GDPR-compliant digital signage for UK schools
Schools ask us this question more than any other: 'Is putting X on a screen a GDPR problem?' This isn't legal advice, but it's a plain-English checklist that will get most UK schools 90% of the way there — and it's what our own school customers use.
- UK GDPR essentials
- Data-hosting
- Photo consent
- DPIA checklist
The one-sentence version
UK GDPR treats a digital screen the same as a printed noticeboard: if the content identifies a person, you need a lawful basis for showing it, and you need to be able to switch it off quickly if consent is withdrawn.
What's fine to show without consent
- Announcements and news that don't name individuals.
- Class-level timetables ('Year 7 — Maths — Room 4').
- Whole-school events and calendars.
- Safeguarding messages, fire-drill info, weather, catering menus.
What needs consent or a DPIA
- Individual pupil photos with names.
- Named merit / award boards for pupils under 13.
- Live attendance or biometric check-in feeds.
- Wayfinding tied to a named pupil ('Alex Smith → Room 2').
Data-hosting and transfers
Choose a provider that hosts pupil-derived data in the UK or EEA. Viewli's dashboard, media and player state all run on UK-hosted infrastructure, and the sub-processor list is short and public. That's what most trusts want to see in a supplier questionnaire.
Practical controls to insist on
- Role-based access: teachers can add content, only the designated 'signage owner' can approve pupil-identifying content.
- Approval workflow before content goes live.
- Audit log of every publish action, retained 12+ months.
- One-click 'blank all screens' for incidents.
- Auto-expiry on content items so photos don't linger.
The 5-minute DPIA checklist
- What personal data will appear on screens?
- What's the lawful basis for each item?
- Who can add / approve / view?
- Where is the data hosted, and who processes it?
- How is consent captured and withdrawn?
- How long is the content retained?
- What's the take-down process if a parent objects?
Where Viewli fits
Viewli ships with roles, approvals, audit logs, per-item expiry and a blank-all-screens control out of the box — designed for exactly this compliance shape. Explore the internal-comms features or start a 30-day trial.
Frequently asked questions
Do we need parental consent to show pupil photos on signage?
Yes for identifiable images. Under UK GDPR, a photo of a named or recognisable pupil is personal data. Schools should rely on parental consent (or, for pupils 13+, the pupil's own consent) and keep a withdrawn-consent list.
Is a timetable on a hallway screen personal data?
Class-level timetables (e.g. '7B — Maths — Room 4') generally aren't personal data. A named individual pupil rota (e.g. '10:00 — Alex Smith — Detention') is. Keep the two apart.
Where should signage data be hosted?
There's no legal requirement to host in the UK, but UK-hosted or EEA-hosted signage removes the need for a Data Transfer Impact Assessment and simplifies your ROPA. Viewli is UK-hosted.
Do we need a DPIA for a signage rollout?
For low-risk internal comms (announcements, class timetables), usually no. For anything with pupil photos, biometric check-in, or wayfinding tied to identifiable pupils, yes — document the DPIA before go-live.