EdTech Supplier Data Security: Your Questions Answered
Schools use dozens of EdTech tools — and every one that handles pupil data is a potential supply chain risk. The MOVEit breach (2023), Pearson breach (2018), and Capita breach (2023) have demonstrated that EdTech supply chain failures can expose pupil data even when the school's own systems are secure. This FAQ answers the questions school DPOs, IT leads, and business managers ask most frequently about managing EdTech supplier data security.
UK schools use an average of 50+ EdTech tools — each processing pupil data creates a supply chain risk that schools remain legally responsible for under UK GDPR.
The EdTech Supply Chain Risk Landscape
Schools are data controllers for pupil data they share with EdTech vendors. Under UK GDPR Article 28, schools must only work with processors that provide "sufficient guarantees" of appropriate security. In practice, this means:
- A DPA (data processing agreement) must be in place before any personal data is shared
- The school must conduct meaningful due diligence on the vendor's security practices
- The school cannot simply accept the vendor's standard terms without review
- Free tools are not exempt — if they process personal data, full obligations apply

Many schools discover during a security review that they have dozens of active EdTech vendor relationships without adequate DPAs.
What Security Certifications to Ask Vendors For
When assessing EdTech vendors, ask for evidence of these certifications:
- **Cyber Essentials or Cyber Essentials Plus**: the UK government's baseline — a minimum expectation for UK-based vendors
- **ISO 27001**: international information security management standard — provides strong assurance for larger vendors
- **SOC 2 Type II**: common for US-based EdTech vendors — independent audit of security controls
- **IASME Governance**: useful for smaller UK EdTech vendors — combines GDPR and security assessment

Certifications alone are not sufficient — they must be current and cover the systems processing school data. Ask for the certificate scope to verify it covers the relevant services.
What a DPA Must Contain
Under UK GDPR Article 28, every DPA with an EdTech vendor must include:
- Processing only on the school's documented instructions
- Confidentiality obligations for everyone with access to school data
- Appropriate technical and organisational security measures
- Sub-processor management (vendor must inform school before using sub-processors)
- Assistance with data subject rights requests
- Deletion or return of data at the end of the contract
- Audit rights for the school
- Notification of any data breach (ideally within 24 hours to allow the school to meet the 72-hour ICO window)
Frequently Asked Questions
Do we need a DPA with every EdTech vendor including free tools?
Yes, if the free tool processes personal data on behalf of the school. Many free EdTech tools are supported by advertising or data monetisation that may not be compatible with UK GDPR. Schools must review the terms of any free tool that accesses pupil data to determine whether a DPA is available and whether the tool's data practices are lawful. If a vendor cannot provide a DPA, the school should not use that tool for processing personal data.
What should we do when an EdTech vendor notifies us of a breach?
Act immediately. Assess what data of yours the vendor held and whether it was in scope of the breach. If personal data of pupils, staff, or parents was involved, assess whether the breach is likely to result in risk to individuals — if yes, notify the ICO within 72 hours (from when you became aware). Notify affected individuals where the risk is high. Review the DPA for the vendor's breach notification obligations and any liability provisions. Document all decisions.
Can we use a vendor based outside the UK?
Yes, but with additional safeguards. Transferring personal data to a country outside the UK and EEA requires either: adequacy regulations (the UK government has recognised certain countries as providing adequate protection); standard contractual clauses (UK SCCs or the ICO's International Data Transfer Agreement); or binding corporate rules. For US-based EdTech vendors, the UK-US Data Bridge (if the vendor is certified) provides a transfer mechanism. Always check the legal basis for the transfer before using a non-UK vendor.
How should we assess a new EdTech tool before letting teachers use it?
Before approving any new EdTech tool that will access pupil data: check whether it processes personal data; ask the vendor for their privacy policy, DPA, and security certifications; review where data is stored; assess whether the vendor's data practices are compatible with UK GDPR; obtain a signed DPA; add the tool to the school's ROPA (record of processing activities); and brief the relevant teachers on appropriate use. This process should be documented so the school can demonstrate due diligence if the ICO ever investigates.