[Illustration: data servers with GDPR shield and cloud flows – prospect data hosting compliance outside the EU]

Compliance · 11 min read

Prospect Data Outside the EU: Which Tools Are Compliant in 2026?

Google Workspace, Meta Ads and OpenAI transfer your school's prospect data to US servers. Find out which tools are UK GDPR-compliant in 2026 and what to do.

Skolbot Team · 26 June 2026


Table of contents

  1. What data leaves the UK when you use these tools
  2. UK GDPR rules on international transfers
  3. Google Workspace, Meta Ads, OpenAI — compliance scorecard 2026
  4. What your school needs to do now

Most UK private schools use Google Workspace, Meta Ads, and OpenAI without questioning where prospect data goes. The answer, in every case, is the United States — and the compliance question is not whether a transfer occurs, but whether you have documented the lawful mechanism for it. This article sets out the 2026 position for each major tool, based on current UK-US Data Bridge certification status and ICO guidance.

This article is for informational purposes only and does not constitute legal advice. For specific guidance on your institution's data transfers, consult your Data Protection Officer (DPO) or a specialist solicitor.

What data leaves the UK when you use these tools

Three categories of data flow to US servers the moment your school uses any mainstream marketing or productivity tool.

Prospect contact data — names, email addresses, phone numbers, and course enquiry details — is the most obvious. When a prospective student fills in a Facebook Lead Ad, Meta processes that submission on US infrastructure. When your admissions team records a conversation in Google Workspace, that data passes through Google's systems. The second category is behavioural data: the Meta pixel tracks every page visit and form interaction on your website and routes that signal data to Meta's US data centres for audience modelling. The third is conversational data: if your school uses OpenAI's API to power a chatbot or document-drafting tool, the text of each interaction — which may include a prospect's personal statement, circumstances, or financial questions — is transmitted to OpenAI's infrastructure.

The scale of this exposure is larger than most institutions realise. 58% of prospects engaging with schools are non-native speakers (Source: Automatic language detection across 8,500 Skolbot conversations, 2025–2026), meaning the majority of multilingual interactions flow through processing tools operated by US-based providers. A single open-day campaign can therefore result in hundreds of prospect records leaving the UK before a single human has reviewed them.

UK GDPR rules on international transfers

Under UK GDPR — the post-Brexit framework set out in the Data Protection Act 2018 — transferring personal data to a country outside the UK is lawful only where one of the Article 46 mechanisms is in place.

The UK has issued its own adequacy decisions, independent of the EU's. The most important for US-based vendors is the UK-US Data Bridge, which came into force in October 2023 and is the UK equivalent of the EU-US Data Privacy Framework (DPF). Under the Data Bridge, UK personal data may flow to certified US organisations without additional safeguards — but only if the receiving organisation has self-certified under the scheme and your transfer is within the scope of that certification. The ICO's guidance on international transfers sets out the UK-US Data Bridge certification requirements in full.

Where a US vendor is not Data Bridge-certified, the alternative mechanism is the UK International Data Transfer Agreement (IDTA) — the UK-specific replacement for the EU's Standard Contractual Clauses — or the UK Addendum to the EU SCCs. Either mechanism must be accompanied by a Transfer Risk Assessment (TRA), which is the UK equivalent of the EU's Transfer Impact Assessment (TIA). The TRA documents whether US surveillance law undermines the contractual protections in practice. The EDPB's guidance on international transfers provides a useful parallel reference, particularly for schools also processing EU data subjects' data (such as EU national prospects). Absent a valid mechanism and documented TRA, a transfer to the US is unlawful under UK GDPR Article 44.

Google Workspace, Meta Ads, OpenAI — compliance scorecard 2026

The three tools used by virtually every UK private school each have a different compliance profile. The table below summarises the current position.

Vendor | Transfer mechanism | Data residency option | DPA available | Risk level
Google Workspace for Education | UK-US Data Bridge + SCCs | EU/UK data processing region configurable | Yes — Google's Data Processing Addendum | Low (when region configured)
Meta Ads (pixel + Lead Ads) | UK-US Data Bridge certified | No EU/UK residency option for ad data | Yes — Meta's Data Processing Terms | Medium (AI training controversy)
OpenAI (API) | UK-US Data Bridge certified | Data Residency for Europe available | Yes — OpenAI Data Processing Addendum | Low (with enterprise controls)

Google Workspace for Education is the most straightforward case. Google is certified under the UK-US Data Bridge, offers a compliant Data Processing Addendum, and — critically — allows administrators to configure a data processing region that restricts data at rest to the EU or UK. Without configuring this region setting, data may be processed across Google's global infrastructure. Institutions that have signed the addendum and configured the EU/UK region are in a defensible compliance position. Check your Admin Console under Data regions to confirm the setting is active; it is not enabled by default.

Meta Ads is more complicated. Meta is certified under the UK-US Data Bridge for the data it processes as a controller, and its Business Tools Data Processing Terms provide a framework for its role as a processor of data collected via the pixel. However, the pixel operates by design as a broad behavioural tracking tool, and data collected via Lead Ads is processed on US infrastructure with no residency option. Meta's use of UK users' data to train AI models has been the subject of ongoing ICO scrutiny in 2025–2026. Schools should ensure that: (1) Meta's Data Processing Terms are accepted in Business Manager; (2) the pixel is loaded only after explicit cookie consent has been obtained; and (3) the privacy notice discloses Meta as a third-party processor with a link to Meta's Data Policy.
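The consent gate in point (2) above, as an added example that is not Skolbot's or Meta's code: it reads the consent cookie written by the school's own banner (assumed here to be named school_consent and to hold JSON with a boolean marketing field; PIXEL_ID is a placeholder), treats anything other than an explicit opt-in as "no consent", and only then injects the pixel script.

```javascript
// Added example (not Skolbot's or Meta's code): load the Meta pixel only after
// explicit marketing consent. Assumes the cookie banner stores the choice as
// JSON in a cookie named "school_consent" with a boolean "marketing" field.
const PIXEL_ID = 'PIXEL_ID_PLACEHOLDER'; // placeholder, not a real pixel ID
const CONSENT_COOKIE = 'school_consent';
const PIXEL_SRC = 'https://connect.facebook.net/en_US/fbevents.js';

// Parse a document.cookie string ("a=1; b=2") into a name -> value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    const name = part.slice(0, idx).trim();
    if (idx < 0 || !name) continue;
    const value = part.slice(idx + 1).trim();
    try { out[name] = decodeURIComponent(value); } catch { out[name] = value; }
  }
  return out;
}

// True only for an explicit opt-in: a missing cookie, unparseable JSON or a
// non-boolean value all count as "no consent", so the gate fails closed.
function hasMarketingConsent(cookieString) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (raw === undefined) return false;
  try {
    const choice = JSON.parse(raw);
    return choice !== null && typeof choice === 'object' && choice.marketing === true;
  } catch {
    return false;
  }
}

// The script is injected through a callback so the gate is testable without a
// DOM. Returns true if the pixel was loaded, false if it was withheld.
function loadPixelIfConsented(cookieString, inject) {
  if (!hasMarketingConsent(cookieString)) return false;
  inject(PIXEL_SRC, PIXEL_ID);
  return true;
}

// Browser wiring: append the <script> element only when the gate allows it;
// Meta's fbq('init', PIXEL_ID) call belongs inside this callback as well.
if (typeof document !== 'undefined') {
  loadPixelIfConsented(document.cookie, (src) => {
    const s = document.createElement('script');
    s.src = src;
    document.head.appendChild(s);
  });
}
```

Run the same gate on the server-side form handler for Lead Ads data if the school mirrors submissions into its own systems; consent recorded client-side is the only signal the browser has, so the cookie must be set only after an affirmative click.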

OpenAI has made the most significant compliance improvements for enterprise customers in the past 18 months. The API operates under a Zero Data Retention policy by default, meaning conversation data is not used to train models and is not retained beyond the immediate processing window. OpenAI offers a Data Residency for Europe option that restricts data at rest to European infrastructure, and the company is certified under the UK-US Data Bridge. For schools accessing OpenAI through the API with a signed Data Processing Addendum and the Europe residency option enabled, the compliance position is strong. Schools using the consumer ChatGPT product rather than the API do not benefit from these enterprise controls and should not use it for processing prospect data.

For a broader framework on vendor selection criteria, see our guide to GDPR-compliant chatbot vendors for schools.

What your school needs to do now

Five steps cover the majority of compliance exposure for a typical UK private school using these tools.

Step 1: Audit your tools against the UK-US Data Bridge register. The Department for Science, Innovation and Technology (DSIT) maintains a list of organisations participating in the UK-US Data Bridge. For every US-based tool your school uses that processes prospect personal data, check whether the vendor is certified and whether your specific data type falls within the scope of their certification. Tools not on the register need an alternative mechanism (IDTA or UK Addendum to EU SCCs).

Step 2: Confirm or establish a Data Processing Agreement with each vendor. Under UK GDPR Article 28, a signed DPA is mandatory before any processor handles personal data on your behalf. For Google Workspace, accept the Data Processing Addendum in your Admin Console. For Meta, accept the Business Tools Data Processing Terms in Business Manager. For OpenAI API, sign the Data Processing Addendum available in your account settings. Archive a copy of each signed agreement in your compliance records. Our guide on prospect data retention periods covers what else belongs in those records.

Step 3: Configure EU/UK data residency where available. For Google Workspace, set the data processing region to the European Union or United Kingdom in the Admin Console. For OpenAI API, enable the Data Residency for Europe option in your organisation settings. Neither setting is active by default. Document the date you made each configuration change.

Step 4: Update your privacy notice. Your public-facing privacy notice must disclose each international transfer: the identity of the recipient, the country to which data is transferred, and the safeguard in place (e.g., "Google LLC, United States — UK-US Data Bridge"). The ICO's accountability framework requires this disclosure to be specific, not generic. A sentence stating "we may share data with third parties in countries outside the UK" does not meet the standard. For detailed guidance on the full data protection framework, see our UK GDPR guide for schools.

Step 5: Document transfers in your Record of Processing Activities (ROPA). Your ROPA must include, for each processing activity involving an international transfer: the categories of data transferred, the recipient and country, the legal basis, and the transfer mechanism. The ICO can request your ROPA as part of an investigation or audit. Documenting each transfer at the time you establish the mechanism is significantly less burdensome than reconstructing the history after a complaint.

FAQ

Does UK GDPR apply to EU citizens studying in the UK?

UK GDPR applies based on where your institution is established, not the nationality of the data subject. If your school is established in the UK and processes data in the context of that establishment, UK GDPR applies — regardless of whether the prospect is a UK national, an EU citizen, or an international student. If your school also operates in an EU member state, or actively targets EU residents with marketing, EU GDPR may apply in parallel, meaning you may need to satisfy both frameworks simultaneously.

Is the UK-US Data Bridge stable enough to rely on in 2026?

The Data Bridge has been in force since October 2023 and has not faced the same legal challenge trajectory as the EU-US frameworks that were invalidated in Schrems I and Schrems II. However, the ICO and DSIT conduct periodic reviews of the arrangement. Prudent practice is to treat the Data Bridge as the primary mechanism but to ensure your DPAs also incorporate the UK IDTA as a fallback clause. This "belt and braces" approach means that if the Data Bridge were suspended or challenged, the IDTA continues to provide a lawful mechanism without requiring contract renegotiation.

What is a Transfer Risk Assessment and does my school need one?

A Transfer Risk Assessment (TRA) is the UK equivalent of the EU's Transfer Impact Assessment. It documents whether the laws and practices of the recipient country (in this context, the United States) undermine the protections in the transfer mechanism. The ICO does not require a TRA when relying solely on the UK-US Data Bridge — the government's adequacy assessment is deemed to have conducted this analysis. A TRA is recommended (and arguably required under the accountability principle) when relying on the IDTA or UK Addendum to EU SCCs. For most schools relying on the Data Bridge for Google, Meta, and OpenAI transfers, a TRA is not mandatory, but documenting your reasoning in the ROPA is good practice.

Can we use the EU Standard Contractual Clauses for UK data transfers?

Not directly. The EU SCCs were issued by the European Commission under EU GDPR and are not valid instruments under UK GDPR. For UK data transfers, the correct instruments are the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs (which layers UK-specific requirements on top of the EU SCCs). Many US vendors have signed the EU SCCs but not yet incorporated the UK Addendum. Review each vendor's DPA carefully — a contract that references only the EU SCCs is not a compliant mechanism for UK personal data.

Do we need to notify the ICO before transferring data to the US?

No prior notification to the ICO is required before making an international transfer, provided a lawful mechanism is in place. The obligation is one of documentation and accountability, not prior authorisation. However, if your institution suffers a personal data breach involving data transferred to the US, the ICO will expect to see evidence that the transfer was lawful and that the transfer mechanism was properly implemented. The notification obligation under UK GDPR Article 33 (72 hours for breach reporting) is not affected by the international dimension of the transfer.


The compliance position for Google Workspace, Meta Ads, and OpenAI is manageable in 2026 — but only with the paperwork in place. The most common failure mode for UK private schools is not using non-compliant tools; it is using broadly compliant tools without the DPAs, residency configurations, and ROPA entries that make those tools defensible. Five hours of compliance administration per vendor is a small overhead against the cost of an ICO investigation.


© 2026 Skolbot