What is GDPR?
On May 25th 2018 the General Data Protection Regulation (GDPR) (EU) 2016/679 came into force. The GDPR is a regulation in EU law on data protection and privacy for all individuals within the European Union, and it aims to unify the policies and strengthen the safety and security of all data held within an organisation.
This legislation replaced the existing Data Protection Act (DPA) and is considered the most significant data protection legislation of the last 20 years. There is a plethora of information about the new legislation available online. The Information Commissioner's Office (ICO) provides a good starting point with its Overview of GDPR.
EduKit is committed to helping schools, youth providers and others to improve educational outcomes for children and young adults. We have standardised policies and procedures to manage and protect the data that we process on behalf of our schools. We are committed to providing secure and transparent support for schools, and as such data security and compliance are of paramount importance to us. Our systems and processes are fully GDPR compliant.
In order to achieve compliance, we focused on 2 workstreams:
- A GDPR and security audit of EduKit products (i.e. EduKit Connect, EduKit Insight and EduKit marketing activities)
- Updated documentation of policies and procedures
Some of the changes we made to become GDPR compliant include:
- Updated EduKit Insight Terms and Conditions
Data controllers and Data processors
The new laws require both Data controllers (such as Schools) and Data processors (such as EduKit) to update their processes and technology to meet the specified requirements.
Schools are the data controllers of staff and pupil-related data. The data controller is the person or organisation who determines what data is extracted, what purpose it is used for and who is allowed to process the data. GDPR increases the responsibility schools have to inform students and parents about how their data is being used and by whom.
EduKit is the Data processor of the staff and pupil data. This is data we are trusted with but do not control. However, EduKit has the right to aggregate and anonymise data to help achieve our social mission of tackling educational disadvantage. Please note that this data, used for research purposes, is fully anonymised and as such is no longer attributable to specific students or schools.
How does EduKit protect personal data and where is it processed?
Our platform and customer data are stored on compliant cloud infrastructure. Our servers are hosted by Amazon Web Services (AWS) in Ireland to ensure customer data is retained within the European Economic Area (EEA). We use multiple protective layers within the AWS platform to protect our services, including encryption and firewalling. We have completed a full 3rd-party audit.
We store business data within selected cloud platforms, including services like Google Drive, JotForm and HubSpot CRM. We will only use platforms whose information security practices we approve. These are tools we use to operate our business, for purposes such as billing and invoice information, support cases, and marketing engagement.
Our Data Protection Officer (DPO) is a qualified lawyer with expertise in GDPR matters.
Who can access personal data?
Where it is necessary to access customer data, for example to investigate a support case, only approved EduKit support and technical staff can access it.
How do I make a Subject Access Request or implement the Right to be Forgotten?
If you wish to make a Subject Access Request and/or Right to be Forgotten request, where applicable, please contact firstname.lastname@example.org.
If your school would like further information on GDPR compliance in EduKit products then please contact your account manager.