Data Protection and AI in Schools: GDPR, FERPA, and the Gulf — A Cross-Jurisdictional Guide
When you introduce AI, data protection becomes operational
Alex Gray
Director, DEEP Education
If there is one topic that makes school leaders' eyes glaze over, it is data protection regulation. I understand why. The language is dense, the acronyms multiply, and the practical implications feel distant from the daily reality of running a school. But here is the thing: when you introduce AI into your school, data protection stops being a compliance formality and becomes a live operational concern. Because AI systems are, at their core, data processing systems. And the data they process is your students' data.
I work across the Middle East, the UK, and internationally. The schools I support operate under at least three different data protection regimes, sometimes simultaneously. Getting this wrong has real consequences: regulatory penalties, reputational damage, and the erosion of trust from the parents who entrust you with their children's information.
This guide maps the major data protection frameworks that affect schools using AI, explains where they converge and diverge, and offers practical steps for schools operating across jurisdictions.
The Three Regimes
UK GDPR (and the Data Protection Act 2018): This is the framework most British curriculum schools default to, whether they are in the UK or not. It provides comprehensive protection for personal data, requires lawful bases for processing, mandates data protection impact assessments for high-risk processing, and gives data subjects (including students and parents) extensive rights over their data. Under UK GDPR, any AI tool that processes student personal data must have a lawful basis, must be transparent about what it does with that data, and must allow data subjects to exercise their rights.
FERPA (the Family Educational Rights and Privacy Act): This is the US framework that applies to schools receiving federal funding and, by extension, informs the data protection practices of many American curriculum international schools. FERPA focuses on educational records rather than personal data broadly. It gives parents rights to access and amend their children's educational records and restricts disclosure of personally identifiable information without consent. FERPA is narrower than GDPR in scope but has specific provisions around educational technology vendors and the "school official" exception that many schools rely on when adopting AI tools.
UAE PDPL (the Personal Data Protection Law): Enacted in 2022 and coming into full enforcement, the UAE's data protection law applies to any organisation processing personal data within the UAE. It shares conceptual DNA with GDPR (lawful bases, data subject rights, data protection officers), but has important differences, particularly around data localisation requirements, cross-border transfer mechanisms, and the role of the UAE Data Office.
Where They Converge
All three frameworks share core principles that every school using AI should embed.
Consent or legitimate interest must underpin data processing. You cannot feed student data into an AI system without a lawful reason. The specifics of what constitutes valid consent differ between frameworks, but the principle is universal: you need a legal basis for processing student data through AI tools.
Transparency is non-negotiable. Students and parents must know when AI is being used, what data it processes, and broadly how it works. This does not mean publishing your AI vendor's source code. It means being honest and clear in your privacy notices, your parent communications, and your student-facing policies about the role AI plays in your school.
Data minimisation applies everywhere. Only process the data you need. If an AI tool asks for access to a student's entire profile when it only needs their assessment scores, that is a data minimisation failure. Schools should review the data access permissions of every AI tool they use and restrict them to the minimum necessary.
Where They Diverge, And Why It Matters
Scope of protection. GDPR protects all personal data. FERPA protects educational records. The UAE PDPL protects personal data processed within the UAE. This means the same AI tool might be subject to different rules depending on which regime applies. An AI assessment tool processing data for a British school in the UK falls under UK GDPR. The same tool used by an American school in the UAE might need to satisfy both FERPA (because of the curriculum) and the UAE PDPL (because of the jurisdiction).
Consent models. GDPR requires freely given, specific, informed consent, and for children's data additional protections apply. FERPA uses a different consent model based on the concept of "legitimate educational interest" and the "school official" exception, which allows schools to share student data with technology vendors without individual parent consent under certain conditions. The UAE PDPL has its own consent requirements that are still being clarified through implementing regulations. Schools operating across jurisdictions need to understand which consent model applies and build their processes accordingly.
Cross-border data transfers. This is where the complexity escalates. GDPR restricts transfers of personal data outside the UK/EEA to countries that provide "adequate" data protection, unless specific safeguards are in place (standard contractual clauses, for example). The UAE PDPL has its own cross-border transfer provisions. FERPA does not have explicit cross-border transfer restrictions, but the requirement to protect student data follows it wherever it goes.
For an international school using AI tools hosted on US servers, this creates a compliance puzzle. You may need standard contractual clauses for GDPR, compliance with UAE data localisation requirements, and assurance that FERPA protections are maintained, all for the same data flowing through the same tool. Most schools are not doing this analysis. They should be.
Data subject rights. Under GDPR, students and parents have the right to access, rectify, erase, and port their data, and the right to object to automated decision-making. Under FERPA, the rights are narrower: access, amendment, and consent to disclosure. Under the UAE PDPL, rights are broadly similar to GDPR but with differences in how they are exercised.
The automated decision-making provisions are particularly relevant for AI. If your school uses an AI system that makes or contributes to decisions about students (placement decisions, risk assessments, intervention recommendations), GDPR gives students and parents the right to challenge those decisions and require human review. This is a powerful protection that many schools are not aware of and even fewer have built processes to accommodate.
Practical Steps for Schools
I know this feels overwhelming. It does not have to be. Here are the concrete steps I recommend to every school I work with.
Map your data flows. Before you can comply with any data protection regime, you need to know where student data goes. For every AI tool your school uses, document what personal data it receives, where that data is stored, who has access to it, and whether it is transferred across borders. This exercise alone will reveal risks you did not know you had.
Identify your applicable regimes. Be honest about which data protection frameworks apply to your school. If you are a British curriculum school in the UAE with EU passport holders in your student body, you may need to consider UK GDPR, the UAE PDPL, and potentially the EU's GDPR. This is not as unusual as it sounds; it is the reality for most international schools.
Conduct data protection impact assessments for high-risk AI. Any AI tool that processes student data at scale, makes decisions about students, or involves sensitive categories of data should be subject to a formal impact assessment. Both UK GDPR and the UAE PDPL require this for high-risk processing. Even if FERPA does not explicitly mandate it, it is good practice.
Review your vendor contracts. Does your AI vendor's contract include data processing terms that satisfy your applicable data protection regimes? Does it specify where data is stored, how long it is retained, what happens when the contract ends, and what rights you have to audit their processing? Most schools sign vendor contracts without scrutinising these terms. In an AI context, they are critical.
Update your privacy notices. Your school's privacy notice should explicitly mention AI processing. Parents should know that AI tools are used, what they do, what data they access, and what rights parents and students have in relation to that processing. Vague language like "we may use technology to support learning" is not sufficient.
Build a review cycle. Data protection compliance is not a one-off exercise. AI tools change. Regulations evolve. Your school's AI usage expands. Review your data protection posture in relation to AI at least annually, and more frequently if you are adopting new tools or operating in jurisdictions with evolving regulatory frameworks.
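As an added illustration of how the data-flow map and regime identification above can be recorded so that the risk flags fall out automatically, the Python below encodes the rules this guide states (curriculum, location and student nationality each pull in a regime; transfers outside the UK/EEA need standard contractual clauses; automated decisions and sensitive data trigger a DPIA and a human-review route). It is not the AI Literacy Audit Tool or the author's code; every school and tool record is constructed, and the only GDPR adequacy treatment modelled is the UK/EEA zone itself.

```python
from dataclasses import dataclass, field
ADEQUATE_FOR_GDPR = {"UK", "EEA"}  # regions treated here as not needing transfer safeguards (assumption)

@dataclass
class School:
    curriculum: str     # "british" or "american"
    country: str        # where the school operates, e.g. "UAE"
    eu_students: bool   # EU passport holders on roll

@dataclass
class AiTool:
    name: str
    data_received: set              # fields the vendor is actually given
    data_needed: set                # fields its stated purpose requires
    hosting_region: str             # where the vendor stores the data
    safeguards: set = field(default_factory=set)  # e.g. {"SCC"} for standard contractual clauses
    automated_decisions: bool = False
    sensitive_data: bool = False

def applicable_regimes(school: School) -> set:
    # Curriculum, location and student nationality each pull in a regime.
    regimes = {"british": {"UK GDPR"}, "american": {"FERPA"}}.get(school.curriculum, set()).copy()
    if school.country == "UAE":
        regimes.add("UAE PDPL")
    if school.eu_students:
        regimes.add("EU GDPR")
    return regimes

def review_tool(school: School, tool: AiTool) -> list:
    # Flags a data-flow map should surface for one tool under the applicable regimes.
    regimes = applicable_regimes(school)
    gdpr = bool({"UK GDPR", "EU GDPR"} & regimes)
    flags = []
    excess = tool.data_received - tool.data_needed
    if excess:
        flags.append(f"minimisation: {tool.name} receives {sorted(excess)} it does not need")
    if gdpr and tool.hosting_region not in ADEQUATE_FOR_GDPR and "SCC" not in tool.safeguards:
        flags.append(f"transfer: {tool.name} stores data in {tool.hosting_region} without SCCs")
    if "UAE PDPL" in regimes and tool.hosting_region != "UAE":
        flags.append(f"localisation: check UAE PDPL transfer provisions for {tool.name}")
    if gdpr and tool.automated_decisions:
        flags.append(f"automated decisions: {tool.name} needs a human-review route")
    if tool.automated_decisions or tool.sensitive_data:
        flags.append(f"DPIA required for {tool.name}")
    return flags

# Constructed example: a British curriculum school in the UAE with EU passport holders on roll.
EXAMPLE_SCHOOL = School(curriculum="british", country="UAE", eu_students=True)
EXAMPLE_TOOL = AiTool("ReadingAssistant", {"name", "assessment_scores", "medical_notes"},
                      {"assessment_scores"}, hosting_region="US", automated_decisions=True)
```

Running `review_tool(EXAMPLE_SCHOOL, EXAMPLE_TOOL)` surfaces all five issues the guide warns about for that configuration, which is the point of doing the mapping before signing the vendor contract.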
The AI Literacy Audit Tool assesses your school's data protection readiness as one of its nine dimensions, cross-referencing your practices against the full landscape of international frameworks. But whether you use the tool or take a manual approach, the important thing is to start. Data protection in the AI era is not something you can defer; it is something you need to manage now, with the rigour and attention it deserves.
Alex Gray
Director, DEEP Education
Education technology specialist with 20 years in the education sector. BSME AI Network Lead and ISC Edruptor 2024 & 2025. Alex founded DEEP Education, part of the DEEP Education Network by DEEP Professional, to help schools navigate AI integration with confidence.