What action are you taking to prepare for GDPR?
We have had a GDPR compliance project running since the start of this academic year which, with the benefit of external specialist consultants, aims to ensure that Doublestruck is fully compliant with the GDPR by 25th May 2018.
Are you registered with the Information Commissioner’s Office?
Yes, Doublestruck is ICO registered, registration number: Z8113100
Do you have any information management accreditation?
Not at present. However we expect to have Cyber Essentials accreditation within the next couple of months.
How do you ensure secure storage, erasure and destruction of personal data?
All customer data is stored either in the data centres of industry leading service providers (e.g. Mailchimp) or in our own systems in UK hosted data centres. These third party providers offer secure erasure/destruction services as part of their SLAs.
What technical and organisational security measures do you have in place to protect personal data?
Our systems are hosted by industry leading, fully accredited hosting providers in data centres in the UK. Our systems are built using industry standard approaches and are rigorously tested for vulnerabilities on an ongoing basis by our own team, and annually by third-party security experts.
How secure are your systems?
Our most recent penetration and vulnerability tests found no significant vulnerabilities in our systems.
What policies and procedures do you have in place to protect personal data?
Our data protection and acceptable use policies and associated staff training ensure that all staff are aware of their and the company’s obligations to protect any personal data that we hold.
Do we need a new contract that reflects GDPR requirements?
As part of our move to GDPR compliance we will be introducing new terms and conditions that all users of Doublestruck systems will be obliged to agree to. These, along with an updated privacy notice, will address the requirements for GDPR compliance.
Do you have data protection policies and procedures for dealing with any data breaches?
Yes, we have both.
Are data management procedures reviewed regularly?
What data does your organisation hold in relation to our school?
We will hold different data depending on the services that you subscribe to and the choices that you have made about how you use them. Typically we hold the following personal data:
We may hold contact details (name, job title, email, telephone) for school staff based on publicly available information, previous orders or as part of signing up to a demo or competition. We may also hold details of marketing preferences.
We may hold contact details (name, job title, email, telephone) for school staff as well as marketing preferences.
MERiT/Optional Tests subscribers
In addition to school staff contact details we may hold data regarding pupils. The following is mandatory for pupils whose data is uploaded to MERiT:
First name, surname, UPN, admission number, gender, date of birth, year group, registration group, teacher name, class name/code, supervisor name
However the following data is optional and if uploaded is used to provide enhanced reports:
Middle name, ethnicity, eligibility for free school meals, FSM6, Pupil Premium indicator, SEN status, in LEA care.
How long will Doublestruck retain data?
Our data retention policy is currently being updated and will shortly be available for you to read as part of our terms and conditions. Essentially this will say that, unless requested otherwise, we will retain teacher/pupil personal data in a readable format for the remainder of the academic year in which the subscription lapses and for one year afterwards, to facilitate re-subscription. Thereafter personal data will be anonymised. However, on request, data can be anonymised immediately upon termination of the subscription or at any time thereafter.