What is the General Data Protection Regulation (‘GDPR’)?
It is a major update to the Data Protection Act, designed to protect the personal data of all EU citizens, from the 28 member states, from data breaches and encroachments on privacy. It requires all organizations operating in EU countries to implement and document safeguards, regarding the receiving, processing, handling and storage of personal data.
I’m just a ‘small business’, though - is the GDPR relevant to Teachers and/or Studios?
Yes. If an organization processes the personal data of EU citizens then it is within scope of the GDPR, irrespective of size (small companies and sole traders are not exempt), form (charitable and non-profit organizations are not exempt), office location (organizations outside of the EU are not exempt), etc.
What advice can you provide to Teachers/Studios regarding GDPR compliance?
We can answer questions about how our software and procedures align to GDPR but, regrettably, cannot advise our customers how to implement GDPR for their own companies.
I’ve no idea what to do regarding GDPR for my business, can you please help me?
To understand how to implement GDPR within your business, we would recommend using this free guide: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/.
What does the phrase ‘personal data’ mean within the GDPR?
In plain English, this means ANY data that can (directly or indirectly) lead to the identification of a living EU citizen, including but not limited to: name, address, date of birth, post code (zip code), email address, passport number, gender, photographs, phone number, IP address, NI number (SS number), earnings (salary, invoicing), credit card / debit card numbers & security codes, user IDs (e.g. social media, paypal, etc.), CVs (Resumes), calendar/schedule information, and numerous other items. It also includes digital information such as IP addresses, device IDs, browsing history/patterns, cookies and MAC addresses.
If I’m an existing MTH/SH customer, does this automatically mean I’m GDPR compliant?
No. GDPR compliance relates to ALL of the personal data used within your business, not just the small sub-set of personal data entered into our software.
Is data being transferred outside to any ‘Third Countries’?
As we are a US business using Amazon AWS hosting and other US-based third parties, it’s probable elements of data will be transferred to the US.
As a US registered business, is MTH and its related brands registered with the Privacy Shield?
At present, we are considering the Privacy Shield self-certification process, but this certification is not in place as of 23rd May 2018.
Is the Privacy Shield required for data transfer from EU<>US?
No. If a Privacy Shield exists, then this meets the EU’s criteria for a country offering adequate protection by default. This being said, there are certain situations, whereby, even without a Privacy Shield, Personal Data may be transferred to a Third Country (US). These are referred to as Derogations, and these are contained in Article 49 (specifically, points 1.a / 1.b / 1.c).
Of note, regarding transfer to the US, we consider the input of data into our software as being sufficient evidence of Informed Consent being freely given by Teachers/Studios (regarding Teachers/Studio personal data), and having been fully obtained by Teachers/Studios (regarding Parents/Students data, specifically including all necessary parental permissions for children’s data).
If I receive GDPR requests from Parents/Students, can you help answer their questions?
We can answer questions about how our software and procedures align to GDPR but, regrettably, we cannot advise our customers how to fulfil student/parent requests, nor answer student/parent questions ourselves.
Is MTH (as a business) and its software fully compliant with GDPR?
Our principal focus is to uphold all of the core principles (a.k.a. the ‘six fundamental principles’), all of the individual rights of EU citizens (a.k.a. the ‘eight rights’), and the other critical components (e.g. informed consent). This being said, the full scope of GDPR is vast; including dozens of rules (99 articles) and guidelines (137 articles). Thus, certain elements are implemented to a commercially reasonable degree; in effect, ‘right-sizing’ them on a proportional basis for a business of our size. You are welcome to send us questions, concerns and formal requests, and we will respond within the defined timeline(s).
Is there a Data Protection Officer registered for MTH/SH, etc.?
No. Based upon our current operations, we are not required to nominate a DPO. This will be reviewed (at least, once per annum), and we will appoint a DPO if/when it’s required under Article 37.
If there is no DPO, then who do I contact – and, how do I contact them?
The most expedient method would be to email firstname.lastname@example.org or contact us via any of our Services. To help us identify urgent issues as fast as possible, please include ‘GDPR’ in the subject title and/or email text.