Every time a school adopts a new system that processes pupil data — a new learning platform, a new management system, a new way of using data — it takes on new privacy risk. A Data Protection Impact Assessment (DPIA) is the tool that identifies and manages that risk before it materialises. This article explains what a DPIA is, when schools must complete one, and how to carry one out well.
Quick summary
- A DPIA is a structured assessment of the privacy risks of a processing activity, and how to mitigate them.
- Schools must complete a DPIA for processing likely to result in high risk to individuals — often the case with children’s data and new EdTech.
- A DPIA is a core expression of privacy by design.
- Done before launch, it protects pupils and demonstrates accountability.
What is a DPIA?
A DPIA is a process to identify, assess and reduce the data protection risks of a project or system. It documents what data will be processed, why, what could go wrong, and how the school will mitigate those risks. Under UK GDPR, DPIAs are a key part of the accountability and privacy by design principles.
Think of it as a privacy risk assessment carried out before processing begins, so risks are designed out rather than discovered later.
When must a school complete a DPIA?
A DPIA is required where processing is likely to result in a high risk to individuals’ rights and freedoms. The ICO identifies triggers that commonly apply in schools, including:
- Processing children’s data at scale (schools do this by definition).
- Large-scale processing of special category data (health, safeguarding).
- Using new technologies (such as new EdTech or AI tools).
- Systematic monitoring (such as online monitoring or profiling).
Because schools process children’s and sensitive data extensively, DPIAs are a regular and important part of good data governance — particularly when adopting a new platform.
What a DPIA covers
A thorough DPIA typically documents:
- The processing — what data, for what purpose, and how.
- Necessity and proportionality — is the processing justified and minimised?
- The risks — unauthorised access, breaches, inaccurate data, profiling, and their impact on individuals.
- Mitigations — the safeguards that reduce each risk (security, minimisation, access controls, transparency, retention).
- Sign-off and review — who approved it, and when it will be reviewed.
How to carry out a DPIA: a practical process
- Describe the processing — data, purpose, scope and context.
- Consult relevant people, including your DPO and, where appropriate, those affected.
- Assess necessity and proportionality — is there a less intrusive way?
- Identify and rate risks — to pupils’ privacy and rights.
- Identify mitigations — the measures that reduce each risk.
- Record the outcome — including any residual risk and sign-off.
- Review — update the DPIA as the processing or risks change.
DPIAs and EdTech adoption
Adopting a new EdTech platform is a classic DPIA trigger. A good DPIA for EdTech examines how the provider handles data, its security, where data is stored, retention, and data subject rights — connecting directly to Choosing GDPR-Compliant EdTech Platforms and Questions Schools Should Ask Every EdTech Provider. A provider that has already conducted its own DPIA makes the school’s assessment far easier.
Frequently asked questions
What is a DPIA?
A Data Protection Impact Assessment — a structured process to identify and reduce the privacy risks of a processing activity before it begins.
When must a school do a DPIA?
When processing is likely to result in high risk — which commonly includes processing children’s data at scale, special category data, new technologies, and systematic monitoring.
Do we need a DPIA for new EdTech?
Usually yes. Adopting a new platform that processes pupil data is a common DPIA trigger.
Who should be involved in a DPIA?
The project lead, the DPO, and where appropriate those affected or their representatives.
What does a DPIA achieve?
It designs privacy risk out before processing begins, protects pupils, and demonstrates accountability.
Does a provider’s own DPIA help?
Yes. A provider that has conducted and can share its own DPIA makes the school’s assessment more straightforward.
Conclusion
A DPIA is the tool that turns “we should think about privacy” into a documented, decision-ready assessment — carried out before processing begins, so risks are designed out. For schools, which process children’s and sensitive data by nature, DPIAs are a regular and essential part of good data governance, especially when adopting new technology. Done well, they protect pupils and demonstrate the accountability GDPR requires.
How AI Buddy supports schools
A school’s DPIA for a new platform is far easier when the provider has already assessed its own privacy risks. AI Buddy is built by Tutopiya with a documented Data Protection Impact Assessment as part of its governance — identifying risks such as unauthorised access, breaches and profiling, and setting out mitigations including data minimisation, encrypted AWS hosting, pseudonymisation, consent and transparency, retention with anonymisation, and defined data-subject rights. Designed to support schools in strengthening areas evaluated during Ofsted inspections, this makes a school’s own DPIA more straightforward. AI Buddy is not endorsed or certified by Ofsted; it is built to make privacy assessment easier for the schools it serves.
Discover how AI Buddy helps schools strengthen teaching, learning and evidence-informed school improvement. Or start a short consultation with our schools team using the form below.
Sources
- Information Commissioner’s Office, Data protection impact assessments (DPIAs) (ICO)
- Information Commissioner’s Office, UK GDPR guidance and resources (ICO)
- Department for Education, Data protection in schools (GOV.UK)
- Data Protection Act 2018 (legislation.gov.uk)