Ensuring You Are GDPR Compliant

The GDPR applies to ‘personal data’ (any information relating to an identifiable person) and as a Campus user, under the legislation, you are considered a data controller. This is because you hold, and have access to two types of personal data (teacher data in the Education Data module, and your contacts' data in the CRM module) and you determine the purposes for which, and the manner in which, it is to be processed. E.g you decide to whom, and when, you send marketing etc. and so therefore assume your own responsibilities under the GDPR.

As a data processor it's very important that from 25th May you have a legal basis for processing all the personal data you hold in your Campus account. The GDPR gives you six legal grounds you may rely on. The two most common, and appropriate to you, are 'consent' (explicit or soft*), and 'legitimate interest'.

*as long as certain conditions are met.

Let's look in a little more detail about these two types of data subject and which of the legal grounds you can use to process their data.

---------------------------------------------------------------------------------------------------------------------------------------

1. Your Contacts’ Data (in the Contacts module)

You'll probably hold two 'types' of contacts:

A) 'End user's at 'corporate subscribers' (employees at limited companies, government bodies and organisations e.g. educational establishments).
Under some complimentary legislation to the GDPR (PECR), organisations may send marketing to 'end users' at 'corporate subscribers' without consent as long as other conditions are met, not least that a legal basis for processing under the GDPR is held (e.g. legitimate interest). There's a good article by the ICO that defines corporate subscribers here:
https://ico.org.uk/media/1555/direct-marketing-guidance.pdf (point 142 on page 44).

You may use legitimate interest or consent (as long as their conditions are met) as your legal basis for processing the personal data of the end users at corporate subscribers.

B) Everyone else (consumers/sole traders and their employees/partnerships and their employees).
These contacts must have provided you with consent to send them email marketing. This is the case pre and post GDPR - essentially it was the law before the GDPR and remains the case now.

You must use consent (you may not rely on legitimate interest) as your legal basis for processing your consumers/sole traders and their employees/partnerships and their employees contacts. If they have not provided you with consent you will either need to gain their consent prior to May 25th or no longer process their data.

---------------------------------------------------------------------------------------------------------------------------------------

2. Teacher Data (in the Education Data module)

This is Sprint's data that we manage and make available to you - it falls under the 'end users' at 'corporate subscribers' category. 

You are still considered a data controller of this data despite the fact that you are essentially 'leasing' this data from us because once you gain access to the data you determine the purposes for which, and the manner in which, it is to be processed (subject to your lease terms). E.g you decide to whom, and when, you send marketing etc. and so again assume your own responsibilities under the GDPR.

You may use legitimate interest (as long as its conditions are met) as your legal basis for processing the personal data of teachers in the Education Data module.

---------------------------------------------------------------------------------------------------------------------------------------

Legal Basis for Processing

It's worth running through what consent and legitimate interest are and what you need to do be able to rely on either of them for your legal basis for processing.

Consent

In order to process personal data under this legal basis you must ensure that each data subject has provided you with explicit consent to process their data and send them marketing. 

It's defined as: "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

There's some really useful information from the ICO about consent which you can read here:
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/consent/

You may rely on 'soft consent' if you hold the personal details of a contact who has bought from you in the past or with whom you've had correspondence regarding the negotiation of a sale.

Legitimate interest

In order to process personal data under this legal basis you must ensure that you have a legitimate interest to do so and satisfy yourself (and any regulator that may ask) that your legitimate interests do not outweigh the rights, freedoms, and interests of the data subject.

It's defined as : “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
N.B. Recital; 47 of the GDPR states that processing for direct marketing purposes may be considered a legitimate interest.

You'll need to rely on legitimate interest as your legal basis for at least some of your processing (certainly for your processing of the data in the Education Data module) and will need to ensure that you have the following in place:

  1. You've completed a legitimate interest assessment and balancing test to satisfy that your legitimate interests don't override the freedoms, rights and interests of the teachers. 
  2. Provide relevant information in your Privacy Policy about the data you hold and how you process it. You'll need to link to your privacy policy in every email you send your leads.
  3. Ensure that your unsubscribe process if absolutely robust - you must absolutely honour a data subject's request to be removed.

--------------------------------------------------------------------------------------------------------------------------------------------

And finally...

It's your responsibility to ensure your contacts' data it is processed in line with the GDPR. Campus provides you with tools to help you do this e.g. the unsubscribe feature that you have to embed in every marketing email you send from Campus, and an easy way to delete contacts who don’t wish you to process their data. We'll be releasing more features around the end of May to further help you with compliance so keep your eyes peeled.

If you have any questions just get in touch!