Office365 and Children
Under GDPR there are special provisions for the protection of children's data and consent has to be obtained from parents. Given that most secondary and college schools have been using Office365 for the last couple of years.
This would make the material breach of GDPR even more severe. Given that this information is now known, education organisations need to address this breach of information by
a) requesting from Microsoft under GDPR what information was collected for each student and informing the parents
b) Upon request of the parents making an request for the deletion of all personal data held by Microsoft or third parties which may have been sold the data (that would be a separate breach)
c) and look for an alternative supplier which is not in breach of GDPR
Then a class action for damages can be launched for the loss of privacy