GDPR Data Protection For Schools

Schools marketers are feeling the tension with the GDPR changes coming into effect on 25 May 2018, and in this article I work through practical data protection for schools. Before I get into it, take note that Australian schools can take a deep breath because, legally speaking, it only applies if you are controlling or processing any data of people in the EU and UK. Practically, though, we should be taking every measure possible to ensure that we are looking after our parents’ and prospects’ data and empowering people to choose how their data is used. Global online marketing is moving towards increased protection and transparency, and it’s good practice to get ahead of the game.

Remember to join the discussion in the Marketing Mastery For Schools Facebook Group.

I’ve covered the key areas that require attention including your email marketing, website and pay-per-click advertising:

Email marketing


  • Don’t subscribe people to a list they didn’t opt in to: If people are opting in to receive a free resource but you intend to add them to your marketing list to receive regular updates, then you should add a tick box where they can expressly opt in to receive regular updates. See the example below (thanks to Active Campaign):
  • Having a link to your privacy statement in your website’s footer isn’t enough; you should also have it available at the bottom of the form at the point of sign-up (see the example above).
  • Don’t use pre-ticked boxes; the user has to actually tick any form boxes themselves.
  • Opt-out as a means of subscribing people to your list is a no-no. For example, don’t say: “if you would rather not receive emails from us tick the box to opt-out.” Instead, there should always be a positive, affirmative action taken by the user.
  • Always have an unsubscribe link in every bulk email (yes, even if the email is to parents).
  • Don’t send bulk emails from your personal email account – they’ll have poor deliverability and don’t provide the option for people to opt out.
  • Be careful about sharing email addresses and parent details with others – including parent volunteers and businesses that may want to contact your parents.
  • Don’t continue to email people that have unsubscribed from your list.
  • Remove people that have been inactive in your email list for the past 5 years.


Facebook and Google Advertising

If you are using the Facebook pixel you can continue to do so with a few precautions:

  • Make sure you have a pixel policy within your privacy policy linked in the footer of your website.
  • Use ‘lookalike’ audiences very cautiously. Technically speaking, the base data that is used to create a lookalike audience can only be used if there is express consent specifically for creating lookalike audiences. This is a grey area for the online marketing industry that needs further clarification.


Website Compliance

  • If you are using the Facebook Pixel or retargeting website visitors, have a header or footer bar that gives people the opportunity to expressly consent to their data being used. See the example below (thanks to Google).
  • Make sure that your remarketing platform (Facebook or Google) is set up to only retarget to people that consented. A useful guideline on how this can be done can be found here.
  • Make sure you have a privacy statement in the footer of your website (or visible on every page of your website) detailing which data you collect and how you intend on using that data.


Practical Application

  • Train staff in data protection habits. Generally, they should not:
    o Take files containing personal information home.
    o Download customers’ files to their personal PCs, or else delete any files directly after they are used.
    o Bulk email parents from their email address.
  • Make sure that any agencies that have access to your data are GDPR compliant as data processors. Give them the GDPR checklist that they should comply with. DO NOT use agencies that set up advertising outside of ad accounts that you own and control.
  • Software that you use should also be GDPR compliant, as its providers are considered data processors or owners. There is not yet a ‘certificate’ for GDPR compliance, but many of the large companies have issued GDPR compliance statements that you should look out for.

I’ve prepared a downloadable checklist for you to give to staff, suppliers and agencies, accessible in the marketing toolkit below.

I hope that this guide helps you put your mind at rest about GDPR compliance and also helps you take practical steps in protecting your data and community!
