Last revised 17th May 2018
What is GDPR
The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, is a European data protection law adopted by the European Parliament and Council in April 2016 which applies from 25th May 2018.
The GDPR replaces EU Directive 95/46/EC which has been the basis of European data protection law since 1995. The GDPR aims to strengthen and modernise EU data protection law and enhance individual rights and freedoms, consistent with the European understanding of privacy as a fundamental human right. The GDPR regulates, among other things, how individuals and organisations may obtain, use, store, and remove personal data.
In-Tuition’s commitment to GDPR and Privacy
In-Tuition has always been committed to data privacy and the principles codified within the GDPR. Ever since we built our first internet connected servers back in the 1990s, we have held privacy and data security as a core design principle for all systems and services we offer. Nonetheless, we have been hard at work making sure we are compliant by 25th May 2018. Here’s what we’ve done:
Data Processing Terms Variation
If you are a customer of ours, you will have received a Variation Letter which is our formal notification of the variation of our Agreement and sets out the new terms for how we will comply with our obligations under the GDPR. We’ve also uploaded a copy of this letter to our administrator portal in the legals section.
Awareness and Governance
Data security and privacy were already at the forefront of all of our staff’s minds, and whenever we design a system or make changes to one, we treat them as the utmost priority. To formalise this, we’ve appointed a Data Protection Officer and we’ve made data processing and compliance a standing item on our monthly management meeting agenda. We’ve created policies and procedures to ensure we remain compliant as our products and services evolve, as we add new features, and as we contract with new suppliers or third party services. We have created a programme under which we will continue to invest in governance over the long term, not just to meet our obligations for 25th May 2018.
Product Specific Considerations
The primary services we provide are Zimbra Email and Collaboration, Email Security (hosted email virus and spam scanning) and WordPress hosting. We document the specific privacy and security particulars of each service on our Security and Infrastructure page.
We conducted a thorough review of each of our suppliers and third party services to understand, for each one: where they host any data we share with them; how they process it; which legal entity controls the data; what terms and conditions govern our relationship and that processing, and whether those terms are acceptable to us; and whether they had completed their own GDPR compliance work in time for the deadline. We created a governance process to ensure we keep refreshing our due diligence on these matters. We’ve also created a checklist process for how we select suppliers going forward.
Individual Data Subject’s Rights – Data Access, Portability and Deletion
Risk Assessment – Data Protection Impact Assessments
As we’ve always considered security and privacy during every aspect of system design and implementation, formalising a process for risk assessment during system and product design and updates is straightforward for us. We have been working on creating formalised and documented Data Protection Impact Assessments to ensure we meet our GDPR obligations.
Frequently Asked Questions
Where does In-Tuition host its services?
In order to provide its services, In-Tuition owns and manages its own switches, routers, servers and other computer equipment, which it hosts in two highly secure UK data centres in Manchester and London (United Kingdom). In-Tuition also makes use of the public cloud for hosting an increasing number of its services. These public cloud providers are selected based on strict criteria for sovereignty, security and privacy controls. Currently, In-Tuition makes use of Amazon Web Services (UK and Ireland) and Interoute (UK). No services are hosted outside of the EEA.
For any third party web services (other than In-Tuition’s core hosting facilities), In-Tuition’s policy is to prioritise suppliers who are able to provide their service or hosting from the UK or the EEA; if a suitable local solution is not available, In-Tuition carefully assesses the controls and privacy policies of global providers before entering into a contract.
What security measures do you have in place to protect data?
Protecting our customers’ data is fundamental to everything we do. To better understand our security practices, you can refer to our Security and Infrastructure page.
Do you have a GDPR compliant Data Processing Agreement/Addendum for us to sign?
We have issued a variation notice which varies our Agreement with Customers in line with GDPR requirements. This does not require your signature to take effect. A copy is available from the administration portal, in the terms section.