GDPR and Tutoring Companies
We encourage you to speak to a legal practitioner in your area to learn more about how the GDPR may affect your education business. The following article is intended as a resource only.
The General Data Protection Regulation (GDPR) legislation will affect companies in the European Union as well as online tutoring companies with customers in the European Union. The legislation is set to come into effect on May 25, 2018.
We have received a number of questions from our customers regarding Teachworks’ compliance and wanted to take this opportunity to let you know that we’ve reviewed the documentation and that Teachworks is already in compliance.
To make it easier for companies that use Teachworks to adhere to the GDPR guidelines in regards to the information they collect from their own customers and employees, we will be upgrading and adding some features in Teachworks (we’ll cover this in more detail in a future blog post).
What is the GDPR?
The GDPR is a privacy law that aims to regulate how organizations treat or use the personal data of European Union (EU) citizens. The legislation will affect businesses around the globe that collect, change, transmit, erase, or otherwise use or store the personal data of EU citizens.
Personal data refers to any data that can be used alone or in correlation with other data to identify a person.
- Data Controller – the entity that determines the purposes, conditions and means of the processing of personal data
- Data Processor – the entity that processes data on behalf of the Data Controller
- Data Subject – a natural person whose personal data is processed by a controller or processor
- Consent – freely given, specific, informed and explicit consent by statement or action signifying agreement to the processing of their personal data
- Data Erasure – also known as the Right to be Forgotten, it entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties cease processing of the data
Source: “A Glossary of Terms and Definitions as used in relation to the GDPR”, https://www.eugdpr.org/glossary-of-terms.html
Teachworks: Both Data Controller and Data Processor
Teachworks provides services to education companies who in turn provide services to their own customers. Because of this, we can be classified as a Data Controller as well as a Data Processor.
A Data Controller is an “entity that determines the purposes, conditions and means of the processing of personal data” [Source]. We provide B2B services to our customers (which are typically companies) and we collect information that could potentially identify a natural person. In this regard, we’re a Data Controller.
A Data Processor is an “entity that processes data on behalf of the Data Controller” [Source]. We provide companies that use Teachworks with business management software that allows them to collect data about their own customers. In this instance, companies that use Teachworks are Data Controllers and Teachworks is a Data Processor.
Teachworks as a Data Controller
Our customer list consists mainly of education companies and because of this, they are not really considered Data Subjects (“a natural person whose personal data is processed by a controller or processor” [Source]). However, some of the information we store could potentially be used to identify a natural person, which makes us a Data Controller.
We provide a free trial to companies and in order to sign up for the trial, and ultimately subscribe to our service, companies are required to consent to our Terms of Service. We use the data that’s entered upon registration to provide our customers with our services while strictly adhering to our terms of service and placing a very high importance on privacy.
We will share your data with our 3rd party Data Processors in line with our terms and conditions. This includes AWS, MailGun and Postmark. Some of our add-ons and integrations connect to other 3rd party Data Processors. If you require more information about this, please email our support team.
The GDPR documentation also stresses that Data Subjects have “The Right to be Forgotten” (in other words the right to request that their personal information is erased and not kept for future use). Teachworks makes it very easy for customers to terminate their accounts and remove their data from our servers – this can be done from within your Teachworks account or you can contact our support team for assistance.
Teachworks as a Data Processor and Your Role as a Data Controller
Teachworks provides services to education businesses that manage their own users and in this instance:
- Teachworks is the Data Processor
- The company managing a Teachworks account is the Data Controller, and
- The company’s customers and employees are Data Subjects
The areas that appear to be most relevant for compliance for education companies regarding the personal information of their customers and employees are Consent and Data Subject Rights. For example, you would need to receive consent from your customers regarding the personal information you will be storing, and if a customer were to make a request to you under their Data Subject Rights, you would need to provide them with the requested information.
Our Custom Enrollment Forms Add-On currently includes a “Terms” field that allows you to get consent from customers and employees when they submit their details. We will be updating this to save each version of your terms so that there is a record of the specific terms that customer/employees agreed to when they signed up using the form.
The principle that personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes ultimately depends on how long you determine is necessary to keep the data. There therefore appears to be flexibility in how long you decide you need to keep your records.
Some of the records associated with your customers are likely legally required for longer than 2 years by your country’s tax authority as they are records of transactions and services provided, so there would be a legitimate reason to keep these longer. Records such as lessons, packages, charges, invoices, and payments are also necessary for your own accounting and business history records. Because these transaction records need to be associated with a particular customer record, to delete the customer profile would require you to also delete all of the associated records.
The personal information that may not be required would likely be specific fields on profiles. In that case, you can simply delete the information in those fields for each of your customers/employees. You can mass update profiles using our importing feature.
Other elements of the GDPR may also apply, so we would recommend researching which responsibilities you will have regarding your customers’ personal data. If you have any questions or concerns about the GDPR, please don’t hesitate to let us know so that we can provide you with more information and resources.