Back

Data Privacy and Security

Demonstrate your company’s commitment to protecting learner and institutional data by implementing transparent, robust, and continuously evolving data privacy and security practices.

Why: Education involves the processing of highly sensitive personal and institutional information—ranging from student identities and learning histories to teaching practices and organisational processes. Mishandling such data can swiftly erode trust and compromise educational autonomy. Upholding the principles of the General Data Protection Regulation (GDPR) and core European values—such as dignity, freedom, and transparency—is not merely a legal obligation, but an ethical imperative.

Data privacy is not a static goal, but a living responsibility. True data stewardship requires EdTech providers to embed protection not only in technical infrastructure, but across their organisation’s culture and workflows. This includes how employees access and process data, how rights and roles are assigned, and how institutions are informed and empowered. Clear communication with end users about data collection, usage, and rights fosters transparency and reinforces trust between technology providers and the educational community. By proactively addressing data privacy and security, EdTech companies safeguard the public good and support the long-term autonomy of education systems.

Maturity levels – Commitments to Data Privacy and Security

  1. Level Zero - Commitment to Legal Foundations: You commit to fulfilling all legal obligations regarding data protection, as outlined in the General Data Protection Regulation (GDPR) and other relevant frameworks. At this stage, your primary focus is on ensuring that data is processed lawfully and fairly. While your current procedures may still be developing, you are taking the necessary steps to put in place formal privacy policies, define your legal basis for data collection, and ensure that basic security measures—such as password protection and secure storage—are applied consistently. You acknowledge that compliance is the starting point, not the end goal.

  2. Junior Level - Commitment to Transparency and Responsibility: You commit to increasing transparency towards users and applying responsible internal data management practices. You provide clear information about which data is collected, the purpose of its use, and who has access to it. This information is written in understandable language and made available before any data processing begins. Internally, you introduce role-based access to personal data, supported by documented policies and procedures. Basic encryption is applied, and staff involved in handling data receive initial training on data protection responsibilities.

  3. Medior Level - Commitment to Embedded Practice and User Empowerment: You commit to embedding data protection principles into the core of our operations and digital products. You implement privacy-by-default in your systems and workflows. You conduct and review Data Protection Impact Assessments (DPIAs) where appropriate, particularly for sensitive features or new processing activities. Your team members are trained on a regular basis, and you maintain internal documentation to demonstrate compliance. You manage access using detailed role descriptions, maintain audit trails, and uphold the rights of users—such as access, rectification, and erasure—with timeliness and clarity.

  4. Senior level - Commitment to Privacy by Design and Organisational Culture: You commit to promoting a culture of data ethics and full accountability in all areas of your work. Privacy is fully integrated into product design, staff conduct, and governance structures. You make your privacy documentation accessible and meaningful to all stakeholders, including publishing summaries of DPIAs and audit outcomes. You regularly engage with third-party auditors and institutional partners to validate and improve your practices. Access rights are defined, managed, and reviewed across teams. Privacy awareness is part of your organisational mindset, and your users are equipped to understand and exercise their data rights confidently.

Good examples

  • Platforms that clearly communicate data purposes and legal bases prior to account creation, offering opt-in choices for analytics and non-essential processing.

  • EdTech companies conduct regular, independent data privacy audits and publishing outcomes in accessible formats.

  • Organisations that include data protection training as part of onboarding and offer continuous learning opportunities for staff.

Bad examples

  • "Free" educational apps that monetise student behaviour by selling usage data to third parties, without informed consent.

  • Services requiring the upload of sensitive personal information without encryption, access control, or stated purpose.

  • Companies with a single administrator account used by all employees, lacking role-based access or audit trails.

  • Emailing user data based on vaguely formulated requests by (supposed) customer.