Welcome to the Renaissance Learning GDPR Compliance Overview

Updated 3 May 2018

 

Introduction

The overview that follows provides what we at Renaissance Learning and myON by Renaissance (collectively, “Renaissance”) hope are helpful insights and information about our General Data Protection Regulation (“GDPR”) compliance efforts and, when relevant, how we can help you be ready for your GDPR-compliance obligations. We also address the potential implications of the United Kingdom’s (“UK”) decision to leave the European Union on or after 29 March 2019 (“Brexit”).

Brexit will have some impact on all companies operating in or from the UK. Renaissance has been closely following Brexit and its implications for our business and for our customers. Renaissance has been working hard to ensure we will be able to continue the smooth flow of personal data between and among, where relevant, the EU, UK, and United States. Renaissance has contingencies in place for each potential outcome: a “no deal” Brexit or a “deal” Brexit. Finally, Renaissance is committed to complying with whatever data protection law the UK enacts to mirror the protections of the GDPR post-Brexit.

If after reading this and Renaissance Learning’s privacy policy you still have questions, please contact our Data Protection Officer at [email protected].

Renaissance Learning is committed to GDPR compliance

Beyond Renaissance Learning’s commitment to complying with the GDPR, navigating the GDPR requires cooperation and communication between data controllers, processors, and data subjects. We have carefully examined the provisions of the GDPR applicable to Renaissance Learning and our applications, and we are closely tracking applicable GDPR guidance issued by regulatory authorities. This allows us to give school administrators, students, and their parents the tools necessary to enjoy a GDPR-compliant use of Renaissance Learning's applications.

GDPR overview

As a regulation instead of a directive, the GDPR is enforceable as law in all EU member states and aims to harmonize the separate member state implementations of data protection laws, streamlining compliance by providing a single set of principles to follow. While there are a great number of resources available regarding GDPR, we recommend governmental resources. To that end and for a more detailed overview, please see https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/ or https://www.dataprotection.ie/en/dpc-guidance.

Renaissance Learning’s GDPR compliance journey

Renaissance Learning understands that handling your data requires trust, and we have long been committed to maintaining that trust. We, like many of our customers, started from a strong position on data security and data processing and adjusted to the GDPR. What follows is an overview of just some of the steps we took to be ready for the GDPR.

Our GDPR compliance journey started by gathering a team of experts within the company from legal, information security, product engineering, marketing, and sales—both in the United Kingdom and the United States—to specifically address the GDPR’s new requirements. We then appointed a Data Protection Officer to oversee Renaissance Learning’s GDPR compliance programme.

Then, over the next several months, Renaissance Learning underwent a comprehensive, detailed analysis of our data handling and security practices. We then took our findings and laid them against the GDPR’s requirements and current guidance from the relevant regulators to assess whether they met the requirements or whether further attention may be required.

Since completing that analysis, we have updated internal procedures and revised our customer-facing policies and notices. Here is our revised privacy policies document, for both the website and our applications.

You have Renaissance Learning’s commitment to operate within the GDPR’s requirements and to continue to work with our customers to ensure they have the information they need to be ready as well.

Frequently asked questions about personal data

What is personal data?

The GDPR defines Personal Data broadly to include any of the following information relating to an identified or identifiable person.

Identity

  • Name
  • Home address
  • Work address
  • Telephone number
  • Mobile number
  • Email address
  • Passport number
  • National ID card
  • National Insurance Number (or equivalent)
  • Driver's license
  • Physical, physiological, or genetic information
  • Medical information
  • Cultural identity

Artefacts

  • Social media posts
  • IP address (EU region)
  • Location / GPS data
  • Cookies

It is important to note that Renaissance does not process all of these types of personal data in the context of our applications, and the list of processed Personal Data may vary slightly from school to school. Please refer to your parameters set at implementation for the definitive list. Our website privacy policy discloses the type of online artefacts that we may collect and the conditions surrounding that collection. However, Renaissance's policy is only to collect data strictly necessary for our products to work, or that our customers request we process.

How long does Renaissance Learning maintain our personal data?

Our GDPR data retention policies are set forth in the respective privacy policies.

Where is personal data stored?

Personal data collected in the context of our Renaissance applications is stored on our secure servers in the United States. It is important to remember that the GDPR does not contain any obligation to store information only in Europe. However, transfers of European personal data outside the European Economic Area (“EEA”) generally require that a valid transfer mechanism be in place to protect the data once it leaves the EEA (see Chapter V, Articles 44-50). On this issue, Renaissance Learning is GDPR ready by adhering to the EU-US Privacy Shield Framework and other mechanisms.

Personal data collected in the context of myON products is stored on an Amazon Web Services (“AWS”) server in the United Kingdom, but is accessed by our research and product teams in the United States. As a result, we treat AWS-housed Personal Data as if it were transferred to the United States and on this issue comply with the EU-US Privacy Shield Framework and other relevant mechanisms.

EU–U.S. Privacy Shield

Renaissance Learning (including myON) participates in and is certified under the EU-U.S. Privacy Shield Framework (the “Framework”). That means that, in addition to the GDPR strictures, Renaissance has certified that it adheres to the Privacy Shield Principles of Notice; Choice; Accountability for Onward Transfer; Security; Data Integrity and Purpose Limitation; Access; and Recourse, Enforcement and Liability. To learn more about the Privacy Shield Framework, visit https://www.privacyshield.gov/. To view our certification, visit the U.S. Department of Commerce’s Privacy Shield List. If you have questions about our participation in the Privacy Shield program or have a complaint, please send an email to [email protected].

Other GDPR FAQs

For some companies, the GDPR will change the way data is collected, as well as how those companies obtain, document, and manage the legal basis for processing. Below is an overview of some of the key GDPR requirements and how Renaissance Learning addresses them, where applicable. Please note that other questions, such as school control of data, what information Renaissance collects, how that data is used, and how in limited circumstances Renaissance may share that information are addressed in our application privacy policy, found in the Application Privacy Policies box on this page. As always, if you have any questions, please do not hesitate to contact our Data Protection Officer at [email protected].

Application Privacy Policies

For information on Renaissance Learning practices with respect to our software applications and the privacy of all student data, refer to the documents below:  

Key requirements

Brief description and Renaissance Learning's position

Data protection by design and default

Controllers (schools) and Processors (Renaissance Learning) must incorporate data protection into new products and services that involve processing of personal data and consider data protection issues in all business decisions. Renaissance Learning is ready to adhere to this principle.

Lawfulness of processing

Processing must be based on one of a number of different lawful bases, such as consent, performance of a contract, legal obligation, protection of vital interests, tasks carried out in the public interest, or legitimate interest balanced against the fundamental rights of data subjects. Where Renaissance Learning is the Processor, it defers to its customers to provide the lawful basis for collection and processing as the data Controllers under the GDPR.

Conditions for consent

In those situations where consent is required, consent must be freely given, informed and unambiguous. Where Renaissance Learning is the Processor, it defers to its customers as the Data Controllers under the GDPR for securing any required consents. Further details regarding consent may be found in the agreements between you and Renaissance Learning.

Security of processing

Keeping personal data secure is important, and the GDPR requires that Controllers and Processors implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Renaissance Learning takes the security of the personal data it processes seriously and follows the leading industry standards for data security. Further details can be provided upon request.

Data Subject Rights & information

Articles 13 and 14 of the GDPR set forth requirements related to Data Subjects’ Rights. Renaissance Learning is equipped to assist its customers with their obligations regarding these new Data Subject Rights. Please contact your Renaissance representative or our Data Protection Officer at [email protected].

Data protection impact assessments

Controllers and Processors must create centralized repositories containing records of processing activities carried out on personal data.

Data Protection Officer

Where a Controller’s or Processor’s core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or the large-scale processing of special categories of data, they must appoint a Data Protection Officer. Renaissance Learning has appointed a Data Protection Officer, who can be reached at [email protected] with any questions. Additional contact information can be provided upon request.

Controller-Processor relationships

Binding contracts are required between Controllers and Processors. These contracts set forth the terms of the processing to be performed and give Controllers the right to object to Sub-Processors engaged by the Processors.

Data breach reporting

The GDPR imposes new requirements related to breach notifications. The GDPR requires that, where feasible, the Controller shall notify the relevant Supervisory Authority within 72 hours after becoming aware of a breach involving Personal Data. If there is a likely high risk to the rights and freedoms of natural persons, the affected data subjects will be notified without undue delay. Renaissance Learning is ready for its obligations here as well, in the unlikely and unfortunate event it is necessary. We will also assist our customers in complying with their obligations related to data breach notifications.

Brexit Update (as of 11 March 2019)

Renaissance has been following closely the various potential outcomes of Brexit. While there will be little immediate change from a data-compliance perspective under situations where the U.K. leaves the E.U. in a negotiated fashion, if there is no deal, compliance mechanisms will vary depending on the situation. See the table below for more information:

| Personal Data Origination | Personal Data Recipient Country | What this means under a “No Deal” Brexit |
| --- | --- | --- |
| European Union | United Kingdom (e.g., myON UK AWS server, customer support, sales, similar functions) | Until the EU makes an adequacy decision with respect to the UK, transfers shall be made in accordance with GDPR Article 49(1)(c), Derogations for Specific Situations or, if requested by a school, under model clauses |
| European Union | United States (e.g., Renaissance products; support functions for myON UK) | No impact – EU-US Privacy Shield still applies to EU to US personal data transfers |
| United Kingdom | European Union | No impact on personal data transfers |
| United Kingdom | United States | EU-US Privacy Shield applies, with slight modifications (see https://www.privacyshield.gov/article?id=Privacy-Shield-and-the-UK-FAQs). |