2018 GDPR Compliance
Compliance with General Data Protection Regulation
Protecting the personal data we hold is a priority for Third Space Learning. With the General Data Protection Regulation (GDPR) coming into effect in May 2018, we are making changes to our policies, processes, products and systems to ensure that we comply with GDPR.
We’re also committed to helping Schools meet their requirements under the Regulation.
On 25 May 2018 the General Data Protection Regulation comes into effect across the EU and on the same day, the UK’s Data Protection Bill will pass into law, as the Data Protection Act 2018, effectively implementing the GDPR into UK law.
GDPR and the Data Protection Act 2018 will expand the privacy rights granted to EU data subjects and place greater obligations on organisations who handle personal data of those individuals (data controllers and processors), wherever those organisations are based.
What we’re doing to comply with GDPR
As an organisation that handles personal data including personal sensitive data, Third Space Learning is committed to ensuring that we are compliant with GDPR.
Some of the steps we have taken and are taking include:
- Mapping and documenting data handled by us and our tutor centres including:
  - identifying the personal and sensitive data held;
  - where the data is stored, how the data is used and with whom the data is shared;
  - establishing where the data came from and identifying the legal basis for holding and processing it; and
  - reviewing our standard retention periods.
- Analysing GDPR requirements against our current processes and policies and making changes to our products, processes and documentation in line with requirements including:
comply with the requirements of GDPR;
  - reviewing and updating our processes of obtaining consent from Schools for the processing of personal data;
  - reviewing and updating supplier contracts and Data Transfer Agreements with tutor centres and other third parties to set out each party’s respective responsibilities under GDPR; and
  - reviewing how we communicate with schools.
- Undertaking a review of our security measures to ensure systems are robust and to identify any potential risks of non-compliance or any weaknesses in our data storage and handling systems;
- Providing training to all staff on the requirements of GDPR and Third Space Learning’s data privacy procedures;
- Ensuring that procedures are in place to deal with individuals’ enhanced rights under GDPR.
The personal data shared by Schools with us is held on our Platform. The Platform is designed, built and maintained in-house by our Product Development team. The Platform is hosted by Amazon Web Services (please see details of AWS GDPR processes and compliance).
The integrity and security of our Platform are very important to us and, irrespective of the forthcoming introduction of GDPR, we continue to invest resources in improving the Platform. Where relevant to their role, we encourage members of the Product Development team, as part of their CPD, to work towards obtaining an information security qualification. Third Space Learning, as an organisation, will be giving consideration to obtaining ISO 27001 as an independent validation of our procedures.
Our policies and procedures
Our policies and procedures are being updated to ensure compliance with GDPR and a training programme across all staff – not just those who process/access personal data – on GDPR and our data privacy procedures is being rolled out.
We are also reviewing our processes and timing of obtaining School confirmation of the contract and consent to the processing of personal data. Our aim is to ensure that data privacy is a day-to-day consideration across the business for all our employees, and central to how we work.