General Data Protection Regulation
Contact Group – Readiness Statement
On the 25th May 2018, all UK organisations which share personal data will have to comply with the EU General Data Protection Regulation (GDPR). This crucial piece of legislation will affect the provision of services to the education sector in a significant way, both for schools that collect and manage special category data relating to children and for the businesses that process it. It will introduce new responsibilities, including the need to demonstrate compliance, as well as enforcement that is more stringent. Penalties will also be substantially higher than under the current Data Protection Act (DPA), which the GDPR will supersede.
The Contact Group provides parental engagement, data reporting and integration services for education establishments and Local Authorities. Our business heavily relies on integrations with many of the Management Information Systems used in the education sector to collect and control their students’ personal and education-related data. As a trusted processor of school data, we have had a GDPR readiness roadmap in place since the beginning of 2017. GDPR compliance is not optional for us and we are currently readying our business for compliance by the GDPR deadline on the 25th May 2018.
Our staff have been undergoing updated data privacy training to reflect the changing legislation. We have staff who hold the recognised accreditations EU General Data Protection Regulation Foundation (GDPR F) and EU General Data Protection Regulation Practitioner (GDPR P). We are in the process of appointing a new Data Protection Officer who will be in place early in Q1 2018.
GDPR clearly outlines crucial changes to the data privacy rights of individuals, including the right to be forgotten, the right to move data from one platform to another (portability), the right to restrict data processing and the right not to be subject to automated profiling. Also important for educational establishments are data breach policies, which move to 72-hour reporting cycles. The Contact Group have been refining internal procedures to help with this process, ensuring that all organisations in the data chain work together to provide the best service.
We are enhancing our product development to make sure that data protection by design is an integral part of the process. This includes considering DPIAs for any feature which impacts data privacy. We are also expanding our service to allow education establishments to contribute more to this process.
We are in the process of updating all of our privacy notices and data sharing agreements to reflect the GDPR changes. These include the data we process, our rationale for having it, and, if we share it with any other organisation, the information that is shared and for what purpose. This gives education establishments more visibility and control over what is happening to any data that they are authorising us to collect, and any information we collect via our services. We are improving our services to enable schools to see what data we extract, when it was extracted, the consent flow and whether we, or any third party, used it.
Contact Group is committed to high standards of information security, privacy and transparency. We place a high priority on protecting and managing data in accordance with accepted standards including Cyber Essentials and ISO27001. Contact Group will be fully compliant with applicable GDPR regulations when they take effect in 2018, including as a data processor, while also working closely with our customers and partners to meet contractual obligations for our procedures, products and services.