Welcome to the Renaissance Learning
GDPR Compliance Overview

Updated 3 May 2018

 

Introduction

The overview that follows provides what we at Renaissance Learning hope are helpful insights and information about our General Data Protection Regulation (“GDPR”) compliance efforts and, when relevant, how we can help you be ready for your GDPR-compliance obligations.

The GDPR goes into effect on 25 May 2018. The GDPR is the European Union's (“EU”) new data-protection framework. The GDPR builds on the EU’s data protection framework in place since 1995. Renaissance Learning welcomes the GDPR as embodying many of the data-protection philosophies it holds as an organization. The GDPR provides for stricter limits on processing of personal data, significantly expands the rights of EU residents over their data, and provides for increased transparency regarding the use of EU residents’ data. All of this adds up to greater privacy rights for individuals in the EU.

If after reading this and Renaissance Learning’s privacy policy you still have questions, please contact our Data Protection Officer at privacy@renaissance.com.

Renaissance Learning is committed to GDPR compliance

Beyond Renaissance Learning’s commitment to be ready for GDPR by 25 May 2018, navigating GDPR will require cooperation and communication between data controllers, processors, and data subjects. We have carefully examined the provisions of the GDPR applicable to Renaissance Learning and our applications, and we are closely tracking applicable GDPR guidance issued by regulatory authorities. This will allow us to have the tools that will allow school administrators, students, and their parents to be able to enjoy a GDPR-compliant use of Renaissance Learning's applications.

GDPR overview

As a regulation instead of a directive, the GDPR becomes enforceable as law in all EU member states and aims to harmonize the separate member state implementations of data protection laws, streamlining compliance by providing a single set of principles to follow. While there are a great number of resources available regarding GDPR, we recommend governmental resources. To that end and for a more detailed overview, please see https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/.

Renaissance Learning’s GDPR compliance journey

Renaissance Learning understands that handling your data requires trust, and we have long been committed to maintaining that trust. We, like many of our customers, have been actively preparing for the GDPR for quite some time and started from a strong position on data security and data processing. What follows is an overview of the steps we have taken to be ready for the GDPR.

Our GDPR compliance journey started by gathering a team of experts within the company from legal, information security, product engineering, marketing, and sales—both in the EU and the United States—to specifically address the GDPR’s new requirements. We then appointed a Data Protection Officer to oversee Renaissance Learning’s GDPR compliance programme.

Then, over the next several months, Renaissance Learning underwent a comprehensive, detailed analysis of our data handling and security practices. We then took our findings and laid them against the GDPR’s requirements and current guidance from the relevant regulators to assess whether they met the requirements or whether further attention may be required.

Since completing that analysis, we have updated internal procedures and revised our customer-facing policies and notices. Here is our revised privacy policies document, for both the website and our applications. Additionally, current customers will be receiving a data processing addendum that formalizes our commitment, as your data processor, to comply with the GDPR’s requirements. Those addendums will be emailed to our customers in batches starting on 8 May and continuing through the 18th of May. If you have not received that addendum by 22nd May, please email our Data Protection Officer at privacy@renaissance.com.

At the end of this journey will be Renaissance Learning’s commitment to be ready for GDPR’s requirements and to continue to work with our customers to ensure they have the information they need to be ready as well.

Frequently asked questions about personal data

What is personal data?

The GDPR defines Personal Data broadly to include any of the following information relating to an identified or identifiable person.

Identity

  • Name
  • Home address
  • Work address
  • Telephone number
  • Mobile number
  • Email address
  • Passport number
  • National ID card
  • National Insurance Number (or equivalent)
  • Driver's license
  • Physical, physiological, or genetic information
  • Medical information
  • Cultural identity

Artefacts

  • Social media posts
  • IP address (EU region)
  • Location / GPS data
  • Cookies

It is important to note that Renaissance Learning does not process all of these types of personal data in the context of our applications, and the list of processed Personal Data may vary slightly from school to school. Please refer to your parameters set at implementation for the definitive list. Our website privacy policy discloses the type of online artefacts that we may collect and the conditions surrounding that collection. However, Renaissance Learning’s policy is only to collect data strictly necessary for our products to work, or that our customers request we process.

How long does Renaissance Learning maintain our personal data?

Our GDPR-ready data retention policies are set forth in the respective privacy policies.

Where is personal data stored?

Personal data collected in the context of our applications is stored on our secure servers in the United States. It is important to remember that the GDPR does not contain any obligation to store information only in Europe. However, transfers of European personal data outside the European Economic Area (“EEA”) generally require that a valid transfer mechanism be in place to protect the data once it leaves the EEA (See Chapter V, Articles 44-50). On this issue, Renaissance Learning is GDPR ready by adhering to the EU-US Privacy Shield Framework and other mechanisms.

EU–U.S. Privacy Shield

Renaissance Learning participates in and is certified under the EU-U.S. Privacy Shield Framework (the “Framework”). That means, that in addition to the GDPR strictures, Renaissance has certified that it adheres to the Privacy Shield Principles of Notice; Choice; Accountability for Onward Transfer; Security; Data Integrity and Purpose Limitation; Access; and Recourse, Enforcement and Liability. To learn more about the Privacy Shield Framework, visit https://www.privacyshield.gov/. To view our certification, visit the U.S. Department of Commerce’s Privacy Shield List.  If you have questions about our participation in the Privacy Shield program or have a complaint, please send an email to privacy@renaissance.com.

Other GDPR FAQs

For some companies, the GDPR will change the way data is collected, as well as how those companies obtain, document, and manage the legal basis for processing. Below is an overview of some of the key GDPR requirements and how Renaissance Learning addresses them, where applicable. Please note that other questions, such as school control of data, what information Renaissance collects, how that data is used, and how in limited circumstances Renaissance may share that information are addressed in our application privacy policy, found in the Application Privacy Policies box on this page. As always, if you have any questions, please do not hesitate to contact our Data Protection Officer at privacy@renaissance.com.

Application Privacy Policies

For information on Renaissance Learning practices with respect to our software applications and the privacy of all student data, refer to the documents below:  

Key requirements

Brief description and Renaissance Learning's position

Data protection by design and default

Controllers (schools) and Processors (Renaissance Learning) must incorporate data protection into new products and services that involve processing of personal data and consider data protection issues in all business decisions. Renaissance Learning is ready to adhere to this principle.

Lawfulness of processing

Processing must be based on one of a number of different lawful bases, such as consent, performance of a contract, legal obligation, protection of vital interests, tasks carried out in the public interest, or legitimate interest balanced against the fundamental rights of data subjects. Where Renaissance Learning is the Processor, it defers to its customers to provide the lawful basis for collection and processing as the data Controllers under the GDPR.

Conditions for consent

In those situations where consent is required, consent must be freely given, informed and unambiguous. Where Renaissance Learning is the Processor, it defers to its customers as the Data Controllers under the GDPR for securing any required consents. Further details regarding consent may be found in the agreements between you and Renaissance Learning.

Security of processing

Keeping personal data secure is important, and the GDPR requires that Controllers and Processors implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Renaissance Learning takes the security of the personal data it processes seriously and follows the leading industry standards for data security. Further details can be provided upon request.

Data Subject Rights & information

Articles 13 and 14 of the GDPR set forth requirements related to Data Subjects’ Rights. Renaissance Learning is equipped to assist its customers with their obligations with these new Data Subject Rights.

Data protection impact assessments

Controllers and Processors must create centralized repositories containing records of processing activities carried out on personal data.

Data Protection Officer

Where a Controller’s or Processor’s core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or the large-scale processing of special categories of data, they must appoint a Data Protection Officer. Renaissance Learning has appointed a Data Protection Officer, who can be reached at privacy@renaissance.com with any questions. Additional contact information can be provided upon request.

Controller-Processor relationships

Binding contracts that set forth the terms of process to be performed and provide Controllers the right to object to Sub-Processors engaged by the Processors are required between Controllers and Processors. If you are an existing customer, by 22nd May 2018, you or someone in your organization should have received a data processing addendum to execute, but if not, please contact privacy@renaissance.com. New customers will have the processing-related contract requirements embedded in their terms of service.

Data breach reporting

The GDPR imposes new requirements related to breach notifications. The GDPR requires that, where feasible, the Controller shall notify the relevant Supervisory Authority within 72 hours after becoming aware of a breach involving Personal Data. If there is a likely high risk to the rights and freedoms of natural persons, the affected data subjects will be notified without undue delay. Renaissance Learning is ready for its obligations here as well, in the unlikely and unfortunate event it is necessary. We will also assist our customers in complying with their obligations related to data breach notifications.