As a client of Technolutions, we want to assure you that the privacy and security of your data is our highest priority. Below is our statement of assurance to you regarding our commitment to GDPR compliance:
To adhere to the GDPR requirement that a data controller (our Client) appoints the processor (Technolutions) in the form of a written agreement, we have prepared a Data Processing Addendum for our clients to use. This will ensure that relevant requirements are in place to address issues such as the type of personal data involved and the nature and purpose of your disclosure of such personal data to us.
In the event Client is a "controller" or "processor" as defined by the European Union General Data Protection Regulation 2016/679 (the "GDPR"), Client shall execute Provider's Data Processing Addendum prior to commencing use of the Services. Client acknowledges and agrees that it is solely responsible for determination of its status pursuant to the GDPR and any requirement of it to enter into the Data Processing Addendum.
The Data Processing Addendum (US-based customers, EU-based customers) has already been signed by Technolutions, and the countersigned agreement may be returned to firstname.lastname@example.org. The Data Processing Addendum can also be downloaded from the attachments section at the end of this article.
GDPR grants individuals certain rights with respect to their personal data. Technolutions has developed processes for ensuring that these rights are fulfilled, including with respect to:
- Handling requests for access to personal data and corrections to data;
- Obtaining consent;
- Managing requests to restrict processing;
- Objections to direct marketing;
- The right to be "forgotten" and the deletion/destruction of personal data; and
- Responding to personal data portability requests.
Technolutions has implemented a robust data security program. GDPR requires us to notify you of data breaches without undue delay. Technolutions has processes and procedures in place for identifying, investigating, and promptly reporting data breaches to our clients. In the unlikely event a data breach were to occur, we will provide you with the information and support you need to fulfill your legal obligations.
What is the GDPR?
The GDPR is a holistic set of data privacy requirements that addresses the life cycle of collection, use and disclosure of the "personal data" of European Union ("EU") residents.
What is "personal data"?
Personal data is any information relating to an identified or identifiable person. An identifiable person is one who can be identified, directly or indirectly, by reference to an identifier such as email address, location, or an online identifier like IP address.
When does the GDPR take effect?
May 25, 2018.
How does an organization become subject to the GDPR?
Generally speaking, organizations may become subject to the GDPR in one of two ways: (i) by having an "establishment" in the EU, and/or (ii) by processing the personal data of EU residents. Each of these is explored further in the FAQs below.
How might an organization have an "establishment" in the EU?
An organization may be located in an EU country, or may have a satellite campus, research center or study abroad facility in an EU country. It may also employ admissions or recruitment staff in the EU or maintain an office there.
How might an organization process the personal data of EU residents?
Organizations based in an EU country will process the personal data of their EU resident employees, students and faculty members. In addition, clients not based in an EU country may process the personal data of EU residents through, for example, receiving applications for admission from EU residents, seeking donations from alumni or friends living in the EU, or hosting study abroad students from the EU at their institution.
What is a "data controller"?
A "data controller" is the organization that controls how the personal data of EU residents is used, disclosed or otherwise processed. Generally, if you are the owner of the data, you are the data controller. If subject to GDPR, most organizations will be "data controllers" under the law.
What is a "data processor"?
A data processor is an organization that uses or maintains the personal data of EU residents to perform a service for or on behalf of a data controller. Said another way, when a data controller gives the personal data of EU residents to a vendor to store, analyze or use as part of a contract, that vendor becomes the "data processor."
How will I know if my organization is subject to the GDPR?
Many organizations have determined that they are subject to the GDPR. The basis for the determination varies by institution - some may operate a satellite campus in the EU, others operate study abroad programs there and still others may employ staff in the EU, such as recruitment or development staff. We encourage our clients to work with their legal counsel to determine if and how their institution should comply with the GDPR.
My organization is outside the European Union. Do I really need to worry about this law?
The GDPR purports to apply to any organization, anywhere in the world, which has an establishment in the EU or which processes the personal data of EU residents.
That said, we recognize that each of our clients is unique, and thus have different degrees of operations in the EU and exposure to the personal data of EU residents. We encourage our clients to work with their legal counsel to determine the most appropriate path forward for your institution. Once you do, we will be ready to support you.
My institution may enroll one or more European Union citizens, but we don't have any operations or activities in the European Union. Are we subject to GDPR?
Determining whether GDPR applies to your institution is no easy task, and we encourage you to work with your counsel to evaluate your institution's particular situation. However, we have some general advice to assist you in evaluating your obligations.
Generally speaking, GDPR applies to two types of institutions: (i) those established in the European Union (i.e. consistent and ongoing activity in the European Union); and (ii) those not established in the European Union (i.e. institutions operating exclusively in the United States, Canada, etc.) which process the personal data of individuals located in the European Union in connection with offering those individuals goods or services.
The GDPR's application is not citizenship-based. This means that the law would not apply to a U.S.-based institution solely because the institution interacts with or collects the data of a European Union citizen located in the United States (e.g., an institution in the United States, with no establishment in the European Union, which enrolls a United States resident with European Union citizenship).
Is Technolutions a "data processor"?
Yes. When a "data controller" client uses a Technolutions product, such as Slate for Advancement or Slate for Admissions, Technolutions acts as the client's "data processor."
What does the GDPR say about sending the personal data of EU residents to "data processors" such as Technolutions?
Under the GDPR, whenever a data controller engages a data processor, the data controller needs to have a written contract in place. The contract must include several key terms required by the GDPR, including requiring the data processor to act only on the written instructions of the data controller and ensure that the data processor’s employees are subject to a duty of confidence.
Technolutions has prepared a Data Processing Addendum for our clients to use to fulfill this requirement. See Assurance of Compliance for more information.
Will Technolutions be GDPR-compliant when the GDPR comes into effect?
Yes. We take the privacy and security of our clients’ data very seriously and have been working with a team of professionals to ensure that our products and processes are GDPR compliant. When GDPR comes into effect, we will be ready.
Right to be informed
After May 25, 2018, organizations may be required to obtain an EU resident's consent prior to collecting their personal data. When doing so, the consent must, among other things, spell out clearly the purpose of collecting their data, how long the organization will retain it, and with whom the organization will share it.
When collecting consent, privacy information should be provided at that time. If an organization obtains personal data indirectly from third parties, the organization may need to provide privacy information to each individual within a month of receiving and processing that data.
If an organization determines that it is necessary to collect consent, it can enable a "Form Consent" feature in Slate, which inserts an interstitial popup between clicking "Submit" on a form and the submission of that form and its data, in order to obtain the necessary consent. There is also a "Ping Consent" feature that inserts an interstitial popup on the first page load of a site using Ping. These tools provide a straightforward and consistent method to capture consent and to disclose an organization's privacy policies. Organizations may also determine that they can use "legitimate interest" as their lawful basis. These determinations should be made in consultation with an organization's legal counsel, and such guidance may evolve over time.
- Access the Configuration Keys tool under the Database section.
- Add keys for "Privacy and Data Protection - Form Consent Text" and "Privacy and Data Protection - Ping Consent Text" with a text representation of your privacy policies.
- Add keys for "Privacy and Data Protection - Form Consent Countries" and "Privacy and Data Protection - Ping Consent Countries" with a comma-separated list of the Slate country codes for which consent should be obtained.
  - To apply to all countries, enter ALL
  - To apply to all EU/EEA countries, enter EEA
  - To apply to EU/EEA and specific other countries, such as Canada (CA), enter EEA,CA
This tool can be configured now and will become active shortly before May 25, 2018.
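The steps above only say what may be entered into the "Consent Countries" keys (ALL, EEA, or a code list such as EEA,CA). The following is an added illustration, written for this article and not Technolutions or Slate code, of how such a value could be turned into a per-visitor decision about whether to show a consent interstitial. It assumes ISO 3166-1 alpha-2 country codes (the page only says "Slate country codes"), treats the EEA alias as the May 2018 membership (the EU-28 including the United Kingdom, plus Iceland, Liechtenstein and Norway), and deliberately fails closed: when the key is configured but the visitor's country cannot be resolved, the popup is shown rather than skipped.

```python
"""Hypothetical evaluation of a "Consent Countries" configuration value.

Added example for illustration only; not Technolutions/Slate code.
Assumptions: ISO 3166-1 alpha-2 codes, and "EEA" expanding to the 2018
EEA membership. The real Slate implementation is not described on the page.
"""
from __future__ import annotations

# Assumed alias expansion: EU member states as of May 2018 plus the three
# non-EU EEA members. Constructed for this example.
EEA_2018 = frozenset({
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "GB",           # EU-28 (UK still a member in 2018)
    "IS", "LI", "NO",                 # EEA members outside the EU
})


class ConsentPolicy:
    """Parses one comma-separated country list and answers
    'does this visitor need the consent interstitial?'."""

    def __init__(self, key_value: str) -> None:
        # Normalise the list: trim whitespace, upper-case, drop empty
        # entries so "eea, ca," parses the same as "EEA,CA".
        tokens = [t.strip().upper() for t in key_value.split(",")]
        tokens = [t for t in tokens if t]
        self.enabled = bool(tokens)            # empty key = feature not configured
        self.all_countries = "ALL" in tokens
        codes: set[str] = set()
        for token in tokens:
            if token == "ALL":
                continue
            if token == "EEA":
                codes |= EEA_2018
            elif len(token) == 2 and token.isalpha():
                codes.add(token)
            else:
                # Reject anything that is not an alias or a two-letter code,
                # so a typo in the key is caught at load time, not at runtime.
                raise ValueError(f"unrecognised country token: {token!r}")
        self.codes = frozenset(codes)

    def requires_consent(self, country_code: str | None) -> bool:
        """country_code is whatever geolocation produced, or None when the
        lookup failed. Fails closed: unknown country -> show the popup."""
        if not self.enabled:
            return False
        if self.all_countries:
            return True
        if not country_code:
            return True
        return country_code.strip().upper() in self.codes


def is_valid_policy(key_value: str) -> bool:
    """True if the key value parses; lets a config check run before saving."""
    try:
        ConsentPolicy(key_value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: the page's own "EEA,CA" value and a few visitor
    # geolocation results, including one failed lookup (None).
    policy = ConsentPolicy("EEA,CA")
    for visitor in ["DE", "ca", "US", "NO", None]:
        print(f"{visitor!r:6} -> consent required: {policy.requires_consent(visitor)}")
```

Two design points worth noting: the parser rejects malformed tokens when the key is loaded, so a typo in the configuration value surfaces immediately rather than silently exempting a country; and the fail-closed branch for an unresolved country trades a few unnecessary popups for never skipping consent where it was required.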
Right to erasure or "right to be forgotten"
An EU resident will be able to request that their personal data be erased. Slate provides tools to anonymize an individual's data, removing any personally identifiable information.
Refer to our GDPR guide on data anonymization for more detail, and for further considerations on the need for an anonymization process.
Right to data portability
EU residents will have a right to obtain the personal data that they have provided to you and re-use it elsewhere. In Slate, you will need to export their data in a format that they can use, for example, as a spreadsheet.
Right of access
EU residents will have the right to access their personal data that was provided to you and to receive a confirmation from you that you are processing this data.
The easiest way to do this in Slate is to give them a copy of their data by exporting it in a common format, such as a spreadsheet.
Right to rectification
EU residents will be entitled to request that inaccurate personal data be rectified. When you receive such a request, the simplest route is to update their record in Slate.
Right to restrict processing
An individual resident in the EU can, after May 25, request to have the processing of their data temporarily restricted. This means that you can continue to store it, but that you must stop using it for now.
The current recommendation is to add and set a "Restrict Processing" tag in addition to an "Opt Out Tag" to achieve the goals of this restriction. This recommendation may evolve further with time.
Right to object
An individual living in the EU will be able to object to their data being processed for certain purposes such as direct marketing. In Slate, you can set an Opt Out tag for a person to cease all further communications.
Rights related to automated decision making including profiling
Under the GDPR, there are restrictions on automated decision making and profiling of individuals. Automated, in this case, means without any human involvement whatsoever, for example, making a decision on a loan or predicting an individual's behavior. If you are performing such work, you should become familiar with these restrictions.
See "Restrict processing" section above for tool details.
Ping records web accesses and associates this access history with users. As Ping records data that under the GDPR is classified as personally identifiable, EU residents must explicitly consent to Ping being used. Technolutions has enhanced Ping with a consent pop-up that will appear for users from the EU, based on IP address. In addition, if a user refuses consent, Ping will stop tracking that user.
See "Consent" section above for tool details.
For those of our clients seeking additional information about GDPR and its requirements, you may find the following websites useful. Please note that these links are to third-party sites not hosted by or affiliated with Technolutions.
- Guide to the General Data Protection Regulation (GDPR), a website sponsored by the Information Commissioner's Office, the United Kingdom’s independent authority set up to uphold information rights.
- GDPR, a website sponsored by Ireland's Data Protection Commissioner.
- Data Protection, a website sponsored by the European Commission, which includes links to the full text of the GDPR.
If you have specific additional questions, you may submit a request to the Service Desk category Security/Permissions and it will be routed to our IT and legal teams within Technolutions.
The information provided by Technolutions is for general guidance and informational purposes only. It should not be taken for, nor is it intended as, legal advice. We emphasize that there is no substitute for organizations making their own detailed investigations or seeking their own legal advice if they are unsure about the implications of the GDPR on their organizations. While we have made every effort to ensure that the information provided to you is correct and up to date, Technolutions makes no promises as to completeness, and the information is delivered on an "as is" basis without any warranties, express or implied. Technolutions will not accept any liability for errors or omissions and will not be liable for any damage arising from the use of or reliance on this information or information made available through third party websites, or from any action or decisions taken as a result of using this information or the information made available through third party websites.