Data Transfer Outside the EU: A Guide for International Schools

UK GDPR, IDTAs, and adequacy decisions explained for DPOs and IT directors at independent schools and universities with international student populations.

Skolbot Team · April 24, 2026

Every school using a US-hosted SaaS is already transferring personal data internationally

When a prospect submits a contact form that feeds into your Salesforce CRM, that form submission travels to servers in the United States. When a student joins an online induction session on Zoom, their name and email address are processed on infrastructure outside the UK. These are international data transfers — and UK GDPR Chapter V requires a lawful mechanism for every single one.

58% of private school prospects are non-native speakers of the school's language, which means they are disproportionately international students whose data routinely crosses borders through CRM, chatbot, and marketing tools. (Source: Skolbot automatic language detection on 8,500 chatbot conversations, 2025–2026.) For schools recruiting globally, cross-border data flows are not an edge case — they are the default operating condition.

This guide sets out the UK GDPR framework, the tools schools commonly use, and a practical 90-day roadmap for compliance. For the broader context, start with our complete GDPR guide for student data.

What "international data transfer" actually means under UK GDPR

The definition is broader than most school IT teams assume. A transfer occurs whenever personal data is transmitted to, made accessible to, or otherwise processed by a recipient in a country outside the UK. This includes:

  • Cloud storage and SaaS tools — data hosted on US or non-UK servers, even if you access it from a UK office
  • Remote support and maintenance — a vendor's engineer in India accessing your database to troubleshoot an issue
  • Email marketing platforms — subscriber lists held on servers in the US, Singapore, or Australia
  • AI language models — if your chatbot sends conversation data to a US-based AI provider for processing

The key question the ICO asks is not where you are, but where the data goes. If your CRM vendor stores backups in an AWS region outside the UK, that is a transfer.

The post-Brexit picture: UK as a third country

Post-Brexit, the UK is no longer part of the EU's data protection regime. UK GDPR — the retained version of EU GDPR, amended by the Data Protection Act 2018 — now governs UK-based processing. This creates a two-directional complexity for international schools:

  1. UK → outside UK: governed by UK GDPR Chapter V, enforced by the ICO
  2. EU/EEA → UK: the EU granted the UK an adequacy decision (updated Keeling Schedule equivalent). EU institutions sending data to UK schools can rely on this, but it is subject to periodic review.

If your school recruits EU students whose data is collected via a French or Spanish partner campus and then transferred to your UK CRM, both directions are in scope.

UK GDPR Chapter V: the three mechanisms schools use

Adequacy decisions

The UK Secretary of State publishes a list of countries deemed to offer adequate data protection. Data flows to those countries require no additional safeguard. The current list includes all EU/EEA member states, Switzerland, and several others. The United States is not on this list — the EU–US Data Privacy Framework applies between the EU and the US, but the UK has its own separate US data bridge arrangement, which schools must verify is still current with the ICO. The European Commission publishes a parallel list of adequacy decisions under EU GDPR — useful if your school also processes data on behalf of EU partner institutions. The EDPB's SME international data transfers guide provides practical worked examples that translate directly to a school context.

International Data Transfer Agreements (IDTAs)

The IDTA is the UK's replacement for EU Standard Contractual Clauses. Introduced in March 2022 and approved by Parliament, an IDTA is a standalone contract between the UK data exporter (your school) and the data importer (your US vendor). It incorporates the ICO's standard transfer terms and must be executed before data flows begin.

UK Addendum to EU SCCs

If a vendor already has EU Standard Contractual Clauses in place for EU data transfers, a shorter UK Addendum can extend those clauses to cover UK-to-vendor transfers. This is the route most large US SaaS providers have taken, as it avoids maintaining two separate contract documents. Check your vendor's Data Processing Agreement: the phrase "UK Addendum" or "International Data Transfer Addendum" should appear alongside the EU SCC reference.

Common school tools and their transfer mechanisms

Most schools are using four or five of the tools below. The transfer mechanism column reflects the standard contractual position as of early 2026; always verify against the vendor's current DPA.

Tool | Data processed | Server locations | Transfer mechanism
Google Workspace (Education Plus) | Student email, Drive, Meet, Forms | US-primary, EU option | UK Addendum to EU SCCs + Google's EU data boundary commitment
Microsoft 365 (Education) | Outlook, Teams, SharePoint, Forms | US + EU regions configurable | UK Addendum to EU SCCs + Microsoft EU Data Boundary
Zoom | Video sessions, recordings, chat | US-primary | UK Addendum to EU SCCs
Salesforce (Education Cloud) | CRM, prospect and student records | US-primary, EU option | UK Addendum to EU SCCs
HubSpot | CRM, email marketing, chatbot | US-primary | UK Addendum to EU SCCs

Configuring EU or UK data residency does not eliminate the transfer obligation. Even with EU data boundary settings enabled, vendor support staff in the US may access your data for troubleshooting purposes. The IDTA or UK Addendum must still be in place.

For a broader audit of your sub-processors, including those handling student data at scale, the methodology in our GDPR audit checklist for schools covers sub-processor review as points 16 to 18.

Transfer Risk Assessments: when and how

The ICO requires a Transfer Risk Assessment (TRA) whenever you rely on an IDTA or UK Addendum. The TRA is not a bureaucratic formality — it is a substantive analysis of whether the destination country's laws undermine the protections in your transfer agreement.

When a TRA is required

  • Every new vendor relationship involving a transfer to a non-adequate country
  • When a vendor changes its data processing locations
  • When the destination country's laws change materially (e.g., new surveillance legislation)

How to structure a TRA for a school

A proportionate TRA for a standard SaaS tool covers four areas:

  1. Data sensitivity — is this contact form data (low sensitivity) or student health records (high sensitivity)?
  2. Destination country legal framework — does the country have laws that could compel the vendor to disclose data to government authorities? The US CLOUD Act and FISA Section 702 are the most frequently cited concerns.
  3. Contractual and technical safeguards — does the IDTA or UK Addendum provide effective redress? Is data encrypted in transit and at rest? Does the vendor use pseudonymisation?
  4. Residual risk — after applying all safeguards, is the residual risk to data subjects acceptable?

The ICO's international transfers guidance provides a TRA template. For schools, a two-page TRA per major vendor is proportionate and defensible. Large providers such as Google and Microsoft publish their own detailed transfer impact assessments, which you can reference in your TRA rather than duplicating the analysis.

Documenting the TRA

Record the TRA date, the assessor, the conclusion, and any compensating measures. Store it alongside your signed IDTA or UK Addendum in your data protection register. The ICO will ask for these documents if it receives a complaint about an international transfer.

Practical considerations for international student data

International students present a particular compliance profile. Their data is often collected through multilingual chatbots and partner referral networks, processed by marketing automation tools, and shared with visa application services — each step a potential cross-border transfer.

Consent language matters. If a prospective student completes a form in Mandarin or Arabic, the privacy notice must be understandable to them. An English-only privacy notice does not satisfy the UK GDPR transparency obligation for non-English-speaking data subjects.

Partner universities and agents. Many UK independent schools source international applicants through overseas educational agents. Each agent who handles prospect data on the school's behalf is a processor. A Data Processing Agreement is required, and if the agent is based outside the UK — which most are — an IDTA or UK Addendum is also needed.

For more on international student recruitment and the data flows it generates, see our guide to recruiting international students.

90-day compliance roadmap for schools

The following roadmap is designed for a school with an active DPO but no existing international transfer documentation. It assumes a standard set of tools (Google Workspace or Microsoft 365, a CRM, and at least one marketing automation tool).

Days 1–30: Inventory and gap analysis

  • List every system processing personal data: ask each department head to submit their tools within two weeks.
  • For each system, identify: vendor name, vendor HQ country, server locations, existence of a signed DPA, and existence of an IDTA or UK Addendum.
  • Flag every transfer to a non-adequate country with no documentation as a critical gap.

Days 31–60: Remediation — contracts first

  • Contact each flagged vendor and request their current IDTA or UK Addendum documentation. Most large US vendors have a self-service DPA acceptance process.
  • For vendors without standard transfer documentation, negotiate an IDTA directly. Engage your school's solicitors if needed.
  • Conduct a TRA for each transfer — start with the highest-volume processors (CRM, email platform, chatbot).

Days 61–90: Documentation, training, and monitoring

  • Update your Record of Processing Activities (Article 30) to include the transfer mechanism for each international sub-processor.
  • Brief the admissions and marketing teams: any new tool they adopt must go through the DPO before data flows begin.
  • Schedule an annual review of your vendor list and TRAs to catch changes in server locations or applicable law.
  • Update the school's privacy notice to list the categories of countries to which data is transferred and the safeguards in place.

For cookie consent compliance — a related obligation that often surfaces during a data inventory — see our cookie consent and GDPR guide for schools.

FAQ

Is Google Workspace compliant for student data at UK schools?

Google Workspace for Education is compliant when correctly configured and when the appropriate transfer documentation is in place. Google offers a UK Addendum to its EU Standard Contractual Clauses covering transfers from the UK to Google's US infrastructure. Schools should verify they have accepted Google's DPA through the Google Admin console and that the UK Addendum is included. Configuring the EU data boundary reduces — but does not eliminate — the volume of data processed outside the UK.

What is an adequacy decision?

An adequacy decision is a formal determination by the UK Secretary of State (or, for EU purposes, the European Commission) that a third country provides a level of data protection essentially equivalent to UK GDPR. Data flows to adequate countries — such as EU/EEA member states, Switzerland, and New Zealand — require no additional safeguard. The United States is not on the UK's adequacy list; transfers to US-based vendors require an IDTA, a UK Addendum to EU SCCs, or another Chapter V mechanism.

Does Brexit affect how UK schools transfer data to the EU?

Yes, but less dramatically than transfers in the other direction. The EU has granted the UK an adequacy decision, meaning EU institutions, including partner universities and European agents, can send personal data to UK schools without additional safeguards. Similarly, UK schools sending data to EU processors (for example, a European CRM or email marketing tool) benefit from the equivalent position in reverse: the EU/EEA countries are on the UK's adequacy list. The main complexity arises when data flows from the UK to non-EU, non-adequate countries such as the United States.

What are the penalties for non-compliant international data transfers?

Under UK GDPR, the ICO can issue fines of up to £17.5 million or 4% of annual global turnover, whichever is higher, for the most serious infringements. International transfer failures fall into the upper tier. Beyond financial penalties, the ICO can issue enforcement notices requiring a school to suspend data flows to a specific vendor — operationally disruptive if that vendor is a core CRM or email platform. The reputational impact on prospective student trust is a further, less quantifiable cost.


An international school's data transfer obligations are not a one-off exercise — they are a continuous process tied to every new tool the admissions and marketing teams adopt. The 90-day roadmap above establishes the baseline; the annual review cycle keeps it current.

For the full framework on protecting student and prospect data under UK GDPR, return to our GDPR guide for student data.
