The GDPR is the most important change in data privacy regulation in 20 years.
And it takes effect on May 25, 2018.
The EU General Data Protection Regulation (GDPR) is a regulation designed to increase protection around the processing of personal data of EU residents and EU citizens.
I’m sure you will have been on the receiving end of a raft of emails from businesses explaining changes to their data policies. This is due to the GDPR.
The GDPR is changing how businesses and organisations handle people’s data, so it’s important that organisations comply with the new rules.
And for companies that handle information relating to schools, GDPR is important, because it enhances protection for children’s personal data.
The new regulation applies to companies in the EU or any company providing goods or services to EU citizens or residents. So it’s just as important for a school in, say, Argentina, with students from France, to make sure that their policies and service providers comply with the GDPR, as it is for a school in Germany.
In this article we explain what we’re doing to comply with the GDPR before the May 25th deadline and how that applies to your data, privacy and personal information in relation to our intelligent university and course matching software.
What is the GDPR?
Disclaimer: The contents of this article do not constitute legal advice. This page is for informational purposes only, and we strongly encourage you to seek independent legal advice to understand how your school needs to comply with the GDPR.
The GDPR is the new European data protection law. It updates current data protection regulations, which were put in place back in 1995 – so it’s fair to say the nature of how companies use data has changed a lot since then. The regulation states that “rapid technological developments and globalisation have brought new challenges for protecting personal data… Technology has transformed both the economy and social life, and should further facilitate the free flow of personal data within the Union and the transfer to third countries and international organisations, while ensuring a high level of protecting personal data.”
People should be able to control their own data, and rules for protecting data should be “harmonised” across the member states of the EU.
While Brexit will change the UK’s position in relation to the EU, companies in the UK will still have to comply, because the new regulation applies to companies in the EU or any company providing goods or services to EU citizens or residents.
What kind of data?
Under the new regulation, people will have easier access to the data that companies hold on them, including both personal data and sensitive personal data. Personal data is any piece of information that can identify a person, such as their name or address; sensitive personal data includes information about religious and political views, genetic data, and more. Our contracts with schools provide the lawful basis for BridgeU’s processing of individuals’ data.
Will BridgeU comply with the GDPR?
Yes. The data protection team at BridgeU have been working for 12 months to comply with the principles and requirements of the EU General Data Protection Regulation (GDPR).
The GDPR applies to ‘data processors’ and ‘data controllers’.
Data controllers: determine the “purposes and means of the processing of personal data”. Your school, college or other academic institution is the data controller.
Data processors: “process personal data on behalf of the controller”.
Under the GDPR, BridgeU is considered a ‘data processor’, and we fully intend to be compliant in how we process personal information by the May 25, 2018 deadline.
As a general rule, we will hold the personal information provided to us for as long as is necessary to accommodate your use of the platform and the services made available to you via the platform.
BridgeU is committed to helping schools run a smooth and robust university guidance process. A key part of this is making sure that school staff and student data is secure, and only used for the purposes intended by the owners of that data.
How BridgeU is preparing to comply with the GDPR
We make sure your data is protected by industry-standard processes and that any third parties we transfer your data to also meet these security requirements. This includes utilising various security methods and maintaining the integrity of our online servers and physical infrastructure.
Rights of students, parents and staff
We will uphold the rights of students, staff and parents of our schools as stated in our policy and make sure that the data BridgeU processes will only be used as agreed in our terms.
What does the GDPR do?
The GDPR gives EU persons more rights and protection regarding their personal data.
For example, the ICO makes note of the following rights of EU Citizens under GDPR.
Right of access: You have the right to obtain confirmation as to whether your personal data are being processed, and, where that is the case, access to such personal data.
Right to Rectification: We rely on the Data Controller to ensure that the personal information provided to us for processing is accurate. You should notify your school of any changes to the personal information that you have provided by sending them a request to rectify your personal information.
Right to erasure / ‘Right to be forgotten’: You can request your school to delete all of your personal information. This will result in BridgeU deleting your personal information (unless there is a legitimate and legal reason why BridgeU is unable to delete certain aspects of your personal information, in which case we will inform you of this in writing).
Right to restriction of processing: You have the right to ask your school to stop processing your personal information at any time, although this is likely to result in you no longer being able to use the services made available to you via the Platform.
Right to data portability: You have the right to request that your school provides you with a copy of all of your personal information and require them to transmit your personal information to another data controller in a structured, commonly used and machine-readable format.