If in doubt regarding a customer GDPR query, point a customer first to the GDPR section of the support hub and second to me (dpo@irisconnect.co.uk)
There are 2 types of data
The main thing to understand is that when we talk about data, we could be talking about one of 2 types of data:
1) Customer Data
2) Company Data
Customer Data is held in the Web Platform. This is data the customer uploads, owns and controls. The customer is therefore the Data Controller of this data, and IRIS Connect is the Data Processor of this data.
Company Data is held in our internal systems such as Podio, Google Drive, Gmail, Mailchimp and HubSpot. We are the Data Controller of this data.
Task
1) Make sure you are happy with the terms Data Processor and Data Controller
2) Make sure you are happy with the 6 different Lawful Bases for processing
3) Make sure you know what we mean by Personal Data
The ICO's website has all these answers.
Customer Agreements
There are 2 agreements that a customer agrees to:
1) Organisation Administrator & Data Processing Agreement
(we have 2 versions of this: one for UK customers and the rest of the world, and one for EU customers)
The DPA is something that only Organisation Administrators need to agree to. It covers our commitments as Data Processor alongside the responsibilities of the Administrators. In this agreement, we commit to processing the customer's data in line with the requirements of GDPR.
2) EULA (End User Licence Agreement)
The EULA is something that all users on our platform must agree to in order to use the Web Platform. It is really useful to read (or at least skim) once, so you know what it contains.
These documents can be found on the GDPR section of the Support Hub
Personal Data & PII
GDPR is focused on protecting Personal Data, often loosely called PII (Personally Identifiable Information). Note that GDPR's definition of Personal Data is broader than the US notion of PII: it covers any information relating to an identified or identifiable living person, including things like online identifiers and pseudonymised data.
Customer Data
We have to demonstrate to our customers that we will keep their data safe. The steps we have taken are outlined in our Security Measures and Controls document.
Company Data
We have a Privacy Notice that explains to our users (both website and Web Platform users):
- what data we collect
- where we store it
- why we collect it
- for how long we keep it
Customers Responsibilities
1) Ensure any Data Processor they use (such as IRIS Connect) is compliant with GDPR (or their local equivalent data protection law)
We demonstrate our compliance through our policies (on the website), our security measures and our data security certifications (e.g. Cyber Essentials Plus, which we have to recertify for each year)
2) Ensure they are GDPR compliant with the data they are collecting, through:
- having a legal/lawful basis for collecting the data
- conducting a Data Protection Impact Assessment (DPIA) where one is required (processing likely to result in a high risk to individuals) or where they deem it useful
- updating their communications to their staff/parents/pupils about the data they are collecting, for example by updating their Privacy Notice
We have produced a customer compliance guide, which is also on the Support Hub.
Woah There!
Woah there indeed: Naughty! Go back and actually read those policies. I know you're trying to skip reading them.
Do I know these things?
- Where do I direct a customer with a GDPR enquiry?
- What is the difference between Customer Data and Company Data?
- What 2 agreements do customers agree to?
Any questions, ask Simeon!