Groupcall has standardised policies to manage and protect the data that we process on behalf of our customers. We have significant experience in the education sector and in cloud computing, processing data for around 7.5 million students every day - our policies are driven by this experience, our ISO 27001 and ISO 9001 accreditations and our existing data protection compliance through our ICO registration.
As part of your preparation for GDPR we want to help you be fully aware of the steps Groupcall take to protect personal data throughout its lifecycle.
Groupcall categorises data in two sets and each is treated with the same high level of discipline:
Where customer data reaches our platforms, we store it exclusively on approved and compliant cloud infrastructure. We operate our products on Microsoft Azure Europe to ensure customer data is retained within the European Economic Area (EEA). The Microsoft Azure platform in Europe and the UK is rated “official” by the UK Government. We also use multiple protective layers within the Microsoft Azure platform to protect our services, including SQL and storage encryption, access rights management, service auditing, and firewalling. While Microsoft provides a secure platform through Azure, the security of our software is our own responsibility. Our product owners are all formally GDPR qualified and our design processes have security at their core. We routinely carry out vulnerability and penetration testing on our platforms and promptly address any issues identified.
We store business data within selected cloud platforms, including services like Salesforce. Our usage of these platforms is subject to our approval of their information security practices. We also work with and store selected business data at our premises in London and where appropriate we hold frequent disaster recovery backup copies of our business data with suitably secure cloud services within the EEA.
All transfers of customer data and business data use TLS 1.2 and/or AES encryption while being transferred. All of our computer devices are BitLocker encrypted to protect data in the event of theft.
Our retention policy permits a maximum of 12 months retention of customer data after a customer ceases services, unless we are instructed to securely dispose of it sooner. In the event of legal requirement or legal instruction we may retain it for longer. In practice we store most customer data for less than the maximum time, for example any customer data that becomes unrequired during service is typically retained for a maximum of six months before being disposed of, such as when a student leaves a school or a parental contact changes. Any customer data that is being held exclusively for the purposes of transfer to an approved third party, for example an Xporter partner, is disposed of within 30 days.
We retain our business data in compliance with the multiple legal requirements that apply to UK businesses and, where relevant, the non-UK markets we operate in.
Customer data is ultimately obtained from the Data Controller, typically a school. If there is an error in customer data then it is usually best to resolve it in the school system, e.g. the MIS, and then synchronise this data with us to propagate the correction to our services and any connected services. In any other case we provide means to correct data generated within our systems, although we cannot alter audit logs or historic data such as messages that have already been sent. Any errors in Business Data can be corrected by contacting firstname.lastname@example.org.
All Groupcall products include access controls to allow you to control what data is accessible to your own users. On occasions where it is necessary to access customer data on behalf of a school, for example to investigate a specific support case, only approved Groupcall support and technical staff can access it. Groupcall staff are vetted and are subject to contractual data access policies and confidentiality clauses. We carry out DBS checking where appropriate.
In order to carry out business activities authorised Groupcall staff can access business data subject to access controls.
Groupcall is externally audited every year for ISO 27001 and ISO 9001 accreditations. Our dedicated Data Protection Officer ensures our day-to-day compliance.
Where Subject Access Requests and/or Right to be Forgotten are applicable to Customer Data in a Groupcall Product we provide, or will provide, means for authorised customer users to carry out such activities directly. If you wish to make a Subject Access Request regarding Business Data held by Groupcall please contact email@example.com.
If you would like further information on GDPR compliance in Groupcall products then please contact your Groupcall account manager. If you’re interested in tools to manage your own organisation’s GDPR compliance, please download our GDPR e-book: https://www.groupcall.com/gdpr-ebook-for-schools