Welcome to Renaissance Learning’s GDPR Compliance Overview
Updated 22 May, 2018
The overview that follows provides what we at Renaissance Learning (“Renaissance”) hope are helpful insights and information about our General Data Protection Regulation (“GDPR”) compliance efforts and, when relevant, how we can help you meet your GDPR compliance obligations.
The GDPR goes into effect on 25 May, 2018. The GDPR is the European Union’s (“EU”) new data-protection framework. The GDPR builds on the EU’s data protection framework in place since 1995. Renaissance welcomes the GDPR as embodying many of the data-protection philosophies it holds as an organization. The GDPR provides for stricter limits on processing of personal data, significantly expands the rights of EU residents over their data, and provides for increased transparency regarding the use of EU residents’ data. All of this adds up to greater rights privacy rights for individuals in the EU.
Renaissance is committed to GDPR compliance
Beyond Renaissance’s commitment to be in compliance with GDPR by 25 May 2018, navigating GDPR will require cooperation and communication between data controllers, processors, and data subjects. We have carefully examined the provisions of the GDPR applicable to Renaissance and our applications, and we are closely tracking applicable GDPR guidance issued by regulatory authorities. This will allow us to have the tools that will allow school administrators, students and their parents to be able to enjoy a GDPR-compliant use of Renaissance’s applications.
As a regulation instead of a directive, the GDPR becomes enforceable as law in all EU member states and aims to harmonize the separate member state implementations of data protection laws, streamlining compliance by providing a single set of principles to follow. While there are a great number of resources available regarding GDPR, we recommend governmental resources. To that end and for a more detailed overview, please see https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/.
Renaissance’s GDPR Compliance Journey
Renaissance understands that handling your data requires trust, and we have long been committed to maintaining that trust. We, like many of our customers, have been actively preparing for the GDPR for quite some time and started from a strong position on data security and data processing. What follows is an overview of the steps we have taken to be ready for the GDPR.
Our GDPR compliance journey started by gathering a team of experts within the company from legal, information security, product engineering, marketing, and sales – both in the EU and the United States – to specifically address the GDPR’s new requirements. We then appointed a Data Protection Officer to oversee Renaissance’s GDPR compliance program.
Then, over the next several months, Renaissance underwent a comprehensive, detailed analysis of our data handling and security practices. We then took our findings and laid them against the GDPR’s requirements and current guidance from the relevant regulators to assess whether they met the requirements or whether further attention may be required.
Since completing that analysis, we have updated a number of internal procedures and revised our customer-facing policies and notices. You can find our revised privacy policies, for both the website and our applications, here. Additionally, customers will be receiving a data processing addendum that formalizes our commitment, as your data processor, to comply with the GDPR’s requirements. Those addendums will be emailed out to customers in batches starting on 8 May and continuing through the 18th of May. If you are an existing customer and have not received or are having trouble locating our email with the GDPR-ready contract addendum and would like one immediately, please download and sign the agreement at this link and email the signed document to firstname.lastname@example.org.
At the end of this journey will be Renaissance Learning’s commitment to be ready for GDPR’s requirements and to continue to work with our customers to ensure they have the information they need to be ready as well.
Frequently Asked Questions about Personal Data
What is Personal Data?
The GDPR defines Personal Data broadly to include any of the following information relating to an identified or identifiable person. There is no distinction between a person’s private, public, or work roles. Personal data can include:
- Home address
- Work address
- Telephone number
- Mobile number
- Email address
- Passport number
- National ID card
- National Insurance Number (or equivalent)
- Driver’s license
- Physical, physiological, or genetic information
- Medical information
- Cultural identity
- Social media posts
- IP address (EU region)
- Location / GPS data
How long does Renaissance Learning maintain our Personal Data?
Our GDPR-compliant data retention policies are set forth in the respective privacy policies.
Where is Personal Data stored?
Personal Data collected in the context of our applications is stored in our secure servers in the United States. It is important to remember that the GDPR does not contain any obligation to store information only in Europe. However, transfers of European personal data outside the European Economic Area (“EEA”) generally require that a valid transfer mechanism be in place to protect the data once it leaves the EEA (See Chapter V, Articles 44-50). Renaissance Learning is GDPR ready by adhering to the EU-US Privacy Shield Framework and other mechanisms.
EU – U.S. Privacy Shield
Renaissance participates in and complies with the EU-U.S. Privacy Shield Framework (the “Framework”). That means, that in addition to the GDPR strictures, Renaissance has certified that it adheres to the Privacy Shield Principles of Notice; Choice; Accountability for Onward Transfer; Security; Data Integrity and Purpose Limitation; Access; and Recourse, Enforcement and Liability. To learn more about the Privacy Shield Framework, visit www.privacyshield.gov. To view our certification, visit the U.S. Department of Commerce’s Privacy Shield List. If you have questions about our participation in the Privacy Shield program or have a complaint, please send an email to email@example.com.
Other GDPR FAQs
|Key Requirements||Brief Description and Renaissance Learning’s Position|
|Data Protection by Design and Default||Controllers (schools) and Processors (Renaissance) must incorporate data protection into new products and services that involve processing of personal data and consider data protection issues in all business decisions. Renaissance Learning does and will adhere to this principle.|
|Lawfulness of Processing||Processing must be based on one of a number of different lawful bases, such as consent, performance of a contract, legal obligation, protection of vital interests, tasks carried out in the public interest, or legitimate interest balanced against the fundamental rights of data subjects. Where Renaissance Learning is the processor, it defers to its customers to provide the lawful basis for collection and processing as the data controllers under the GDPR.|
|Conditions for Consent||In those situations where consent is required, consent must be freely given, specific, informed and unambiguous. Where Renaissance Learning is the processor, it defers to its customers as the data controllers under the GDPR for securing any required consents. Further details regarding consent can be found in the agreements between you and Renaissance Learning.|
|Security of Processing||Keeping Personal Data secure is important, and the GDPR requires that Controllers and Processors implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Renaissance Learning takes the security of the Personal Data it processes seriously and follows the leading industry standards for data security. Further details can be provided upon request.|
|Data Subject Rights & Information||Articles 13 & 14 of the GDPR set forth requirements related to Data Subjects’ Rights. Renaissance Learning is equipped to assist its customers with their obligations with these new Data Subject Rights.|
|Data Protection Impact Assessments||Where a particular type of processing is likely to result in a high risk to the rights and freedoms of natural persons, Controllers must carry out assessments of the impact of the envisaged processing operations on the protection of personal data prior to the processing of the Personal Data. Renaissance Learning will assist its customers — the Data Controllers — in the event they determine that a DPIA is required.|
|Data Protection Officer||Where a Controller’s and Processor’s core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or the large-scale processing of special categories of data must appoint a Data Protection Officer. Renaissance Learning has appointed a Data Protection Officer, who can be reached at firstname.lastname@example.org” with any questions. Additional contact information can be provided upon request.|
|Controller-Processor Relationships||Binding contracts that set forth the terms of process to be performed and provide Controllers the right to object to Sub-Processors engaged by the Processors are required between Controllers and Processors. If you are an existing customer, by 22nd May 2018, you or someone in your organization should have received a data processing addendum to execute, but if not, please contact email@example.com. New customers will have the processing-related contract requirements embedded in their terms of service.|
|Data Breach Reporting||The GDPR imposes new requirements related to breach notifications. The GDPR requires that, where feasible, the Controller shall notify the relevant Supervisory Authority within 72 hours after becoming aware of a breach involving Personal Data. If there is a likely high risk to the rights and freedoms of natural persons, the affected data subjects will be notified without undue delay. Renaissance Learning is ready for its obligations here as well, in the unlikely and unfortunate event it is necessary. We will also assist its customers in complying with their obligations related to data breach notification.|
If you are an existing customer and have not received or are having trouble locating our email with the GDPR-ready contract addendum and would like one immediately, please download and sign the agreement at this link and email the signed document to firstname.lastname@example.org.