolkit below.

I hope that this guide helps you put your mind at rest about GDPR compliance and also helps you take practical steps in protecting your data and community!



Access The GDPR Compliance Checklist

A pratical check list for school staff, agencies and third parties.

Join the Marketing Mastery For Schools Facebook Group

Subscribe to the Schools Marketing Newsletter

More Schools’ Marketing Blog Posts

Digital Marketing Strategy for Schools

Digital Marketing Strategy for Schools

The key to executing a successful digital marketing strategy for schools is planning for success. A digital marketing strategy will continue to work hard for your school if planned, developed and executed in a way that’s carefully considered, as well as data-driven.

Private School Marketing Strategies

Private School Marketing Strategies

What private school marketing strategies do you have in place? The strategies are the key to targeting an audience who is actively looking to enrol their child in a private school, resulting in a much higher return on investment.

SEO For Schools

SEO For Schools

SEO for schools may be the biggest untapped potential source of enrolments for you. Search rankings are continuously changing and so is SEO practice. This article is a comprehensive go-to article for school marketers that includes everything you need to know to start out in SEO for schools.

Request Your Free Strategy Call Today

Please complete your details so we can book your appointment...

You have Successfully Subscribed!

jjjkkkjRequest Your Free Strategy Call Today

Please complete your details so we can book your appointment...

You have Successfully Subscribed!