An international school is, by definition, a place where data moves. Families arrive from one country, students transfer to universities in another, and the operations team supports staff across multiple time zones. The General Data Protection Regulation does not ask schools to stop that movement; it asks them to be transparent and accountable about it. Borderset is built so that international schools can meet GDPR obligations as part of their normal week rather than as a separate emergency project.
Pick a lawful basis you can actually defend
GDPR requires a lawful basis for every category of student data you process. For most school records, that basis is "performance of a contract" with the family or "legitimate interest" in delivering education — not blanket consent. Document the basis once per data category, store it in your records of processing, and revisit it when the curriculum or vendor list changes. A clean school management system like Borderset gives you one place to anchor that mapping instead of stitching it across email threads.
Data residency and transfers
When student data leaves the European Economic Area, you need a recognized transfer mechanism: standard contractual clauses, adequacy decisions, or binding corporate rules. Ask your vendors where they host data, where their support staff sit, and which subprocessors they rely on. Borderset publishes that information on its security and compliance page so families and inspectors can verify the chain in minutes.
DPIAs without the drama
A Data Protection Impact Assessment sounds heavy but works best as a structured conversation. List the new processing activity, the data involved, the risks to students, and the controls that reduce those risks. Reuse the same template each year. Pair it with student tracking reports to show what is captured and who sees it.
Operationalize parent and student rights
Parents and students hold six rights: access, rectification, erasure, restriction, portability, and objection. Each right has a one-month default response window, and missing it can trigger regulator attention. Build a single inbox for data requests, route them to one named owner, and use audit logs to prove you delivered. Borderset's role-based exports let an operations lead produce a portable record without exposing teacher notes that should stay internal. Pairing this with parent portal communication that is aligned to family expectations keeps requests rare and routine.
Growth complicates this picture quickly. A network that scales across borders inherits new regulators with every campus opening. Read the Level Up case study to see how one group moved from two to nine campuses on Borderset while keeping a defensible privacy posture.
A common failure mode for international schools is the "shadow integration": a teacher signs up a free tool, uploads a class roster, and forgets about it. Six months later, that vendor's privacy policy quietly changes. Avoid this by giving teachers a short, sanctioned list of approved tools and a one-line escalation path for new requests. Borderset's central student record means a teacher rarely needs to leave the platform to do their job, which removes most of the motivation to spin up a side tool in the first place.
Communication style matters under GDPR too. Privacy notices should be written for the youngest reader who can plausibly understand them — usually around age twelve — and translated into the working languages of your community. Schools often pair their privacy notice with the same warm, role-aware tone they use in everyday parent updates, which makes the document feel like an invitation to ask questions instead of a warning. That cultural choice often does more for compliance than another technical control.
GDPR rewards schools that treat compliance as part of operations rather than a paperwork ritual. Anchor it in your school management system, document decisions as you make them, and the next inspection becomes a conversation rather than a scramble.