On the 25th May 2018, the General Data Protection Regulation (GDPR) comes into effect, and all schools, businesses and other organisations are busy working to ensure that they are compliant.
As an online company, we are both a data controller and a data processor, meaning that we need to get it right first time and make sure that we do the right thing for our customers, our employees and third parties we work with.
Not only are we getting things in place for the GDPR, but we have also just achieved ISO 27001:2013 accreditation, which is the international best practice standard for information security. The core of ISO is to ensure the ongoing confidentiality, integrity and availability of information. This accreditation has helped us identify our requirements for the GDPR, implement appropriate data protection policies, procedures and training, and ensure ongoing review.
Cornerstones protects all information through:
- maintaining security measures for our team members e.g. screening and regular training
- technical security measures e.g. intrusion detection, firewalls, monitoring
- encryption of personal data
- restricted access to personal data
- protection of our physical premises and hard assets
- a data-loss prevention strategy and regular testing of our security posture.
Like many companies, we’ve been waiting for guidance to be issued by the ICO and EU’s Article 29 Working Party to help us plan and prepare for the GDPR. We recognise we can’t wait until all guidance has been released to implement our changes, so we have been pragmatic in making changes now and will continue to review our implementation with guidance as it becomes available.
So what have we already done for GDPR?
- Updated our Data Protection Policy, Privacy Statement and Terms and Conditions.
- Upgraded our servers to improve the encryption that we use when storing data.
- Moved our CRM system to EU based servers.
- Initiated ongoing monthly training for our staff on the importance of information security and data protection.
- Begun the process of reducing the amount of data we collect and process to the minimum required to provide access to our resources and services.
- Initiated our plans to transfer more access and control to the user over their account.
Giving you the right to manage your details, and the right to be forgotten.
We’re asking all our schools to nominate a Cornerstones Platform Administrator to limit the amount of data sent between your school and Cornerstones.
They’ll have the responsibility for:
- maintaining an up-to-date list of current users
- creating and managing new users
- immediately disabling each account when users leave the school
- ensuring that all users are aware of the terms of the agreement signed by the school.
To nominate your Cornerstones Platform Administrator, please contact firstname.lastname@example.org or call 03333 20 8000 to speak to our Online Support Team.
Whenever we collect any information from you, or when you register to use Cornerstones Online, you will be given the option to ‘opt-in’ to additional communications. For more information about the data we collect, and what we do with it, please read our Privacy Statement which is available on our website www.csedu.co.uk.
Cornerstones implementation timeline
Our Information Security Group are well on the way to making sure Cornerstones is compliant with the GDPR. We’ve still got a little way to go, but we’re confident we’ll meet the deadline.
- Initial awareness and training – Sept–Dec 2017 ✔
- Comprehensive key staff training – Jan 2018 onwards ✔
- Completion of information asset register – Jan–Feb 2018 ✔
- Risk management approach agreed – Jan–Feb 2018 ✔
- Policies and procedures written and approved – Feb–Mar 2018 ✔
- Terms and conditions and privacy statement updated – March 2018 ✔
- Technical updates to all websites to include user management – March 2018 ✔
- Cyclical training programme for all staff deployed – April 2018 ✔
- ISO27001:2013 accreditation achieved – April 2018 ✔
- Communication to all customers and technical updates launched – April 2018 ✔
- GDPR compliant – May 2018
- Ongoing risk assessment, treatment and review – June 2018 onwards
If you have any questions regarding our progress towards becoming GDPR compliant or our ISO27001:2013 accreditation, or would like to nominate your Cornerstones Platform Administrator, please contact our Online Support Team on 03333 20 8000 or email email@example.com.
You can download a copy of our GDPR compliance plan here.