Please note that this document is for general information only and should not be treated as legal advice to your organisation, as an explanation of the law or the extent of obligations on data controllers or processors under the EU General Data Protection Regulation (“the GDPR”).
Data protection by design
On 25 May 2018 the EU General Data Protection Regulation (GDPR) replaced the 1995 EU Data Protection Directive. The GDPR strengthens the rights that individuals have regarding personal data relating to them and seeks to standardise data protection laws across Europe. It is important to understand that, regardless of where that data is processed, the GDPR may also affect your school even if it is not located in an EU member state.
You can be assured that Double First is committed to GDPR compliance. We are also committed to helping our customers comply with the GDPR by providing rigorous privacy and security protections that are built into our service.
Data Controllers and Data Processors
Schools will typically act as the Data Controller for any personal data they provide to Double First regarding their use of our services. The Data Controller determines the purposes and means of processing personal data, whilst the Data Processor processes data on behalf of the Data Controller.
Double First is a Data Processor in respect of the schools and processes personal data on behalf of the schools (the Data Controllers) when they use either the hosting solution, training or support facilities at Double First.
Data Controllers and Data Processors are responsible for implementing appropriate technical and organisational measures to ensure and demonstrate that any data processing is performed in compliance with the GDPR legislation.
Data Controllers are responsible for compliance with the data protection principles such as lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality as well as fulfilling data subjects’ rights with respect to their data.
If you are a Data Controller, you may find guidance related to your responsibilities under the GDPR by regularly checking the website of your national or lead data protection authority. For the UK, that authority is the Information Commissioner’s Office.
You should also seek independent legal advice relating to your status and obligations under the GDPR, as a legal adviser can provide you with guidance specifically tailored to your situation.
Where should you start?
As a current or future customer of Double First, now is a good time for you to begin preparing for the GDPR. Here are some considerations:
- Firstly, familiarise yourself with the provisions of the GDPR, especially the differences from your current data protection obligations;
- Consider creating an updated inventory of personal data that you handle. You can use Double First software to help you identify and classify data;
- Review your current controls, policies and processes to assess whether they meet the requirements of the GDPR. If not, build a plan to address any areas that need amending;
- Consider how Double First software could be used to help facilitate your data protection and ensure you are using the system securely;
- Monitor updated regulatory guidance as it becomes available;
- Consult a lawyer to obtain legal advice specifically applicable to your business circumstances.
Double First commitments to the GDPR
Alongside other duties, Data Controllers are required to only use Data Processors that provide adequate guarantees to implement appropriate technical and organisational measures so that data processing will meet the requirements of the GDPR.
Here are some aspects which we trust will reassure you when conducting your assessment of Double First:
Our data processing agreements for Double First software articulate our privacy commitments to customers. The terms have been amended over the years to reflect feedback from customers and regulators. We have updated our terms to reflect the new GDPR requirements, and these updated terms are available to our customers via the software and our Support Centre.
In our assessment, Engage has the appropriate functionality for compliance with the GDPR, including the methods we use for deletion and retention of data. This gives our customers assurance that they are using software and services that will assist them in being compliant.
PROCESSING ACCORDING TO INSTRUCTIONS
Any data that a customer and its users put into our systems will only be processed in accordance with the customer’s written instructions, as described in our GDPR-updated data processing terms.
All permanent and temporary employees are bound by confidentiality and non-disclosure terms within their employment terms and are also subject to our data protection, security and training policies. Fixed-term or open-ended contractors that fall outside of normal employment contracts are similarly bound to confidentiality terms within their contract and a separate non-disclosure agreement, as well as the Company’s data protection, security and training policies.
Administrators can delete any personal data via the functionality of the Double First software at any time during the term of the agreement. Administrators also have the ability to export data into a variety of formats using the integrated report builder. For support, training and implementation, Double First will securely store data backups for two weeks or until the need to hold the data lapses.
DATA SUBJECT RIGHTS
The Engage system allows the Administrator to export selected data at any time. There are also a variety of methods by which consent can be tracked. Decisions on how to implement the need for consent fall under the responsibility of the school; however, we can provide training on the consent tracking functions of Engage on request.
© Double First May 2018