What is GDPR?

On May 25th 2018 the General Data Protection Regulation (GDPR) (EU) 2016/679 became enforceable. The GDPR is a regulation in EU law on data protection and privacy for all individuals within the European Union and is intended to unify the policies and strengthen the safety and security of all data held within an organisation. This legislation is considered the most significant data protection legislation of the last 20 years. There’s loads of information about the new legislation available online, with the Information Commissioner's Office (ICO) providing a good starting point.

Our compliance

Eedi is committed to helping teachers, students and parents work together to improve overall student performance. We have standardised policies and procedures to manage and protect the data that we process on behalf of our schools, putting data security and compliance at the core of our operations. Our systems and processes are fully GDPR compliant.

Data controllers and Data processors

Eedi collects basic contact details (e.g. name, email or phone number) from most users in order to facilitate normal use of the platform. Schools are the data controllers of staff and pupil data. The data controller is the person or organisation who determines what data is extracted, what purpose it is used for and who is allowed to process the data. GDPR increases the responsibility schools have to inform students and parents about how their data is being used and by whom. Eedi acts as a data processor of staff and pupil data, wherein we are trusted by schools with data, but we do not control it. Schools have ultimate control over their data and the consent to use it. Eedi will assume each school has received consent from appropriate parties before any data is shared with Eedi. In cases where students sign up directly, Eedi will ask for the e-mail address of the parent/guardian so we can seek verifiable parental/guardian consent to the collection and processing of personal data. Students do not have permission to use Eedi unless a parent/guardian first reads and agrees to the terms of use.

How does Eedi protect personal data and where is it processed?

Our platform and customer data are stored on secure and compliant cloud infrastructure. Our servers are hosted by Microsoft Azure in the EU to ensure customer data is retained within the European Economic Area (EEA), and sensitive data is encrypted within the database. We store business data within selected cloud platforms, including services like Google Drive, Intercom and Zoho CRM. We will only use platforms whose information security practices we approve. These are tools we use to operate our business, for purposes such as billing and invoice information, support cases, and marketing. For more information, please see our Terms and Conditions and Privacy Policy.

Who can access personal data?

Where it is necessary to access customer data, for example to investigate a support case, only approved Eedi support and technical staff can access it. If you wish to make a Subject Access Request and/or Right to be Forgotten request, or are looking for further information on GDPR compliance, please contact hello@eedi.co.uk