The GDPR applies to data 'controllers' and data 'processors'. As a school, you are the Data Controller in respect of the personal data you store on Insight. As a Data Controller, it is your responsibility to ensure compliance with data protection laws and to ensure that your contracts with any data processors comply with the GDPR.
Equin Limited, the company providing Insight, is the Data Processor in respect of the personal data you store on Insight. We are responsible for processing personal data on your behalf, and we are required to maintain records of personal data and processing activities and to make sure your data is securely protected.
Preparing Insight for GDPR
We've always taken data protection and security very seriously, so we're not having to make many changes behind the scenes to ensure our compliance with GDPR. Your data is already stored securely as detailed in our Privacy Notice. Our Terms of Service detail our contractual relationship.
Here's what you can expect in the coming weeks:
- ✅ Updated Terms and Conditions. Under GDPR, any processing of personal data by a Processor (that's us) should be governed by a contract or terms and conditions with certain provisions included. We've therefore drawn up new Terms of Service, in consultation with our legal advisers, which guarantee you the right protections and controls over your data. Your school will be asked to formally agree these terms when renewing for 2018-19 and you can view them here.
- ✅ Updated Privacy Notice. We've also updated our Privacy Notice to make available more detailed information on what personal data we store, why we store it, and how long for.
- Updated Security Information. The Terms of Service and Privacy Notice will provide the information you need to be able to decide whether you're happy using Insight as a data processor going forwards. Over the longer term, we intend to go further in making available general information on our data security procedures and policies.
Preparing your school for GDPR
The ICO will be responsible for enforcing the GDPR. It's worth taking a look at their introduction, along with their 12 steps to take now. The Information Commissioner's myth busting articles are also useful.