Data Protection
If you are planning on processing personal data, you may need to undertake a DPIA
A screening process helps you decide if you need the full DPIA. If not, a DPA is recommended. It feels like a burden but encourages you to think about the risks involved and address the niggling bits and pieces you might otherwise put to the back of your mind - like back-up, deletion, retention. All of which will usually highlight the importance of appointing a service owner and defining a checklist for them.
You also need to be aware that your software provider takes on a formal role of data processor under the GDPR/DPA18 (UK GDPR). So you will need a data processor agreement. This is usually incorporated into the University's SAAS Terms and Conditions.
Make sure you are aware of where your data will be processed and stored. At the time of writing, within the EU/EAA is acceptable, but standard contractual clauses must be used for most of the rest of the world including the US (please be aware that the Privacy Shield we used to rely on for the US is no longer valid). You should find the clauses incorporated into the University agreements.
Don’t forget the schedule with data protection particulars, usually lurking at the bottom of the agreement.