GDPR is the new legislation covering the use of personal data that become law on the 25th May 2018. GDPR requires business who use personal data to adhere to a number of principles that help maintain security of personal data and ensure greater visibility and control.
- 123Comms Limited – ParentMail, is meeting the requirements of GDPR.
More information on GDPR is available from the information commissioner’s office by clicking here.
ParentMail along with the other businesses in the IRIS group have been working to ensure that the way we handle and process your data is compliant.
GDPR requires ParentMail to adhere to a number of key principles with regards to your data and you can be assured that we take these responsibilities extremely seriously.
As part of our commitment to GDPR we make the following promises to our customers and partners;
- We will only manage data where we have a clear agreement with the data controller
- We will only retain data for as long as we have a processing agreement with the controller or need to do so with the data subject
- All data used in our systems is encrypted when at rest (stored) and whilst in transit (when accessed using a browser or the ParentMail app)
- We train our staff in the proper handling of personal data and maintaining confidentiality at all times
- We will review and update our internal processes and safeguards around data handling
- We will work where necessary to support the Data Controller in supporting the rights of the data subject
- Not to transfer or process data outside of the EEA
To support our GDPR responsibilities and promises we have completed the following actions;
- Updated our agreements with schools to include the required GDPR clauses and generally updated to reflect the way our services are delivered – see downloads section
- Updated our software where required to support the new legislation – See below
- Audited the data we hold, and risk assessed where and how it is held
- Formalised our GDPR Statement, based on IRIS Group policies
- Trained all our staff on their legal responsibilities and duties – this is ongoing
- Updated our third-party suppliers, where required, to ensure that personal data is held within the EEA
- Reviewed and updated our data retention policy
- Provided tools to assist the Data Controller in fulfilling their obligations to the Data subjects such as automatic SAR information retrieval
GDPR is a partnership between the school (Data Controller) and ParentMail (The Data Processor) and as such imposes principles and requirements on both parties. In engaging with ParentMail the Data Controller ’Schools/Clubs etc. Users of the ParentMail service, must;
- Ensure that we have a specific data processing/sharing agreement with our customers
- Report any suspected data breaches to ParentMail as well as those listed in their breach procedures
- Update school MIS systems promptly with new or updated pupil and parent details
- Manage all requests from the data subject directly
Software updates completed to ensure GDPR compliance
In order to ensure GDPR compliance, below is a summary of the updates made to the ParentMail software and processes;
- Added automatic deletion of personal data where no active connection to a school or club exists
- Updated BACS settlement email that now delivers links to settlement information instead of sending via file attachment
- Creation of SAR templates from within the ParentMail system for Data Controllers to use when processing SAR’s
Useful documents – Download area
ParentMail is part of the IRIS Software group, IRIS Security policy document is available below;
IRIS Software group Security policy update – Click here to download
Data protection statement – Click here to download
Software Licence Agreement – Click here to download
ParentMail GDPR and Data protection overview – Click here to download
Data Processing Agreement – We have prepared a downloadable Data Processing Agreement for customers to use and this can be downloaded by clicking here