The following explains the role of Newenglish Studio as a service provider in relation to the GDPR regulations, which come into force on 25th May 2018. If you wish to review our personal data policy for Newenglish Studio in regards to you as a client, please review our privacy policy.
Terminology and roles
GDPR defines a number of roles which determine responsibility and the guidelines for handling of personal data:
Data controller – A Newenglish Studio client, being the operator/owner of any website or application that Newenglish Studio has developed, hosts and/or supports.
Data processor (or data sub-processor) – Newenglish Studio, as we handle personal data in the course of providing our services.
Responsibility and obligations
All Newenglish Studio clients are responsible for their own adherence to GDPR. It is not the responsibility of Newenglish Studio to enforce or implement any rules or changes for data controllers (i.e. our clients). Newenglish Studio, as data processor, shall provide sufficient technical and organisational measures that meet the GDPR guidelines for data processors. This is to ensure that any handling of data on our clients’ behalf is confidential, secure and responsible. We may disclose data to service providers who render services to us or our clients, all of which are contractually obliged to act only on our instructions and in accordance with applicable laws including GDPR.
Website & application changes to become GDPR-compliant
The GDPR laws which have come into effect are globally impactful, being law in the UK and EU countries. Furthermore, other countries which serve UK and EU citizens are also required to adhere to the same guidelines. As such, any website, application or software developed prior to GDPR coming into effect on 25th May 2018 may require further changes to ensure compliance with the guidelines as they specifically apply to each client. These changes may be subject to additional investigation and development charges, as advised by Newenglish Studio on a case-by-case basis, due to the diverse rules and nature of each website/application/software.
Review and change process
The extent of changes required will depend on several factors:
The type of data captured and stored by your website/application/software (i.e. is it personally identifiable, is it sensitive)
The intended usage for that data (i.e. for order processing, marketing, promotions etc)
How the data is captured (by online enquiry form, by user registration etc)
The length of time and legal basis for storing this data (i.e. stored for 6 years due to HMRC invoice and tax purposes)
We advise the following:
Client should initially involve their Data Protection Officer (if appointed/applicable)
Client should review and formalise their own GDPR policy wording and make key decisions on the above factors, such as data capture methods, intended usage, retention period and security. Existing processes may need to be reviewed and revised in line with GDPR
Client to make their policy available via their website, email signature and other communication forms
Newenglish Studio to review the website/application/software to determine what areas contravene the agreed GDPR policy
Newenglish Studio to recommend technically feasible solutions to ensure GDPR-compliance
Newenglish Studio to estimate costs for implementation where applicable
Client to instruct Newenglish Studio to proceed
Data Subject Rights
GDPR includes several data subject rights which data controllers are obligated to respect. In the first instance, it is the responsibility of the data controller to respond to all requests and fulfil them where possible – via any content management system (CMS) or administration area. As a service provider (data processor), Newenglish Studio may be required to intervene manually to carry out certain tasks that are not available through the existing CMS/administration area. All manual requests will be carried out free of charge for clients who are covered by a support and maintenance agreement. Otherwise, requests will be chargeable at our standard agreed hourly rate. The data subject rights that Silver Innovation can manually assist with are as follows:
The right to ask for a copy of data – typically a comma separated file (CSV)
The right to ask to correct any data – such as errors, mistakes or inaccuracies
The right to ask for data to be removed – includes audit records
Data handling
Retention & backups
Newenglish Studio, as a data processor, retains backups for 3 months for the purpose of restoring data in the event of a disaster recovery scenario. These backups are stored securely and are accessible only via an encrypted platform.
Data breaches
Newenglish Studio, as a data processor, will comply with the GDPR guidelines surrounding data breaches, such as notification of clients within 72 hours of a breach being detected etc. Further details can be found here.
Data security
Newenglish Studio recommends that all websites/applications are operated over a secure https:// connection so that data is encrypted in transit. Encryption of specific data at rest is implemented on a case-by-case basis, depending on the sensitivity of the data and any specific requirements or instructions from the client (data controller).