
Priorities for Managing Ongoing GDPR Compliance in Student Recruitment

The European Union’s General Data Protection Regulation (GDPR) has set the world’s standard for personal data security. In the context of student recruitment, universities are now responsible for gaining more specific and proactive consent to communicate with students and store their personal data.

The 25th May deadline for GDPR to be put into effect has already come and gone, but achieving GDPR compliance isn’t a one-and-done activity. Universities must have the right processes, technology and experts in place to manage GDPR compliance continuously as they build new, and further existing, relationships with prospective students.

What does this entail specifically?

The process and tools to capture consent in a structured way to maximise opt-ins

Don’t miss any opportunity to capture consent from your prospective students. Audit every point where you’re collecting inbound interest from prospective students – for example on your website or at overseas fairs. Ensure you have GDPR-compliant forms in every place where you’re collecting enquiries from prospective students.

As a reminder, GDPR-compliant forms contain explicit explanations of what your audience is opting into and capture positive opt-in behavior, in other words no pre-checked boxes. You’ll also need to give the student the chance to view your privacy policy at this point.

Of course, forms are not the only way to capture consent. But, early trends across the UniQuest university partner group show that prospective students opt in to communications at higher rates when consent is requested via a form rather than via free response channels like live chat or email. Therefore, we recommend that on your website you point prospective students to submit enquiries via forms rather than directing them to email your team.

The technology to maintain up-to-date records of communication preferences


Consent is not a static fixture on a prospective student record. Communication preferences change. You’ll need to maintain an up-to-date record of consent for every prospective student and make sure that those preferences are synced in real time with the systems you’re using to communicate with students, whether that be through email marketing, social messaging applications or phone calls.

The protocols to define and the people to manage ‘legitimate interest’

Consent is not a required path to compliance where an organisation has ‘legitimate interests’ to process personal data. ‘Legitimate interest’ would apply when the person whose data you’re processing would reasonably expect you to do so. In student recruitment, ‘legitimate interest’ most often comes into play when students apply to your university. In this instance, it is completely reasonable that you process the student’s data and would need to communicate next steps regarding an offer to study.

Creating a communication plan around ‘legitimate interest’ can be complex. Universities need to have the protocols to define the scenarios where ‘legitimate interest’ is appropriate and the people in place to ensure students are engaged in the right way thereafter.



As part of UniQuest’s student conversion service, we manage everything to do with achieving and managing ongoing GDPR compliance among the students we’re engaging from enquiry to enrolment. We began preparing for GDPR when the regulation was passed in 2016 and have worked very closely with all of our university partners to achieve and maintain compliance. Get in touch with us to discuss what we’ve learned and the trends we’ve seen as they relate to student recruitment.