General Data Protection Regulation (GDPR)
On 25th May 2018, all UK organisations which share personal data will have to comply with the EU General Data Protection Regulation (GDPR). This crucial piece of legislation will significantly affect the provision of services to the education sector, both for schools that collect and manage special category data relating to children and for the businesses that process it. It will introduce new responsibilities, including the need to demonstrate compliance, as well as more stringent enforcement. Penalties will also be substantially higher than under the current Data Protection Act (DPA), which it will supersede.
More information on GDPR is available from the Information Commissioner’s Office by clicking here.
Contact Group, along with the other businesses in the IRIS group, has been working to ensure that the way we handle and process your data is compliant in advance of the deadline.
Contact Group – Responsibilities
GDPR requires Contact Group to adhere to a number of key principles with regard to your data, and you can be assured that we take these responsibilities extremely seriously.
As part of our commitment to GDPR we make the following promises to our customers and partners:
- We will only manage data where we have an agreement with the data controller
- We will only retain data for as long as we have a processing agreement with the controller or need to do so with the data subject
- We will ensure data is handled in accordance with the GDPR legislation
- We train our staff in the proper handling of personal data and in maintaining confidentiality at all times
- We will review and update our internal processes and safeguards around data handling
- We will work where necessary to support the Data Controller in supporting the rights of the data subject
To support our GDPR responsibilities and promises we have carried out, or are carrying out, the following actions:
- We have staff who hold the recognised accreditations EU General Data Protection Regulation Foundation (GDPR F) and EU General Data Protection Regulation Practitioner (GDPR P)
- Updated our agreements with schools to include the required GDPR clauses and generally updated them to reflect the way our services are delivered
- Updated our software where required to support the new legislation
- Audited the data we hold, and risk assessed where and how it is held
- Formalised our GDPR Statement, based on IRIS Group policies
- Trained all our staff on their legal responsibilities and duties – this is ongoing
- Updated our third-party suppliers, where required, to ensure that personal data is held within the EEA
- Reviewed and updated our data retention policy
- Provided tools to assist the Data Controller in fulfilling their obligations to the data subjects
- Updating privacy notices
Educational Establishment / Local Education Authorities – Responsibilities
GDPR is a partnership between the educational establishment / local education authority (the Data Controller) and Contact Group (the Data Processor) and as such imposes principles and requirements on both parties. In engaging with Contact Group, the Data Controller (schools, clubs, etc.; users of the Contact Group services) must:
- Ensure that data imported or created using Contact Group services are covered by demonstrable/documented evidence of consent from the data subject (Parent/Staff member etc.) for their data to be shared with a processor
- Act swiftly to remove any parent data from all processing platforms where consent has been withdrawn
- Update educational establishment management information systems (MIS) promptly and remove pupil and parent details from processing systems as soon as data subjects leave.
- Manage all requests from the data subject directly
Software updates and considerations to ensure GDPR compliance
To ensure GDPR compliance, the following updates to the Contact Group software and processes have been made or are in progress:
- Added automatic deletion of personal data where no active connection to a school or club exists
- Incorporating compliance with data sharing agreements into our data extraction process
- Making our data extraction process more transparent for data protection representatives in education establishments
Contact Group is part of the Iris Software group: the IRIS security policy document – Click here to download.
Contact Group Data protection statement – Click here to download.
Contact Group GDPR and Data Protection overview – Click here to download.
Contact Group GDPR FAQ – Click here to download.
The following are for the Contact Group website. If you are looking for specific product-related terms and privacy notices, please go to the appropriate web services.
Contact Group Terms and Conditions – Click here to view.
Contact Group Data general privacy notice – Click here to view.