GDPR is new legislation covering the use of personal data and becomes law on the 25th May 2018. GDPR requires businesses that use personal data to adhere to a number of principles that help maintain the security of personal data and ensure greater visibility and control.

More information on GDPR is available from the Information Commissioner’s Office by clicking here.

ParentMail, along with the other businesses in the IRIS group, has been working to ensure that the way we handle and process your data is compliant in advance of the deadline.


ParentMail’s Responsibilities

GDPR requires ParentMail to adhere to a number of key principles with regard to your data, and you can be assured that we take these responsibilities extremely seriously.

As part of our commitment to GDPR we make the following promises to our customers and partners:

  • We will only manage data where we have an explicit agreement with the data controller
  • We will only retain data for as long as we have a processing agreement with the controller or need to do so with the data subject
  • All data used in our systems is encrypted when at rest (stored) and whilst in transit (when accessed using a browser or the ParentMail app)
  • We train our staff in the proper handling of personal data and maintaining confidentiality at all times
  • We will review and update our internal processes and safeguards around data handling
  • We will work where necessary to support the Data Controller in upholding the rights of the data subject

To support our GDPR responsibilities and promises we have completed the following actions:

  • Updated our agreements with schools to include the required GDPR clauses and generally updated them to reflect the way our services are delivered – see downloads section
  • Updated our software where required to support the new legislation – see below
  • Audited the data we hold, and risk assessed where and how it is held
  • Formalised our GDPR Statement, based on IRIS Group policies
  • Trained all our staff on their legal responsibilities and duties – this is ongoing
  • Updated our third-party suppliers, where required, to ensure that personal data is held within the EEA
  • Reviewed and updated our data retention policy
  • Provided tools to assist the Data Controller in fulfilling their obligations to the data subjects


School responsibilities

GDPR is a partnership between the school (the Data Controller) and ParentMail (the Data Processor) and as such imposes principles and requirements on both parties. In engaging with ParentMail, the Data Controller (schools, clubs etc. that are users of the ParentMail service) must:

  • Ensure that data imported or created in ParentMail is covered by demonstrable/documented evidence of consent from the data subject (Parent/Staff member etc.) for their data to be shared with a processor
  • Act swiftly to remove any parent data from all processing platforms where consent has been withdrawn
  • Update school MIS systems promptly and remove pupil and parent details from processing systems as soon as a child leaves the school
  • Manage all requests from the data subject directly


Software updates completed to ensure GDPR compliance

To ensure GDPR compliance, we have made the following updates to the ParentMail software and processes:

  • Added automatic deletion of personal data where no active connection to a school or club exists
  • Updated the BACS settlement email, which now delivers links to settlement information instead of sending it as a file attachment
  • Creation of SAR templates from within the ParentMail system for Data Controllers to use when receiving SARs


Useful documents – Download area

ParentMail is part of the IRIS Software group. The IRIS Security policy document is available below:

IRIS Software group Security policy update – Click here to download

Data protection statement – Click here to download

ParentMail privacy policy – We’re still working on this. Please check back later to see our updated terms and conditions.

Updated ParentMail terms and conditions – We’re still working on this. Please check back later to see our updated terms and conditions.

ParentMail GDPR and Data protection overview – Click here to download

Data Processing Agreement – We have prepared a downloadable Data Processing Agreement for customers to use, which can be downloaded by clicking here.