GDPR in Schools Limited

GDPRiS Pro Data Protection Support Service

A cost-effective service, driven by our GPDRiS software, specifically designed to support DPOs and DP Leads with the monitoring management of data protection within schools ensuring on-going compliance with the GDPR and DPA2018.

Features

• Includes all features of the GDPRiS cloud application and service
• Over 4,500 pre-populated supplier data maps and supporting compliance information
• Fast, efficient reporting and management of Data Breaches, SARs, FOIs
• Pre-filled Data Protection Impact Assessment (DPIA) templates and guidance
• Comprehensive auditing tools
• Extensive template procedures and policies, risk register, privacy policy
• Role-based staff training and awareness resources
• Powerful real-time reporting

Benefits

• Peace of mind, with a clear pathway to compliance
• Clarity and guidance on what the law requires
• Unlimited advice and support via email and phone
• Practical tools and templates
• Helps schools achieve the key requirements mandated for compliance
• Drives a whole-school approach to data protection
• Embeds Data protection by design and by default into schools
• Easily collaborate with stakeholder to achieve compliance
• Help with data subject requests
• Help with breach response

£785.00 to £1,495.00 a unit a year

• Education pricing available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at contactus@gdpr.school. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

326061860612641

Contact

Sales
020 3961 0110
contactus@gdpr.school

Service scope

• Software add-on or extension: Yes
• What software services is the service an extension to: The DPO Service requires that customers use our GDPRiS application and service.
• Cloud deployment model: Private cloud
• Service constraints: No specific constraints at this time.
• System requirements: Recent web browser (JavaScript enabled)

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: All emails or online tickets get an automated response with additional guidance for self-service of support. Staffed support is 9 am-5 pm Mon to Fri, exclusive of Bank Holidays.; Response time is based on the severity and during working hours:; Urgent/Critical - 4hr; High - 8hr; Normal - 16hr; Low - 24hr
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: We operate a single level customer service contract to all clients as part of the cost of the platform.; This includes a team of Customer Service agents to support pre-sales technical advice, onboarding, online training, service and support issues, and account management.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Welcome email sent out upon signing up.; Welcome email gives instructions to support initial logging in to access the portal. It also provides links to guidance and resources to help customers get started. ; Customers will receive a call from the Customer Success Team to arrange a session for online product training and to establish the scope to proceed.; After the training, they will receive a post-training email with further guidance and how to access more resources and support.; Depending on the outcome of the initial onboarding call, we will guide you through populating the platform.; Within the portal, we provide access to a wide range of resources on best practice and general information on GDPR. These are designed to help guide the customer through the compliance journey.; Our Customer Support Team will help you every step of the way.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: The standard user interface allows data to be extracted via reporting engine.
• End-of-contract process: All end-of contract activities are included within the price. All data is removed from the platform after 30 days post contract expiry, except where data needs to be retained to allow GDPR in Schools to complete any legal requirements.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: The same functionality is rendered onto a smaller screen. Some functionally (large tables) becomes hard to use on really small screens
• Service interface: Yes
• User support accessibility: WCAG 2.1 AA or EN 301 549
• Description of service interface: GDPRiS presents a web user interface which allows users to manage their GDPR compliance, e.g. creating and maintaining their data ecosystem (data maps), performing DPIAs, managing breaches and subject requests, running user training, questionnaires and audits, comprehensive resource bank of templates, extensive knowledge base and training resources to cover all aspects of school life.
• Accessibility standards: WCAG 2.1 AA or EN 301 549
• Accessibility testing: Our development aims at AA level compliance with WCAG 2.1.; There are currently known gaps.; Testing takes place with tooling (Axe Tools)
• API: No
• Customisation available: Yes
• Description of customisation: Customers upload their logo.; By mapping their data ecosystem within GDPRiS, customers tune their experience for DPIAs and for data protection audits.; Users customise which notifications they wish to receive from the system. (e.g. breaches, incidents, subject requests)

Scaling

• Independence of resources: The service is hosted on an auto-scaling platform with generous headroom. Resource pressures on the service are being monitored and addressed by the technical team.

Analytics

• Service usage metrics: Yes
• Metrics types: GDPRiS has built-in reporting features to allow schools to monitor their own use of the tool and measure progress on their data protection journey.
• Reporting types:
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: None

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: In-house
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: There exist various tabular data reports in the standard web user interface. These can saved into spreadsheet formats.; ; Additionally GDPRiS support can set up scheduled - and user defined - reports for customers that get delivered, e.g. to users' mailboxes.
• Data export formats:
  • CSV
  • Other
• Other data export formats: Office Open XML
• Data import formats:
  • CSV
  • Other
• Other data import formats: Office Open XML

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: The service is available 24x7. We take out-of-hours maintenance outages from time to time, and these are usually announced to the customers beforehand. While we make no guarantees about our up-time, our record since July 2019 shows no unplanned outages of the core application
• Approach to resilience: The service is hosted on Microsoft Azure on an autoscaling, and self-maintaining compute platform. In that way, the platform both scales out to meet spikes in demand, but also experiences no outages or service degradation during - routine - maintenance tasks.
• Outage reporting: The service is externally monitored - in-app notification to admins and email. The hosting platform itself sends notification emails on severe events. Depending on our assessment, we can choose to inform users of an outage (e.g. via email)

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
• Access restrictions in management interfaces and support channels: Access restrictions can be set by the customer (access revocation)
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: No
• Security governance approach: The security and information governance approach is informed by ISO27001. An ISMS has been developed and is in use.
• Information security policies and processes: Information Security Policy, Data Protection Policy, Information Security Management System (ISMS) manual, Information Classification and Handling, Bring Your Own Device Policy, Access Control and Joiner/Leaver/Mover policy, Acceptable Use Policy, Password Policy, Remote Working Policy, Incident Response Procedures, Third Party Management Policy, Secure Software Development.; One of GDPRiS' directors is responsible for compliance and maintains evidence of policies and procedures being followed.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Changes are tracked for * application and hosting environment * important business support functions, such as DNS settings, Microsoft 365, provisioning/decommissioning of services and more Depending on assessed potential impact of an intended change, it is announced to stakeholders beforehand; Feedback and where that applies their agreement are required. All impacting changes are logged in a Ticketing system.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: 1. Policies define requirements for vulnerability assessments and response to findings 2. Using only managed services for core application (patching by service provider) 3. Using Azure's native vulnerability detection system 4. Using O365/Intune for vulnerability and patch level detection on endpoints.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Extensive logs are produced by the hosting environment, and suitable alerts are being emitted. The custom code's log data is being imported into a log aggregation platform and evaluated there.
• Incident management type: Supplier-defined controls
• Incident management approach: GDPRiS have developed a comprehensive incident response plan, informed by leaders in the industry. All staff are encouraged and trained to report any anomalies whether or not they were caused by them. Incident data collection forms for data breaches and for cyber security incidents exist. An incident register exists. A guide for a full incident report is part of the response plan.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Social Value

• Fighting climate change:

  Fighting climate change

  * Hosting in cloud environment (shared compute resources) saves energy as opposed to self-hosting * We operate from home-offices, meaning there is little routine car travel for our workforce, significantly reducing the carbon footprint.
• Covid-19 recovery:

  Covid-19 recovery

  Being a home-based business, Covid has not had a very disruptive effect on our operation, other than the occasional - temporary - reduction in workforce.
• Tackling economic inequality:

  Tackling economic inequality

  We pride ourselves in disseminating our experience and knowledge of data protection to our customers. Our work advances the skill and know-how of employees of our customers.
• Equal opportunity:

  Equal opportunity

  Our online service specifically addresses the needs of users with disabilities.
• Wellbeing:

  Wellbeing

  GDPRiS prides itself in being a family-oriented business, granting out staff time off work for personal matters freely.; The consumption relieves our customers and their staff from the anxiety of that surrounds data protection.

Pricing

• Price: £785.00 to £1,495.00 a unit a year
• Discount for educational organisations: Yes
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at contactus@gdpr.school. Tell them what format you need. It will help if you say what assistive technology you use.