What is GDPR?
On May 25th 2018 the General Data Protection Regulation (GDPR) (EU) 2016/679 came into force. The GDPR is a regulation in EU law on data protection and privacy for all individuals within the European Union and is intended to unify the policies and strengthen the safety and security of all data held within an organisation.
This legislation replaced the Data Protection Act (DPA) and is considered the most significant data protection legislation of the last 20 years. There is a plethora of information about the new legislation available online. The Information Commissioner's Office (ICO) provides a good starting point with its Overview of GDPR.
Satchel is committed to helping deliver outstanding educational support. We have standardised policies and procedures to manage and protect the data that we process on behalf of our schools. Our policies are driven by our significant experience in the education sector - we work with 1 in 3 UK secondary schools - and our existing data protection compliance through our ICO registration.
Satchel has taken the following actions to ensure compliance:
- Improved office security and infrastructure
- Completed GDPR and security audit for Satchel products (including Show My Homework)
- Updated Documentation of policies and procedures
Some of the changes we made to help schools become GDPR compliant include:
- An easy way to get consent from parents.
We no longer import parent data from schools, which would require explicit consent from parents through the school. Instead, we give parents who wish to use our service the chance to sign up themselves where we elicit their consent through our platform.
- An updated GPDR-compliant contract
We have introduced a new contract which outlines both the school's and Satchel’s responsibilities in terms of the new upcoming legislation. This includes an updated GDPR compliant data sharing agreement.
Data controllers and Data processors
The new laws require both Data controllers (such as Schools) and Data processors (such as Satchel) to update their processes and technology to meet the specified requirements.
Schools are the data controllers of staff and pupil-related data. The data controller is the person or organisation who determines what data is extracted, what purpose it is used for and who is allowed to process the data. GDPR increases the responsibility schools have to inform students and parents about how their data is being used and by whom.
Satchel is the Data processor of the staff and pupil data as the school’s learning platform. This is data we are trusted with but do not control. Satchel is the Data controller of parent data, as parents sign up and manage their own accounts directly on our platform.
How does Satchel protect personal data and where is it processed?
Our platform and customer data are stored on approved and compliant cloud infrastructure. Our servers are hosted by Amazon Web Services (AWS) in Ireland to ensure customer data is retained within the European Economic Area (EEA). We use multiple protective layers within the AWS platform to protect our services, including encryption and firewalling. We have completed a full 3rd-party audit.
We store business data within selected cloud platforms, including services like Google Drive and Salesforce. We will only use platforms whose information security practices we approve. These are tools we use to operate our business, for purposes such as billing and invoice information, support cases, and marketing engagement.
All data transfers use SHA256 with RSA (RSA 2048 bits for key exchange) between client browsers and our servers.
Who can access personal data?
Where it is necessary to access customer data, for example to investigate a support case, only approved Satchel support and technical staff can access it. Satchel carries out DBS checking on staff who have personal data access and staff are subject to contractual data access policies.
How are errors in data corrected?
Staff and student personal data is obtained from the Data controller (the School). In the event of an error, school administrators can correct user data such as names and emails. Staff and parents can also change their personal details directly on the platform or contact our support team.
How do I make a Subject Access Request or implement the Right to be Forgotten?
If you wish to make a Subject Access Request and/or Right to be Forgotten request, where applicable, please contact firstname.lastname@example.org
If your school would like further information on GDPR compliance in Satchel products then please contact your account manager.