fbpx

Welcome to Renaissance Learning’s GDPR Compliance & Brexit Overview

Updated: 11 March, 2019

The overview that follows provides what we at Renaissance Learning and myON by Renaissance (collectively, “Renaissance”) hope are helpful insights and information about our General Data Protection Regulation (“GDPR”) compliance efforts and, when relevant, how we can help you meet your GDPR compliance obligations. We also address the potential implications of the United Kingdom’s (“UK”) decision to leave the European Union on or after 29 March 2019 (“Brexit”).

The GDPR went into effect on 25 May, 2018. The GDPR is the European Union’s (“EU”) new data-protection framework. The GDPR builds on the EU’s data protection framework in place since 1995. Renaissance welcomed the GDPR as embodying many of the data-protection philosophies it holds as an organization. The GDPR provides for stricter limits on processing of personal data, significantly expands the rights of EU residents over their data, and provides for increased transparency regarding the use of EU residents’ data. All of this adds up to greater rights privacy rights for individuals in the EU.

Brexit will have some impact on all companies operating in or from the UK. Renaissance has been following Brexit closely and the implications for our business and for our customers. Renaissance has been working hard to ensure we will be able to continue the smooth flow of personal data between and among, where relevant, the EU, UK, and United States. Renaissance has contingencies in place for each potential outcome: a “no deal” Brexit or a “deal” Brexit. Finally, Renaissance is committed to complying with whatever data protection law the UK enacts to mirror the protections of the GDPR post Brexit.

If after reading this and Renaissance Learning’s privacy policy you still have questions, please contact our Data Protection Officer at privacy@renaissance.com.

Renaissance is committed to GDPR compliance

Beyond Renaissance’s commitment to the GDPR, navigating the GDPR requires cooperation and communication between data controllers, processors, and data subjects. We have carefully examined the provisions of the GDPR applicable to Renaissance and our applications, and we are closely tracking applicable GDPR guidance issued by regulatory authorities. This allows us to give school administrators, students and their parents the tools necessary to be able to enjoy a GDPR-compliant use of Renaissance’s applications.

GDPR overview

As a regulation instead of a directive, the GDPR is enforceable as law in all EU member states and aims to harmonize the separate member state implementations of data protection laws, streamlining compliance by providing a single set of principles to follow. While there are a great number of resources available regarding GDPR, we recommend governmental resources. To that end and for a more detailed overview, please see https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/ or https://www.dataprotection.ie/en/dpc-guidance.

Renaissance’s GDPR Compliance Journey

Renaissance understands that handling your data requires trust, and we have long been committed to maintaining that trust. We, like many of our customers, started from a strong position on data security and data processing and adjusted to the GDPR. What follows is an overview of just some of the steps we took to be ready for the GDPR.

Our GDPR compliance journey started by gathering a team of experts within the company from legal, information security, product engineering, marketing, and sales – both in the United Kingdom and the United States – to specifically address the GDPR’s new requirements. We then appointed a Data Protection Officer to oversee Renaissance’s GDPR compliance program.

Then, over the next several months, Renaissance underwent a comprehensive, detailed analysis of our data handling and security practices. We then took our findings and laid them against the GDPR’s requirements and current guidance from the relevant regulators to assess whether they met the requirements or whether further attention may be required.

Since completing that analysis, we have updated a internal procedures and revised our customer-facing policies and notices. Here is our revised privacy policies document, for both the website and our applications.

You have Renaissance Learning’s commitment to operate within the GDPR’s requirements and to continue to work with our customers to ensure they have the information they need to be ready as well.

Frequently Asked Questions about Personal Data

What is Personal Data?

The GDPR defines Personal Data broadly to include any of the following information relating to an identified or identifiable person. There is no distinction between a person’s private, public, or work roles. Personal data can include:

Identity

  • Name
  • Home address
  • Work address
  • Telephone number
  • Mobile number
  • Email address
  • Passport number
  • National ID card
  • National Insurance Number (or equivalent)
  • Driver’s license
  • Physical, physiological, or genetic information
  • Medical information
  • Cultural identity

Online Artefacts

  • Social media posts
  • IP address (EU region)
  • Location / GPS data
  • Cookies

It is important to note that Renaissance does not process all of these types of Personal Data in the context of our applications, and the list of processed Personal Data may vary slightly from school to school. Please refer to your parameters set at implementation for the definitive list. Our website privacy policy discloses the type of online artefacts that we may collect and the conditions surrounding that collection. However, Renaissance’s policy is only to collect data absolutely necessary for our products to work or that our customers request we process.

How long does Renaissance Learning maintain our Personal data?

Our GDPR data retention policies are set forth in the respective privacy policies.

Where is Personal data stored?

Personal data collected in the context of our Renaissance applications is stored in our secure servers in the United States. It is important to remember that the GDPR does not contain any obligation to store information only in Europe. However, transfers of European personal data outside the European Economic Area (“EEA”) generally require that a valid transfer mechanism be in place to protect the data once it leaves the EEA (See Chapter V, Articles 44-50). Renaissance Learning is GDPR ready by adhering to the EU-US Privacy Shield Framework and other mechanisms.

Personal data collected in the context of myON products is stored on an Amazon Web Services (“AWS”) server in the United Kingdom, but is accessed by our research and product teams in the United States. As a result, we treat AWS-housed data Personal Data as if it was transferred to the United States and on this issue comply with the EU-US Privacy Shield Framework and other relevant mechanisms.

EU – U.S. Privacy Shield
Renaissance Learning (including myON) participates in and complies with the EU-U.S. Privacy Shield Framework (the “Framework”). That means, that in addition to the GDPR strictures, Renaissance has certified that it adheres to the Privacy Shield Principles of Notice; Choice; Accountability for Onward Transfer; Security; Data Integrity and Purpose Limitation; Access; and Recourse, Enforcement and Liability. To learn more about the Privacy Shield Framework, visit www.privacyshield.gov. To view our certification, visit the U.S. Department of Commerce’s Privacy Shield List. If you have questions about our participation in the Privacy Shield program or have a complaint, please send an email to privacy@renaissance.com.

Other GDPR FAQs

For some companies, the GDPR will change the way data is collected, as well as how those companies obtain, document, and manage the legal basis for processing. Below is an overview of some of the key GDPR requirements and how Renaissance address them, where applicable. Please note that other questions, such as school control of data, what information Renaissance collects, how that data is used, and how in limited circumstances Renaissance may share that information are addressed in our application privacy policy, found at: http://www.renlearn.co.uk/privacy. As always, if you have any questions, please do not hesitate to contact our Data Protection Officer at privacy@renaissance.com.

Key Requirements Brief Description and Renaissance Learning’s Position
Data Protection by Design and Default Controllers (schools) and Processors (Renaissance) must incorporate data protection into new products and services that involve processing of personal data and consider data protection issues in all business decisions. Renaissance Learning does and will adhere to this principle.
Lawfulness of Processing Processing must be based on one of a number of different lawful bases, such as consent, performance of a contract, legal obligation, protection of vital interests, tasks carried out in the public interest, or legitimate interest balanced against the fundamental rights of data subjects. Where Renaissance Learning is the processor, it defers to its customers to provide the lawful basis for collection and processing as the data controllers under the GDPR.
Conditions for Consent In those situations where consent is required, consent must be freely given, specific, informed and unambiguous. Where Renaissance Learning is the processor, it defers to its customers as the data controllers under the GDPR for securing any required consents. Further details regarding consent can be found in the agreements between you and Renaissance Learning.
Security of Processing Keeping Personal Data secure is important, and the GDPR requires that Controllers and Processors implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Renaissance Learning takes the security of the Personal Data it processes seriously and follows the leading industry standards for data security. Further details can be provided upon request.
Data Subject Rights & Information Articles 13 & 14 of the GDPR set forth requirements related to Data Subjects’ Rights. Renaissance Learning is equipped to assist its customers with their obligations with these new Data Subject Rights. Please contact your Renaissance representative or our Data Protection Officer at privacy@renaissance.com
Data Protection Impact Assessments Where a particular type of processing is likely to result in a high risk to the rights and freedoms of natural persons, Controllers must carry out assessments of the impact of the envisaged processing operations on the protection of personal data prior to the processing of the Personal Data. Renaissance Learning will assist its customers — the Data Controllers — in the event they determine that a DPIA is required.
Data Protection Officer Where a Controller’s and Processor’s core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or the large-scale processing of special categories of data must appoint a Data Protection Officer. Renaissance Learning has appointed a Data Protection Officer, who can be reached at privacy@renaissance.com with any questions. Additional contact information can be provided upon request.
Controller-Processor Relationships Binding contracts that set forth the terms of process to be performed and provide Controllers the right to object to Sub-Processors engaged by the Processors are required between Controllers and Processors.
Data Breach Reporting The GDPR imposes new requirements related to breach notifications. The GDPR requires that, where feasible, the Controller shall notify the relevant Supervisory Authority within 72 hours after becoming aware of a breach involving Personal Data. If there is a likely high risk to the rights and freedoms of natural persons, the affected data subjects will be notified without undue delay. Renaissance Learning is ready for its obligations here as well, in the unlikely and unfortunate event it is necessary. We will also assist its customers in complying with their obligations related to data breach notification.

If you are an existing customer and have not received or are having trouble locating our email with the GDPR-ready contract addendum and would like one immediately, please download and sign the agreement at this link and email the signed document to privacy@renaissance.com.

Brexit Update (as of 11 March 2019)

Renaissance has been following closely the various potential outcomes of Brexit. While there will be little immediate change from a data-compliance perspective under situations where the UK leaves the EU in a negotiated fashion, if there is no deal, compliance mechanisms will vary depending on the situation. See the table below for more information:

Personal Data Origination Personal Data Recipient Country What this means under a “No Deal” Brexit
European Union United Kingdom (e.g., myON UK AWS server, customer support, sales, similar functions) Until the EU makes an adequacy decision with respect to the UK, transfers shall be made in accordance with GDPR Article 49(1)(c), Derogations for Specific Situations or, if requested by a school, under model clauses
European Union United States (e.g. Renaissance products; support functions for myON UK) No impact – EU-US Privacy Shield still applies to EU to US personal data transfers
United Kingdom European Union No impact on personal data transfers
United Kingdom United States EU-US Privacy Shield applies, with slight modifications (see https://www.privacyshield.gov?id=Privacy-Shield-and-the-UK-FAQs).