EVOLVE GDPR Compliance Statement – February 2018

We take your privacy very seriously and work to the highest standards to keep your data safe. We welcome the introduction of the General Data Protection Regulation (GDPR), which comes into force on 25th May 2018, as it provides everyone with an opportunity to reflect upon the measures in place to protect data.

eduFOCUS Limited, the providers of the EVOLVE system, is committed to compliance with all relevant EU and Member State laws in respect of personal data, and the protection of the rights and freedoms of individuals whose information we collect and process in accordance with the General Data Protection Regulation (GDPR). Ongoing compliance is embedded in all processes and policies throughout our organisation.

eduFOCUS Limited is already registered with the Information Commissioner’s Office (ICO) both as a Data Processor for our customers’ data (the EVOLVE system) and as a Data Controller for our own company’s data. To ensure GDPR compliance we are undertaking a comprehensive review of our systems including:

  • Conducting a GDPR gap analysis of our procedures, policies and records
  • Reviewing how GDPR impacts on EVOLVE
  • Implementing a GDPR Compliance Framework
  • Assessing the potential impact of GDPR on our customers
  • Obtaining confirmation from our suppliers regarding their commitment to GDPR
  • Reviewing customer contracts
  • Implementing enhanced data protection security measures on our network infrastructure
  • Training our team members in GDPR considerations

eduFOCUS has always taken the security of data very seriously and our UK-based data centre holds a range of accreditations including the latest ISO 27001:2013, ISO 27018:2014, G-Cloud 9 and the UK Government’s ‘Cyber Essentials’ accreditation. Additionally, eduFOCUS’ network infrastructure benefits from dedicated firewalls and we are already implementing a range of additional security measures including:

  • Inclusion in the DDoSX programme to provide advanced protection against DDoS attacks
  • Installation of advanced Web Application Firewalls to automatically inspect every web request for cross-site scripting, SQL injection, path traversal and hundreds of other types of attacks
  • Proactive threat monitoring on each server to detect host-based intrusion attempts, provide file integrity monitoring and vulnerability scans
  • Dedicated team of security specialists to respond to and mitigate threats

EVOLVE Top Tips for ensuring GDPR compliance

  • Change your password regularly and keep it safe
  • Never reveal or share your password with anyone. We will never ask you for your password when supporting you.
  • Do not share user accounts with colleagues. Request a unique login from your EVC when planning your trips.
  • Ensure staff accounts are made inactive as soon as they finish employment. If you use EVOLVE via a trust or Local Authority then you could consider upgrading to EVOLVE+ which automates this process and ensures all staff accounts are created and disabled automatically – one less thing to worry about!
  • Always keep your email address up to date in your profile for notifications. If you use EVOLVE via a trust or Local Authority then you could consider upgrading to EVOLVE+ to ensure this is automatically checked daily and kept up to date.
  • Make use of EVOLVE’s Access Controls to ensure all users have appropriate levels of access for Payments, Bookings, Communications and Consent purposes.
  • Avoid including sensitive data in file attachments, e.g. registers. If you use EVOLVE via a trust or Local Authority then you could consider upgrading to EVOLVE+ to automatically synchronise up-to-date student data to create your registers; this would also make the data easier to search should you ever need to carry out a Subject Access Request.