Last revised 17th May 2018

What is GDPR?

The General Data Protection Regulation (GDPR) is a European privacy law (Regulation (EU) 2016/679), adopted by the European Parliament and the Council in 2016, which will take effect from 25th May 2018.

The GDPR replaces EU Directive 95/46/EC which has been the basis of European data protection law since 1995. The GDPR aims to strengthen and modernise EU data protection law and enhance individual rights and freedoms, consistent with the European understanding of privacy as a fundamental human right. The GDPR regulates, among other things, how individuals and organisations may obtain, use, store, and remove personal data.

In-Tuition’s commitment to GDPR and Privacy

In-Tuition has always been committed to data privacy and the principles codified within the GDPR legislation. Ever since we built our first internet connected servers back in the 1990s, we have held privacy and data security as a core design principle for all systems and services we offer. Nonetheless, we have been hard at work making sure we are compliant by 25th May 2018. Here’s what we’ve done:

Data Processing Terms Variation

If you are a customer of ours, you will have received a Variation Letter which is our formal notification of the variation of our Agreement and sets out the new terms for how we will comply with our obligations under the GDPR. We’ve also uploaded a copy of this letter to our administrator portal in the legals section.

Awareness and Governance

Data security and privacy were already at the forefront of all of our staff’s minds. When we design any system or make changes, we treat data protection as the highest priority. To formalise this, we’ve appointed a Data Protection Officer and we’ve made data processing and compliance a standing item on our monthly management meeting agenda. We’ve created policies and procedures to ensure we remain compliant as our products and services evolve, as we add new features, and as we contract with new suppliers or third party services. We have created a programme which means we will continue to invest in governance over the long term and not just to ensure we meet our obligations for 25th May 2018.

Updated Privacy Policy

We’ve updated our privacy policy to reflect our obligations under the GDPR. The first stage was to conduct a thorough audit of our products, the software we use, third party web services, suppliers and our web properties to map out where we are storing or processing personal data. We have validated our legal basis for collecting and processing personal data and made sure we are applying the appropriate safeguards and protections across our entire infrastructure and software ecosystem.

Product Specific Considerations

The primary services we provide are Zimbra Email and Collaboration, Email Security (hosted email virus and spam scanning) and WordPress hosting. We document the specific privacy and security particulars of each service on our Security and Infrastructure page.

Consent

We conducted an audit of all of the places where we collect personal information and reviewed the legal basis for doing so. We updated our sign-up form to comply with GDPR guidance and our privacy policy was updated with the latest information about cookies which are set by our web properties. We’ve also created a governance process to ensure we keep our privacy policy up to date any time we launch a new website or include a new third party library which might set a cookie.

Supplier Contracts

We conducted a deep review of each of our suppliers and third party services to understand, for each one: where they are hosting any data we share with them; how they are processing it; what legal entity is controlling the data; what terms and conditions are governing our relationship and such processing and whether those terms are acceptable to us; and whether they had completed their own GDPR compliance work in time for the deadline. We created a governance process to ensure we keep refreshing our due diligence on these matters. We’ve also created a checklist process for how we select suppliers going forward.

Individual Data Subjects’ Rights – Data Access, Portability and Deletion

Your Customer account is managed online using our administrator portal. From this portal you can print, edit and delete your personal information. When you do this, we may also automatically update other systems (including third party systems when necessary) to keep everything in sync and to ensure that we can perform the necessary activities to fulfil our Agreement with you such as billing and payment collection. If you use the administrator portal to delete your account, the personal information held there will be deleted immediately from the primary database. We document this in more detail in our privacy policy. We’re developing internal policies and procedures to cover subject access requests and deletion of other personal data such as that which might have been collected by third parties as a result of visiting our website (e.g. by Google Analytics) or when you email us.

Risk Assessment – Data Protection Impact Assessments

As we’ve always considered security and privacy during every aspect of system design and implementation, formalising a process for risk assessment during system and product design and updates is straightforward for us. We have been working on creating formalised and documented Data Protection Impact Assessments to ensure we meet our GDPR obligations.

Breach Management

We’ve updated our incident response procedures to bring them into line with the GDPR, which requires notifiable personal data breaches to be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of them, and to ensure that we can communicate any issues to affected customers directly and quickly.

Frequently Asked Questions

Where does In-Tuition host its services?

In order to provide its services, In-Tuition owns and manages its own switches, routers, servers and other computer equipment, which it hosts in two highly secure UK data centres, in Manchester and London. In-Tuition also makes use of the public cloud for hosting an increasing number of its services. These public cloud providers are selected based on strict criteria for data sovereignty, security and privacy controls. Currently, In-Tuition makes use of Amazon Web Services (UK and Ireland) and Interoute (UK). No services are hosted outside of the EEA.

For any third party web services (other than In-Tuition’s core hosting facilities), In-Tuition’s policy is to prioritise suppliers who are able to provide their service or hosting from the UK or the EEA; if a suitable, local solution is not available, In-Tuition assesses carefully the controls and privacy policies of global providers before entering into a contract.

What security measures do you have in place to protect data?

Protecting our customers’ data is fundamental to everything we do. To better understand our security practices, you can refer to our Security and Infrastructure page:

https://www.in-tuition.net/about/security/

Do you have a GDPR compliant Data Processing Agreement/Addendum for us to sign?

We have issued a variation notice which varies our Agreement with Customers in line with GDPR requirements. This does not require your signature to take effect. A copy is available from the administration portal, in the terms section.