

General Data Protection Regulation (GDPR)

The GDPR regulates how the personal data of EU residents is collected, processed or used, stored, transferred, and deleted. It is designed to ensure that organizations treat the personal data of “data subjects” (students, parents, employees and other constituents) with care. It is also meant to strengthen the trust between individuals and the companies that collect and/or process their personal data by strengthening and coordinating data protection across EU member states.

It is scheduled to take effect on 25 May 2018. Veracross has been focused on data privacy and security for many years, and has long acted in compliance with EU regulations, by, among other things, complying with the industry standard security protocols, keeping EU data in the EU, and abiding by the EU-US Safe Harbor and its successor, the EU-U.S. Privacy Shield. We take our role securing personal data very seriously.

As with many companies, we have been updating our policies and procedures to align with the GDPR. We’ve devoted significant time and resources to the GDPR and believe we’ve been thorough in understanding its intent and meaning. From the beginning, we’ve viewed GDPR compliance in two ways:

1) ensure that Veracross meets all requirements as a processor of data and

2) where feasible, provide tools and assistance to our Clients to help them to become compliant in their role as data controller.

We continue to design new functionality that integrates compliance with our best-in-class school information system platform which includes Axiom, our powerful web application that provides elegant and easy to use access to each Client’s fully integrated database. At Veracross, integration is not an afterthought, it is “built-in”.

Frequently Asked Questions about the GDPR:

Note – Answers to the questions below are provided to the best of our knowledge and do not constitute legal advice. Please seek the advice of a competent GDPR attorney to ensure that any material provided below is congruent with your specific business case.

Who does the GDPR apply to?

What are the data protection principles of GDPR?

Is it true that explicit consent must be received in order to collect and process data under the GDPR?

What constitutes personal data?

What about Data Subjects under the age of 16?

What are the penalties for non-compliance?

What is a data protection impact assessment (DPIA) and has Veracross completed one?

How will Veracross applications collect consent and on which modules?

How can personal data be deleted from a Veracross database?

What is the difference between a data processor and a data controller?

What is the difference between a regulation and a directive?

Who does the GDPR apply to?

If you process data about individuals in the context of selling goods or services to citizens in other EU countries or monitor the behavior of those individuals, then you will need to comply with the GDPR, whether or not you have a corporate presence in the EU. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.

What are the data protection principles of GDPR?

In 1988 the UK implemented a directive called the Data Protection Act, and the GDPR is essentially built on the same principles (strengthening them in many areas) and adds an additional tenet called “accountability”. The principles are:

  • Lawfulness, fairness and transparency: Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject
  • Purpose limitation: Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
  • Data minimization: Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
  • Accuracy: Personal data shall be accurate and, where necessary, kept up to date
  • Storage Limitation: Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
  • Integrity and confidentiality: Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures
  • Accountability: The controller shall be responsible for, and be able to demonstrate, compliance with the GDPR

Is it true that explicit consent must be received in order to collect and process data under the GDPR?

In some cases, yes. However, there are six lawful bases on which you may process data. Each company must decide which legal basis it is relying on for processing personal data for each of its activities, and this must be clearly documented. In addition to processing based on consent, the GDPR allows for processing personal data if it is necessary for the performance of a contract, to protect a person’s vital interests, for the performance of tasks carried out in the public interest, to comply with legal obligations, in the exercise of a controller’s official authority, or for the legitimate interests of a controller.

If consent is required, it cannot be obtained via pre-ticked boxes or other passive methods; rather, consent requires an explicit action, such as reading how the data will be used, checking a box, and hitting enter.

What constitutes personal data?

Any information related to a natural person or ‘Data Subject’ that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, or medical information to a computer IP address.

What about Data Subjects under the age of 16?

Parental consent will be required to process the personal data of children under the age of 16 for online services; member states may legislate for a lower age of consent, but this will not be below the age of 13. For Veracross schools, a parent or guardian grants permission for students to be given access to Veracross applications.

What are the penalties for non-compliance?

Organizations can be fined up to €20 million or 4% of annual global revenue for breaching the GDPR. This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core of the Privacy by Design concepts. There is a tiered approach to fines; for example, a company can be fined 2% for not having its records in order (Article 28), not notifying the supervising authority and data subject about a breach, or not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors, meaning ‘clouds’ will not be exempt from GDPR enforcement.

What is a data protection impact assessment (DPIA) and has Veracross completed one?

A DPIA is an assessment of the impact of processing personal data and, in particular, the special categories of data mentioned in Article 9(1) (e.g. ethnic origin, genetic data, etc.). Companies must assess where there may be a high risk to the rights and freedoms of natural persons due to the processing of the data.

Veracross has completed a DPIA for all categories of personal data, and the report is available to Veracross schools upon request. This will assist schools in meeting their own obligations for a DPIA; however, schools should extend the Veracross DPIA so that it includes personal data stored in other systems and databases that the school uses.

How will Veracross applications collect consent and on which modules?

https://modules.veracross.com/article/gdpr-information

How can personal data be deleted from a Veracross database?

https://modules.veracross.com/article/deleting-personal-information-gdpr-related

What is the difference between a data processor and a data controller?

A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.

What is the difference between explicit and unambiguous consent and when does each apply?

The GDPR defines consent as follows: “Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

The conditions for consent have been strengthened: companies will no longer be able to rely on long, illegible terms and conditions full of legalese, because the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent, meaning it must be unambiguous. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it. Explicit consent is required only for processing sensitive personal data; in this context, nothing short of “opt in” will suffice. For non-sensitive data, however, “unambiguous” consent will suffice.

What is the difference between a regulation and a directive?

A regulation is a binding legislative act that must be applied across the EU in its entirety, while a directive is a legislative act that sets a goal all EU countries must achieve but leaves it up to the individual countries to decide how. The GDPR is a regulation, in contrast to the previous legislation, which was a directive.


401 Edgewater Place

Suite 360

Wakefield, MA 01880

866.492.3463
