RM and Transition to the GDPR
The General Data Protection Regulation (“GDPR”), which came into force on 25 May 2018, is a regulation intended to strengthen and unify data protection for individuals within the European Union. It has introduced new responsibilities for Controllers and Processors, increased the rights of data subjects and carries far tougher sanctions than the current Data Protection Act, which it supersedes. The GDPR has been incorporated into UK law as the Data Protection Act 2018 (“DPA 2018”).
This statement outlines RM’s approach and commitment to GDPR and DPA 2018 compliance.
RM has always taken its responsibilities towards data protection seriously. RM is the Controller for some sets of data, including but not limited to its employee data and the data of its consumer customers. It is also the Processor for customers, suppliers and other third parties, managing and processing their personal data. Both of these roles carry increased accountability and compliance obligations under the GDPR.
From early 2017, RM undertook preparations in order to become fully GDPR compliant in good time for May 2018. RM established the RM GDPR Working Group, with membership drawn from across the RM Group, to oversee the transition work. The purpose of the RM GDPR Working Group was to: (a) examine existing security and data protection systems and processes; (b) identify the collection, usage, storage and disposal of personal data; and (c) report progress to the Group Security & Business Continuity Committee, which acts on behalf of the Board on all matters relating to security and data protection governance.
The Information Commissioner’s Office (“ICO”) issued a number of guidance documents on GDPR transition, including “Preparing for the General Data Protection Regulation (GDPR) – 12 steps to take now”. RM used this guidance to structure its approach to the GDPR and data protection in general, and where necessary, made the appropriate updates to policy and/or practice. RM will continue to review its approach to GDPR and DPA 2018 compliance in accordance with any guidance issued by the ICO in the future.
RM has, where necessary, amended its activities and associated policies and procedures in order to comply with the GDPR, following a thorough assessment by the RM GDPR Working Group.
For the purposes of this statement, “RM” and “RM Group” means RM plc (Reg No. 01749877), RM Education Ltd, RM Results (trading division), RM Educational Resources Ltd, and TTS Group Ltd. See the latest RM plc Annual Report for further details about RM.
RM and Brexit - Company Statement
Like most organisations in the United Kingdom, RM has been preparing for all eventualities with respect to the UK leaving the European Union, since it was initially proposed.
On 24th December 2020, the UK government announced that a trade deal had been reached with the EU. Although the details of the agreement have yet to be fully evaluated, RM wishes to reassure all customers that RM expects to be in a position to continue to provide all of its products and services with the same levels of professionalism and care that customers have received over the past 45 years, and as they would expect in the future.
Whilst the trade agreement does not cover international data flows, and to date the EU has not determined whether the UK will be granted “Adequacy” status (which would maintain an equivalent legal basis for data transfers to that which applied when the UK was part of the EU), RM does not believe this should give customers reason for concern. The EU and the UK have agreed a six-month period during which the UK will not be considered a “third country”, so that all data flows to and from the EU can continue under existing contracts, agreements and regulatory frameworks; RM expects an agreement to be reached during that time.
Further, work has been done and continues to be done to ensure that appropriate legal protections are incorporated into RM contracts to ensure that even in the absence of an agreement regarding data flows, data will continue to be transferred in full legal compliance with all applicable laws, and without interruption.
Accordingly, the RM position on data flows is as follows:
- the UK Government has already stated that it will confer Adequacy on data flowing from the UK to the EEA, so data can flow from the UK to the EU as currently;
- if the EU grants the UK Adequacy status, data will be able to flow from the EU to the UK as currently;
- if Adequacy is not granted during the next six months, then, as per ICO guidance, EU “model clauses” are in place with our relevant data providers (who host our data “in the cloud” via their EU datacentres), which provide a legal basis under which data can flow from the EU to the UK as currently.
On that basis, RM believes that we have the appropriate legal frameworks in place to continue to operate as now, with data flowing between the UK and EU in both directions as we currently do.
This approach will be kept under review and will take account of any future decisions by the EU or the UK government, and in the light of any future guidance by the ICO.
Updated 4th January 2021
Brexit FAQs
Q. Where is my data stored?
A. Many of RM’s products and services are hosted in Microsoft Azure, with data centres in Dublin and Amsterdam. The legal framework for this is set out in the Terms & Conditions for products and services, as well as RM’s Privacy Policy, which are accessible via RM web sites and product portals.
The main exception to the above is RM Integris, which is hosted in UK data centres.
Further information is available below in product sections.
Q. Can our data be accessed from outside the EU?
A. As set out in the Privacy Policy, RM’s provision of the products or services to you may require the transfer of Data to RM’s wholly owned subsidiary, RM Education Solutions India Private Limited (“RMESI”), which operates outside the European Economic Area (EEA). RMESI has signed standard contractual clauses (“model clauses”) which have been approved by the European Commission for transfers of personal data outside of the EEA. Further details can be found in the Privacy Policy, which is accessible on all RM web sites.
Q. What impact will Brexit have on the security of our data?
A. None. The data will still be managed in accordance with the strict security controls in place prior to Brexit.
Q. What impact will Brexit have on the availability of our data?
A. None. The data will still be accessible through the products and services that you currently use.
Q. What impact will Brexit have on RM’s supply chain?
A. At the current time, no significant changes are planned for RM’s technical supply chain, e.g. third party or cloud hosting.
Q. Will RM update its Terms & Conditions, and its Privacy Policy, in the light of Brexit?
A. RM keeps these documents under regular review and will revise them if and when this is required by any changes arising from exiting the EU.
General FAQs
Q. Has RM changed and reissued contracts / terms and conditions in light of the change in data protection legislation?
A. RM has used the ICO’s transition guidance to review its legal and contractual obligations, and has made any necessary amendments to policy or practice. As part of this work, we have updated both our Privacy Policy and the Terms & Conditions relating to our products and services. These changes were completed by 25th May 2018.
Additionally, we have conducted a review of existing negotiated contracts and, where amendment was required, we have engaged with customers and suppliers to agree such changes.
Q. Is RM’s Privacy Policy compliant with the GDPR?
A. RM has used the ICO’s transition guidance to review its legal and contractual obligations, and has made any necessary amendments to policy or practice. As part of this work, we updated our Privacy Policy, which is available on our website.
In addition, during 2018 the PECR (Privacy and Electronic Communications Regulations), which sets additional requirements for how organisations use cookies, will be replaced by the ePR (e-Privacy Regulation). RM will make any required amendments to the Cookies Policy and practice in the light of this legal change.
Q. Are RM’s processes relating to obtaining and managing consent compliant with the GDPR?
A. The ICO has issued a number of guidance documents on GDPR transition, including “Preparing for the General Data Protection Regulation (GDPR) – 12 steps to take now”.
RM has used the ICO’s guidance on consent to review how it obtains and manages consent. Where current practice was deemed not to be compliant with the GDPR, it has been changed.
Q. Is RM’s use of cookies compliant with the GDPR?
A. RM has used the ICO’s GDPR transition guidance to review its legal and contractual obligations, and has made the necessary amendments to policy or practice, including how we use cookies on our web sites and customer-facing platforms. Where current practice was deemed not to be compliant with the GDPR, it has been changed. Our Cookies Policy has also been updated.
In addition, during 2018 the PECR (Privacy and Electronic Communications Regulations), which sets additional requirements for how organisations use cookies, will be replaced by the ePR (e-Privacy Regulation). RM will make any required amendments to the Cookies Policy and practice in the light of this legal change.
Q. Does RM have a Data Protection Officer?
A. RM has appointed a Data Protection Officer, who can be contacted at dataprotection@rm.com
Q. Does RM have a Data Protection Policy?
A. The Data Protection Policy can be downloaded here.
Q. Where does RM store customer data?
A. RM stores customer data in secure data centres within the EEA.
Q. How long does RM retain customer data?
A. RM retains customer data in accordance with contractual requirements, its Privacy Policy and product Terms and Conditions. In addition, specific products allow customers to determine and implement their own data retention periods for their data.
Q. How does RM ensure compliance with individuals’ rights under the GDPR?
A. RM’s Data Protection Policy summarises RM’s approach. If, for example, an individual or customer believes that their data held by RM is inaccurate in some way, then RM will investigate this, and where required, rectify any confirmed inaccuracies. Processes for data retention, data erasure, data rectification, etc. may vary between different products and services.
Q. How will RM respond to a Subject Access Request from a customer?
A. Where a data subject makes a Subject Access Request (“SAR”), or a Controller asks RM to support them in responding to a SAR, the response will be determined by a number of factors, e.g. the nature of the data to be retrieved and the type of system or systems in which the data is stored. RM’s SAR process takes account of the revised timescales and obligations under the GDPR.
Q. Does RM share customer data with third parties?
A. Customer data is shared with third parties where this is required by contracts, or is necessary to provide specific services. The details of where data is shared are set out in the Privacy Policy and in product Terms and Conditions.
Q. What technical and non-technical controls does RM use in order to ensure data security?
A. RM has a Group Information Security Framework, based on ISO 27001, the international standard for information security management. In addition, a number of business units are certified to ISO 27001:2013.
A wide range of technical controls are used, including but not limited to:
- Data encryption
- Anti-virus and anti-malware software
- Network monitoring
- Access management
- Vulnerability scanning and penetration testing
- Physical security controls at RM offices
- Security policies, including Data Classification & Handling, Data Protection, etc.
- Security training
Technology from RM
Q. What has RM done to ensure that it is compliant with the GDPR?
A. RM is part of the RM Group and participated in a Group-wide GDPR Transition Programme. This Programme used the ICO’s guidance documents on GDPR transition, including “Preparing for the General Data Protection Regulation (GDPR) – 12 steps to take now”. For further information on this, please refer to the General FAQs section.
RM applies a range of data protection and information security controls in accordance with Group security policies. In addition, ISO 27001:2013 certification is maintained by two of its business areas: Connectivity Services and RM Unify.
During 2018, a new Group Information Security Framework is being implemented across the RM Group, including RM. Adherence to the Framework will be audited by a central compliance function.
Product queries
Q. What has RM done to ensure that RM Unify supports compliance with the GDPR?
A. For details on RM Unify please click here.
Q. What has RM done to ensure that RM Safetynet supports compliance with the GDPR?
A. For details on RM Safetynet please click here.
Assessment from RM
Q. What has RM done to ensure that it is compliant with the GDPR?
A. RM is a trading division of the RM Group and participated in a Group-wide GDPR Transition Programme. This Programme used the ICO’s guidance documents on GDPR transition, including “Preparing for the General Data Protection Regulation (GDPR) – 12 steps to take now”. For further information on this, please refer to the General FAQs section.
RM’s e-assessment and data management business is based on long-term contracts with a range of governmental and non-governmental organisations. These contracts set out specific requirements for data protection and information security. Where necessary, contracts have been updated to reflect the replacement of the Data Protection Act 1998 by the GDPR.
As a data management business, data security is critical to RM. RM is certified to ISO 27001:2013, the international standard for information security management. The certification covers all products and services. Key suppliers, such as scanning partners and hosting providers, are also certified to ISO 27001:2013.
Further information on specific products and services is available on request.
TTS Group (“TTS”)
Q. What has TTS done to ensure that it is compliant with the GDPR?
A. TTS is part of the RM Group and participated in a Group-wide GDPR Transition Programme. This Programme used the ICO’s guidance documents on GDPR transition, including “Preparing for the General Data Protection Regulation (GDPR) – 12 steps to take now”. For further information on this, please refer to the General FAQs section.
TTS applies a range of data protection and information security controls in accordance with Group security policies. In addition, TTS ensures that it maintains PCI DSS compliance in order to protect card payments.
During 2018, a new Group Information Security Framework is being implemented across the RM Group, including TTS. Adherence to the Framework will be audited by a central compliance function.
Enquiries
All enquiries about individual GDPR matters should be made to our Group Data Protection Officer.
Please email dataprotection@rm.com