
Vetting EdTech Suppliers for GDPR Compliance

Written by Alexander Banthien | Apr 13, 2026 1:51:48 PM

How to assess and contract EdTech suppliers so schools meet UK GDPR requirements.


Due diligence essentials: roles, risks and required evidence

Third-party risk is now one of the most common contributors to data incidents in schools and trusts. Taking a structured approach to assessing EdTech and ICT suppliers helps protect pupil and staff data, demonstrate compliance, and reduce disruption when something goes wrong.

Begin by clarifying roles. In most cases, schools and MATs act as the data controller, while EdTech providers act as data processors on the school's documented instructions. Some suppliers may be joint controllers (or independent controllers for part of the service, such as their own product analytics), depending on how the service is designed and who decides the purposes and means of the processing. The role determines which contractual terms you need, so settle it before drafting.

Your due diligence should map:

  • the data being processed

  • the purposes and lawful bases

  • where the data flows and is stored

Alongside this, test the supplier’s security, resilience and transparency. Look for:

  • independent assurance (e.g. Cyber Essentials, ISO 27001)

  • clear breach notification commitments

  • transparency around sub‑processors

  • data residency information

  • robust access controls and authentication

Using public sector buying principles as a benchmark will help you keep expectations realistic but firm.

The Government’s Digital, Data and Technology Playbook sets out good commercial practice for digital services, including supplier assurance and security expectations. For education-specific expectations, review the Department for Education guidance on data protection and MIS procurement, particularly around security, contractual safeguards and exit planning (for example, Data protection in schools and MIS commercial considerations).

These sources can help school and trust leaders, governors and data protection officers (DPOs) set consistent, defensible standards when assessing suppliers.

Repeatable due diligence: questionnaires and evidence packs

Due diligence is most effective when it is repeatable. Turn your checks into a structured questionnaire and evidence pack that you can reuse across suppliers.

Ask each supplier to confirm their role (controller, joint controller or processor) and provide a Data Processing Agreement (DPA) that aligns with UK GDPR and your policies.

Request clear information on technical and organisational measures, including:

  • multi-factor authentication for administration consoles

  • single sign-on (SSO) for users

  • encryption in transit and at rest, and how keys are managed

  • backup and restore testing, including frequency and scope

  • vulnerability management and patching cadence

  • endpoint and server hardening

  • network perimeter controls such as firewalls and filtering

  • logging, monitoring and alerting

  • incident detection and response processes

Also look for evidence of:

  • staff vetting and regular training on data protection, confidentiality and security awareness

  • least-privilege access controls

  • separation between production, test and development environments

Finally:

  • Ask for certificates and reports where they exist (for example, an ISO 27001 certificate and statement of applicability, Cyber Essentials or Cyber Essentials Plus) and any recent penetration testing or audit summaries. Check the scope and expiry date of each certificate: an ISO 27001 certificate only covers the systems and locations named in its scope, which may not include the service you are buying.

  • Request a list of sub‑processors and how you will be notified about changes.

  • Check data flows and residency: where pupil, staff and parent data will be stored and processed, whether international transfers are involved, and which safeguards apply.

  • Clarify how long logs and backups are retained and whether customer‑managed encryption keys are available.

  • Test “privacy by design” in practice: are there sensible data‑minimisation defaults, safe analytics configurations, and the option to disable invasive features such as detailed behavioural profiling?

  • Where possible, connect your due diligence questions to your record of processing activities (RoPA) and data protection impact assessment (DPIA) processes, so information collected once supports multiple records and assessments.

  • Do not overlook operational resilience: review SLA uptime commitments, recovery time and recovery point objectives (RTO/RPO), and how the supplier communicates and manages major incidents.

Public sector procurement standards show that expectations are rising; schools can use them as a guide to raise the bar in a proportionate way.

Contracts that work: DPA clauses, security and exit plans

Contracts should capture your expectations clearly and give you appropriate control. Your DPA should include the processor obligations set out in Article 28 UK GDPR and require the supplier to:

  • process data only on documented instructions

  • maintain confidentiality

  • implement agreed security measures

  • manage and disclose sub‑processors appropriately

  • assist with data subject rights requests

  • notify you of personal data breaches without undue delay

  • support DPIAs where their service is involved

  • securely delete or return data at the end of the contract

Where appropriate, include audit and assurance rights (on a reasonable and secure basis), clear expectations around incident co-operation and evidence sharing, and obligations to notify you before making changes that materially increase risk.

For MIS and other core platforms, you should also require a practical exit plan, covering:

  • export formats and scope of data

  • migration support

  • a defined timetable and method for verified deletion

Check that any cyber insurance arrangements held by the supplier do not dilute or restrict their obligations in the event of a breach.

Operationalising checks: onboarding, monitoring and MAT governance

To make this manageable across a school or trust, embed these checks into a simple lifecycle:

  • Onboarding: complete the questionnaire, review the evidence, and record a risk rating proportionate to the service. For high-risk tools (for example, safeguarding, communications, identity or AI-enabled services), complete a DPIA and involve IT to validate key controls.

  • In life: monitor changes to the service, including sub-processor updates, significant new features (especially AI-related features) and any service incidents affecting availability or data. Schedule an annual refresh of key evidence and use periodic spot checks to confirm that access controls and logging remain effective.

  • MAT governance: in a trust, centralise baseline checks and maintain an approved supplier list and model clauses. Individual schools can then adopt these standards, recording any local variations where needed.

This approach keeps procurement efficient while maintaining a clear line of sight over risk. It also ensures you have the evidence you need to respond confidently to governors, boards and regulators, and makes your next audit significantly easier.

If you're looking to save time and simplify your supplier due diligence, GDPRiS can help: contact us today.