Compliance · 10 min read

Protecting prospect student data: an operational GDPR guide for admissions teams

How to collect, store and use prospect data in GDPR compliance. Operational checklist for admissions and marketing teams in higher education.


Skolbot Team · March 12, 2026



Your prospects have rights before they even apply

GDPR compliance does not start at enrolment. It starts at first contact. The moment a prospect shares their email address, name or phone number — via a form, a chatbot, an education fair or an open day — the institution becomes a data controller under UK GDPR and the Data Protection Act 2018 (Source: ICO guidance on controllers and processors, updated 2025).

This matters because admissions and marketing teams process prospect data long before any formal application. And prospect data is often the least protected data in the entire information system: Excel files shared by email, contact lists exported from fairs without documented consent, chatbot conversations stored without a retention policy.

62% of institutions surveyed have no documented procedure for processing prospect data (Source: Skolbot survey of 62 marketing directors across European institutions, December 2025). This operational guide addresses that gap.

For a broader overview of GDPR compliance in higher education, see our complete GDPR guide for student data.

Lawful bases for processing prospect data

UK GDPR requires a lawful basis for every processing activity involving personal data. In the context of student recruitment, three lawful bases are relevant.

Consent (Article 6(1)(a))

Consent is the most commonly used basis — and the most poorly implemented. To be valid, it must be freely given (no mandatory marketing consent to receive a prospectus), specific (one consent per purpose, not a blanket "I agree to everything"), informed (information visible at the point of collection, not buried in a link) and unambiguous (a clear affirmative action, not a pre-ticked box).

Common mistake: collecting emails at a UCAS fair via a tablet with a simple "Leave your email for more info" does not constitute valid GDPR consent.

Legitimate interests (Article 6(1)(f))

Legitimate interests allow processing without consent for uses a prospect would reasonably expect: a follow-up on an abandoned form, supplementary information about the programme they asked about. It does not justify unsolicited communications, sharing data with partners, or behavioural scoring, and each use must be documented in a legitimate interests assessment (LIA). Note that direct marketing by email or SMS is separately governed by PECR, which requires consent (or the soft opt-in for existing customers), so legitimate interests alone cannot support a marketing email.

The ICO has published detailed guidance on legitimate interests that is essential reading for any admissions team relying on this basis.

Performance of pre-contractual measures (Article 6(1)(b))

When a prospect submits a formal application, processing their file is necessary in order to take steps at their request before entering into a contract, which is what Article 6(1)(b) covers. A solid lawful basis, but limited to the formal application phase; it does not reach back to cover earlier marketing contact.

What you collect — and what you should not

The principle of data minimisation

UK GDPR requires that only data strictly necessary for the stated purpose is collected. In practice, every form field must be justifiable.

Data necessary for an information request: first name, surname, email, programme of interest. Four fields suffice.

Questionable data: date of birth (why do you need this before an application?), postal address (are you really sending printed prospectuses?), phone number (will you actually call?).

Problematic data: nationality (unless relevant for international admissions requirements), family situation, parental income. These are sometimes collected "just in case" but represent a GDPR risk without documented justification.

Each additional form field reduces the completion rate by 5-8% (Source: Skolbot analysis of 45 institution contact forms, 2025). Data minimisation is not just a legal obligation — it is a conversion lever. Our article on school website conversion benchmarks confirms this correlation.

Data collected by chatbots

A chatbot collects more data than a form. Prospects spontaneously share sensitive information (disabilities, financial difficulties, health conditions). Three measures are essential: prior notice that the conversation is recorded, automatic purging of sensitive data, and restricted access to conversation histories.

Retention periods: the grey zone

Retention is the weakest point for most institutions. UK GDPR sets no fixed period: the storage limitation principle requires that prospect data is kept no longer than necessary for the purpose, and the ICO expects each institution to define and justify its own periods (Source: ICO retention guidance). In practice, three years after the last active contact is a reasonable ceiling for prospect data. But a ceiling is not a target.

Recommended retention periods by data type

First-contact data (form, chat): 12 months after the last contact if the prospect has not applied. Beyond that, the prospect's plan to study with you has most likely been abandoned.

Incomplete application data: 24 months after the last contact. The prospect may apply in the following cycle.

Rejected application data: 6 months after notification of rejection. Retaining data longer has no operational justification.

Chatbot conversations: 12 months, with automatic anonymisation of sensitive data at 30 days.

Event data (open days, fairs): 12 months after the event if the prospect has not taken further action.
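The retention table above, together with the purge and reactivation steps in the checklist further down, amounts to a small policy engine: for each record, compare its age against the ceiling for its data type, strip sensitive content from chatbot transcripts early, warn prospects shortly before purging, and delete at the ceiling. The following Python is an added example written for this article, not Skolbot's own code. It assumes month lengths rounded to days, a 30-day reactivation window before deletion, and a constructed sample of records; a real deployment would read records from the CRM and write the audit log somewhere tamper-evident.

```python
from dataclasses import dataclass, field
from datetime import date

# Retention ceilings from the table above, in days (months rounded; an assumption).
RETENTION_DAYS = {
    "first_contact": 365,
    "incomplete_application": 730,
    "rejected_application": 183,
    "chatbot_conversation": 365,
    "event": 365,
}
# Record types whose sensitive content is stripped early (chatbot: 30 days).
ANONYMISE_AFTER_DAYS = {"chatbot_conversation": 30}
# Types that get a reactivation message before purging, and how early (assumed).
REACTIVATION_TYPES = {"first_contact", "incomplete_application", "event"}
REACTIVATION_WINDOW_DAYS = 30
# Keys a prospect may volunteer in a chat that must not be retained long.
SENSITIVE_FIELDS = {"disability", "health", "financial_situation", "family_situation"}


@dataclass
class ProspectRecord:
    record_id: str
    record_type: str
    last_contact: date
    email: str
    applied: bool = False                       # a formal application now exists
    sensitive: dict = field(default_factory=dict)
    anonymised: bool = False


def _needs_anonymising(record: ProspectRecord, today: date) -> bool:
    threshold = ANONYMISE_AFTER_DAYS.get(record.record_type)
    if threshold is None or record.anonymised:
        return False
    if not any(k in SENSITIVE_FIELDS for k in record.sensitive):
        return False
    return (today - record.last_contact).days >= threshold


def decide(record: ProspectRecord, today: date) -> str:
    """Return one of keep / anonymise / reactivate / delete for a single record."""
    if record.record_type not in RETENTION_DAYS:
        raise ValueError(f"no retention rule for {record.record_type!r}")
    # Once a formal application exists, pre-application records are held under
    # the application's own basis (Art 6(1)(b)) rather than purged as prospect
    # data; sensitive chat content is still stripped on schedule.
    if record.applied and record.record_type != "rejected_application":
        return "anonymise" if _needs_anonymising(record, today) else "keep"
    age = (today - record.last_contact).days
    limit = RETENTION_DAYS[record.record_type]
    if age >= limit:
        return "delete"
    if record.record_type in REACTIVATION_TYPES and age >= limit - REACTIVATION_WINDOW_DAYS:
        return "reactivate"
    if _needs_anonymising(record, today):
        return "anonymise"
    return "keep"


def run_retention(records: list, today: date) -> list:
    """Apply decisions in place and return an audit log of (id, type, action)."""
    audit, kept = [], []
    for r in records:
        action = decide(r, today)
        if action == "anonymise":
            # Keep the record, drop only the sensitive keys, and mark it done.
            r.sensitive = {k: v for k, v in r.sensitive.items() if k not in SENSITIVE_FIELDS}
            r.anonymised = True
            kept.append(r)
        elif action != "delete":
            kept.append(r)   # "keep" and "reactivate" both leave the record in place
        audit.append((r.record_id, r.record_type, action))
    records[:] = kept        # deleted records are not carried forward
    return audit


def sample_records() -> list:
    """Constructed sample data for the example; not real prospects."""
    return [
        ProspectRecord("p1", "first_contact", date(2026, 1, 5), "a@example.org"),
        ProspectRecord("p2", "first_contact", date(2025, 3, 1), "b@example.org"),
        ProspectRecord("p3", "event", date(2025, 4, 1), "c@example.org"),
        ProspectRecord("p4", "incomplete_application", date(2025, 1, 15), "d@example.org"),
        ProspectRecord("c1", "chatbot_conversation", date(2026, 2, 1), "e@example.org",
                       sensitive={"disability": "dyslexia", "programme": "MSc"}),
        ProspectRecord("r1", "rejected_application", date(2025, 9, 1), "f@example.org"),
        ProspectRecord("a1", "chatbot_conversation", date(2025, 1, 1), "g@example.org", applied=True),
    ]


if __name__ == "__main__":
    recs = sample_records()
    for line in run_retention(recs, date(2026, 3, 12)):
        print(line)
```

Run against the sample on 12 March 2026, the engine keeps p1 and p4, sends p3 a reactivation message (it is inside the final 30 days of its 12-month window), strips the disability field from c1 while keeping the programme, and deletes p2 and r1. The audit list is the only trace of deleted records, which is the point: you can prove the purge ran without retaining what it purged.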

The "keep everything" trap

47% of institutions retain prospect data indefinitely (Source: Skolbot survey, December 2025). This creates a double risk: regulatory (ICO fines of up to GBP 17.5 million or 4% of annual worldwide turnover, whichever is higher, under UK GDPR) and operational (degraded email deliverability, skewed metrics, and a larger attack surface, since every stale record is one more to lose in a breach).

Prospect rights: what your team must be able to answer

UK GDPR confers eight rights on data subjects. In practice, four are regularly exercised by student prospects.

Right of access (Art. 15): the prospect can request a copy of the data you hold about them, together with the purposes, recipients and retention period. Response is required within one month of receipt, extendable by a further two months for complex or numerous requests provided the prospect is told of the extension within the first month. Meeting that deadline means knowing in advance where data is stored (CRM, chatbot, files, emails).

Right to rectification (Art. 16): correction of inaccurate data, propagated across all systems.

Right to erasure (Art. 17): deletion of all data. It applies in particular when the prospect withdraws consent and no other lawful basis remains, or when the data is no longer necessary for the purpose it was collected for. Deletion must be effective across all systems: CRM, email platform, chatbot, shared files. For a detailed walkthrough of implementing this in practice, see our guide on handling erasure requests for prospective students.

Right to object (Art. 21): objection to direct marketing is absolute and requires no justification. A prospect who says "stop emailing me" must be unsubscribed immediately.
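The one-month deadline is easy to get wrong because "one month" is a calendar month, not 30 days. The ICO's method counts from the day the request is received to the corresponding calendar date in the following month; if that month is shorter and has no such date, the deadline is the last day of the month, and if the deadline falls on a weekend or bank holiday you have until the next working day. The extension adds two further months from the same start date. The following Python is an added example written for this article, not Skolbot's code; its bank-holiday set is a constructed placeholder for the published England and Wales list.

```python
import calendar
from datetime import date, timedelta

# Constructed holiday set for the example (Good Friday, Easter Monday and the
# early May bank holiday for 2026); load the official list in production.
BANK_HOLIDAYS = {date(2026, 4, 3), date(2026, 4, 6), date(2026, 5, 4)}


def add_months(d: date, months: int) -> date:
    """Same calendar day N months on, or the last day of that month if shorter."""
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def next_working_day(d: date, holidays=BANK_HOLIDAYS) -> date:
    """Roll forward over Saturdays, Sundays and bank holidays."""
    while d.weekday() >= 5 or d in holidays:
        d += timedelta(days=1)
    return d


def response_deadline(received: date, extended: bool = False,
                      holidays=BANK_HOLIDAYS) -> date:
    """Deadline for an Art. 15/16/17/21 request under the ICO's counting method.

    One month from receipt; three months in total if the extension is invoked
    (the requester must be told about the extension within the first month).
    """
    months = 3 if extended else 1
    return next_working_day(add_months(received, months), holidays)


def days_remaining(received: date, today: date, extended: bool = False) -> int:
    """Working-tracker helper: negative means the deadline has been missed."""
    return (response_deadline(received, extended) - today).days


if __name__ == "__main__":
    for received in (date(2026, 1, 31), date(2026, 3, 3)):
        print(received, "->", response_deadline(received),
              "(extended:", response_deadline(received, extended=True), ")")
```

Two cases worth noticing: a request received on 31 January 2026 is due on 28 February, which is a Saturday, so the deadline rolls to Monday 2 March; and a request received on 3 March 2026 lands on Good Friday and rolls across Easter Monday to Tuesday 7 April. A tracker that simply adds 30 days would report both as late or early by several days.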

The case of minors

Across the UK, the age at which a child can consent to online services on their own behalf is 13 (Source: Data Protection Act 2018, section 9, which sets the UK GDPR Article 8 age). Scottish law additionally presumes that a child aged 12 or over has the capacity to exercise their own data protection rights, such as making an access request (Age of Legal Capacity (Scotland) Act 1991). For pre-university outreach programmes and social media campaigns that target under-13s, parental consent is required. Include an age check in your forms, collecting only what establishes age (a school year or age band rather than a full date of birth, in keeping with minimisation), and route under-13s to a ready parental consent pathway.

Operational checklist for admissions teams

Data collection

  • Every form displays the required information (identity of controller, purpose, retention period, rights)
  • Consent checkboxes are not pre-ticked
  • Consents are granular (one per purpose)
  • The chatbot identifies itself as AI and informs users that conversations are recorded
  • Fair and open day forms include data protection notices
  • Only necessary data is collected (minimisation principle)

Storage and access

  • Prospect data is stored in a CRM with role-based access control
  • No Excel files containing personal data are shared by email
  • Data access is logged
  • Sensitive data (disability, family situation) is isolated with restricted access
  • CRM accounts use strong, unique passwords and MFA is enforced for every user, in line with ICO security guidance

Retention and purging

  • A retention policy is documented and enforced
  • Automatic purging is configured in the CRM
  • Prospects with no interaction for 12 months are purged or enter a reactivation sequence before deletion
  • Rejected application data is deleted at 6 months

Exercising rights

  • A process for handling access, rectification and erasure requests is documented
  • The admissions team knows who to contact internally to process a request
  • The one-month response deadline (calendar month, not 30 days) is tracked and met
  • Marketing unsubscribes are processed immediately

The five most common GDPR mistakes in admissions

Mistake 1: the fair spreadsheet. Collecting 200 emails at a UCAS fair, emailing the file to yourself, then importing into the CRM without documented consent. Triple infringement.

Mistake 2: opt-in by default. Pre-ticked "I agree to receive communications" checkbox. Invalid consent.

Mistake 3: infinite retention. Prospect data from 2019 still in the CRM. Infringement plus metrics skewed by dead contacts.

Mistake 4: late response. An erasure request circulating between three departments for three weeks, with nobody owning the clock. One-month deadline breached.

Mistake 5: the chatbot without notice. The chatbot collects name, email, programme of interest without informing the user about processing. Breach of the transparency principle.

The trust dividend: beyond compliance

73% of 18-24 year olds say that data protection influences their choice of institution (Source: Harris Interactive survey for CNIL, 2025 — cross-referenced with UK-specific findings from the Student Digital Experience Insights survey by Jisc). GDPR compliance is not just a legal obligation — it is a professionalism signal that directly influences recruitment.

FAQ

Is consent obtained at a fair valid?

Only if it is documented, specific and informed. A badge scan or a signature on a tablet without information about the purposes of processing does not constitute valid GDPR consent. Prepare a paper or digital form with the required notices, and retain proof of consent.

Can you send a follow-up email without marketing consent?

Yes, in certain cases, on the basis of legitimate interests. If a prospect started an application without completing it, a follow-up email related to that specific process is justifiable. However, a newsletter or promotion of a different programme requires explicit consent.

What should you do in the event of a prospect data breach?

Notify the ICO within 72 hours if the breach presents a risk to individuals. Inform affected prospects if the risk is high. Document the incident (nature, data concerned, measures taken). The procedure must be known to all staff with access to personal data.

Is a subprocessor (CRM, chatbot provider) liable in case of a breach?

The institution remains the data controller and accountable to the ICO and to prospects. Processors have their own direct obligations under UK GDPR (security, breach notification to the controller, no onward sub-processing without authorisation) and can be fined or sued for breaching them, but that does not transfer the controller's responsibility. A data processing agreement (Article 28 of UK GDPR) must be signed with each provider, specifying security measures and incident notification procedures.

How do you train teams without a dedicated DPO?

Schedule a two-hour awareness session per year, focused on practical scenarios (fair collection, forms, follow-ups). Designate a data protection lead as the point of contact. The ICO provides free guidance, toolkits and e-learning modules specifically designed for smaller organisations.

Does our school website also need to be accessible to disabled users?

Yes. For UK institutions the obligations come from the Equality Act 2010 (reasonable adjustments for disabled users) and, for public sector bodies, which include most universities, the Public Sector Bodies (Websites and Mobile Applications) (No. 2) Accessibility Regulations 2018, which in practice means meeting WCAG 2.1 AA. Providers that also operate in the EU have been subject to the European Accessibility Act since 28 June 2025. Our guide on digital accessibility for school websites covers WCAG obligations, sanctions, and a 10-point priority checklist.

How do we handle cookie consent and web forms under UK GDPR?

Cookie banners, analytics consent, advertising pixels, and compliant open day registration forms have their own set of rules. Our cookie consent and forms GDPR guide for schools covers each scenario in detail.

How can we formalise our institution's GDPR compliance end to end?

Use our GDPR audit checklist for schools: it covers governance, consent, security, subprocessors and AI Act obligations. It is the structured framework to turn this operational checklist into a complete, audited compliance programme.
