With just 1 month left until GDPR comes into effect, I thought I’d give you all a quick update on where we are on our journey to compliance.
I was at a conference recently which focussed on GDPR and data security. Exciting stuff! Here are two interesting quotes I wrote down:
“Compliance is a journey, not a destination”
“Compliance is not binary”
I like these quotes because they remind me that being compliant with GDPR is not something we tick some boxes on and then that’s it sorted. It’s a change in attitude and process. We’ll always be working on GDPR compliance.
Motional as Data Processor
We have two roles in terms of GDPR – we are a Data Processor for information about Participants, Snapshots, Results, Programs, and Reports. We don’t decide whether you collect or input information about your Participants; we just store it and do exactly what you ask us to do with it. You (or your Team Admin, or possibly your manager or Director) are the Data Controller. That comes with a lot of responsibility, and it’s likely that your wider Team (i.e. not just those with access to Motional) has a Data Protection Officer.
Article 5(2) requires that:
“the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
It is the Data Controller’s duty to ensure there is a legal ground for processing the data. I think schools have a very interesting situation here, as there are only certain reasons you can have for Processing data, and particularly “special category” data, and likewise for processing children’s data. So processing special category data about children is pretty much the most protected thing in GDPR. Quite rightly. If you’re using Motional in a school setting I think there are a couple of arguments here about which grounds you’d use (explicit consent is just one), but that’s a whole other blog post, so I’ll leave it here for now.
Back to our journey.
As Data Controllers you have to have a contract with any Processor you engage. We have an agreement drafted, and I’m building it into the website so you can fill in your team details and download a PDF contract signed by me. Where we use other companies to help us process that data (Sub-Processors), we become Data Controller in our relationship with them, and are still liable to you for their performance. Currently we are signing Processor agreements with these companies. There are only a couple of them, and they’ll be listed in our Processor Agreement with you. A few of you have asked for this Processor Agreement already (thank you – you’re ahead of the curve), and we’ll manually get these out to you so you’re not waiting for the website update.
Other Legal Docs
As I mentioned previously, you as Data Controllers have a lot of responsibilities. I’m going to make it as easy as possible for you to fulfil those. For example: by giving you a sample consent form (if that’s the legal basis for processing your data) to give to parents; and by having built-in tools to handle subject access requests and other rights of the Data Subject (in your case the children whose data you’re entering into Motional), such as the right to be forgotten.
Motional as Data Controller
We are the Controller for data about our users – so as a member of Motional we hold your name, email address, workplace, and possibly job title and phone number. The basis for processing your data is mostly so we can fulfil our contract to provide you with services. Where we send you an email or message telling you about new features or training we’re offering, that probably falls under legitimate interests.