As the General Data Protection Regulation (GDPR) implementation date – 25 May 2018 – looms large, we’re finding more and more schools are asking the ICO for advice on the subject. One area in particular is the transfer and storage of data outside the EEA.

One of the requirements under the GDPR is that data must only be transferred to countries with adequate data protection laws, of which the US is not one, and for those schools using US-based cloud providers or suppliers this has been a concern.

Last year we saw the implementation of the EU-US Privacy Shield – a framework aimed at allowing US companies to meet the requirements of the regulations.

More and more companies have now signed up to Privacy Shield, including Survey Monkey, Google and Microsoft. You can view the Privacy Shield certification for these companies in the links below.

Survey Monkey – https://contribute.surveymonkey.com/privacy

Google – https://www.google.de/intl/en/policies/privacy/frameworks/

Microsoft – https://privacy.microsoft.com/en-us/microsoft-eu-us-privacy-shield

With GDPR allowing for bigger financial penalties for businesses in breach of the new regulations – up to 4% of global turnover – it’s essential that schools are fully aware of where their data is stored and how data breaches are reported.

However, despite Privacy Shield, our advice to schools is to ensure that they are fully confident that any third-party suppliers holding data outside of the EEA are managing their data in accordance with GDPR. One way of doing this is to ask the host to sign a ‘model contract clause’. Find out more from the ICO here.

And remember the US has very different privacy laws to the EU and any data that is sent to the US is freely available to the US Government.

At My School Portal, a large focus of what we do is aggregating school data, so our aim is to integrate with systems that comply with data protection legislation. This does prevent us from using some well-known applications from the US which are neither able to offer a hosting facility in the EEA nor able to satisfy individual schools that they are compliant. Over this past year we have successfully collaborated with a number of new system providers to ensure that they meet all of our stringent criteria and protect the integrity of schools’ data.

If you’re interested in finding out more please drop us a line.