
7 things schools need to know about Consent to be GDPR-compliant

Under the GDPR, there are six lawful bases for processing data, one of which is consent – schools must be able to justify their processing with at least one of these bases. This guidance outlines the key information schools need to know to ensure their consent procedures are compliant with the GDPR.

7 things schools need to know about consent

1. Consent isn’t always needed

It is often assumed that you must always have consent to be able to process personal data – this is not true. Consent is only one of six lawful bases and, in the case of schools, consent is unlikely to be required for the core operations of running the school. Consent is, however, likely to be required for non-core operations, such as marketing.

Consent is the most appropriate lawful basis to use when you want to offer individuals a genuine choice over how you use their data. For example, consent would need to be obtained where the school wishes to use pupils’ photographs in a school magazine – there is no other lawful basis to process this data; therefore, consent must be obtained.

If you cannot offer a genuine choice over how the school uses an individual’s data, then consent is not the appropriate processing basis – this may be the case in the following instances:

  • You would still process the data on a different lawful basis if consent was refused or withdrawn
  • You ask for consent to the processing as a precondition of a service the school offers
  • You are in a position of power over the individual – this predominantly affects public authorities and employers processing employee data

For example, consent would not need to be obtained to process data that the school provides to the DfE as part of the census data collection – this is a legal obligation; therefore, the data can be processed lawfully without consent.

2. Consent must be freely given

Consent that is not freely given is invalid under the GDPR. This means that a data subject must be able to refuse their consent without being penalised and must be able to withdraw their consent at any time.

If an individual withdraws their consent, you need to cease the processing of that subject’s data as soon as possible.

3. Consent must be specific and informed

For consent to be specific and informed, the following must be covered when obtaining consent:

  • The identity of the school and any other third-party data controllers relying on the consent – you don’t need to name your processors in consent requests
  • All purposes for which you are seeking consent – where possible, these should be granular
  • The exact processing activities that are being consented to – where possible, you should provide granular consent options for each separate processing type
  • The individual’s right to withdraw their consent at any time and how to do so

The rules around consent requests are separate to your transparency obligations under the ‘right to be informed’ – this should be covered by privacy notices.

Any requests for consent must be written in easy-to-understand, age-appropriate language. Requests that use vague, sweeping or difficult-to-understand language will be invalid, so make sure your requests are clear and concise, and don’t use any double negatives or inconsistent language.

This article is an extract republished with the kind permission of


“Managing parental consent has always been such a headache and now with GDPR it’s worse”

mySchoolApp now offers Parental consent management as an optional module.

Full details of this time-saving GDPR-compliant solution can be found here