Is Notion GDPR Compliant? Depends on who you ask but first, what is GDPR?

Wikipedia tells us that GDPR is

“The General Data Protection Regulation (EU) (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA).”

But what is it really and how does it impact us as teachers?

As most of us have found out in Data Privacy Training on INSET, GDPR means that we as teachers have a duty to protect the information we hold about our colleagues and students:

  • We shouldn’t hold any more than we need to do our job.
  • We should protect the identity of our students, not sharing their data any more than is necessary.
  • and a whole host of other obligations for which you should refer to your Data Privacy Officer.

In short, though: if we are storing student data in Notion, we need to be absolutely sure that Notion is able to look after it properly, because if they can’t and we have put the data there, it will come back on us.

So firstly, as a classroom teacher, it’s not really on us to work out if Notion is GDPR compliant. Before uploading any student data, I went straight to my Data Privacy Officer and asked them to look into it. They came back with a few questions which I will share with you later, including my answers and the useful links I shared with them to get their approval for me to store student data on the site.

So really, this is all about getting onto your School Data Privacy Officer and getting them comfortable with Notion and its data privacy policies. At the end of the day, Data Privacy isn’t black and white. It’s a risk to be mitigated, so it’s a case of proving that Notion have done everything they can from their perspective to manage the risk and then for the school to put in place the necessary safeguards so that we aren’t exposed.

How did I do that then?

Step 1: I asked Notion if they are GDPR compliant. Sounds obvious but I thought I’d better check. As expected they confirmed that they are.

Step 2: I met with my DPO and talked him through Notion, what it is and why it’s so incredibly useful. He asked if Microsoft can do everything Notion does and I explained that it absolutely can’t, which he believed when I showed him the functionality of relational databases amongst everything else.

Step 3: He asked me to send him Notion’s Data Privacy policies, which I link to here for you: https://www.notion.so/help/gdpr-at-notion

Step 4: He was most interested in exactly which data I planned to store on the platform. Having used Notion for a while, I had a fairly good idea that I wanted to store the following data on the platform:

  • Student First Name e.g. “Patrick”
  • Student Class e.g. “3A”
  • Student Prep & Internal Test Scores e.g. “4/5”
  • Student Merits & Lesson Alerts
  • Student Late
  • Student Forgot equipment for lesson

Step 5: He confirmed that I am good to use Notion as long as:

a. It is only student first names.

b. If/when I leave the school or students leave the school, the data must be destroyed.

c. If my role changes at all and requires increased data storage on the platform, then we would need to review the arrangement.

d. Crucially, I needed to confirm that the agreement I signed with Notion incorporates the UK Standard Contractual Terms as per their link here: Data Processing Addendum (notion.site).

e. To share with him a copy of these Terms. To do this I emailed Notion to ask for this. At time of writing they are looking into it.

So am I using Notion yet to store student data? Not quite, but I’m confident that I will be very soon and you can too by following the steps above.

If you’ve found this useful then you’ll love my YouTube Channel: Notion for Teachers, where I post weekly on how I’m using Notion to improve student outcomes and keep my workload manageable.

Thanks for reading!
