General Data Protection Regulation (GDPR)
One of MSL’s top priorities is the security of clients’ data as well as data provided by individuals to MSL for other business purposes. For us, this goes hand in hand with maintaining compliance with all applicable legislation and regulation governing the processing of that data.
You will be aware of the updated data protection law, the General Data Protection Regulation (GDPR), which comes into force in May 2018. Whilst MSL regrets it cannot give legal advice to its clients (all of whom should take responsibility for their own compliance), we will share with our clients the challenges of understanding the GDPR and ensuring our compliance over the coming months.
MSL has an ongoing GDPR compliance programme in preparation for the new laws and we are monitoring guidance from the UK Information Commissioner’s Office (ICO) and European authorities as it becomes available.
At this stage, we believe it will be necessary to make some changes to the privacy terms and notices on the MSL web site and to our European client licence and service agreements.
Our objective is to ensure compliance by MSL and work with our clients as they endeavour to comply too. If you are an existing MSL client and will be affected by this, MSL will be in touch with you in due course.
While the regulations apply directly to all our European clients, our other clients will also benefit from enhanced security and flexibility as a consequence.
MSL proposes to use this page to post relevant news and updates on GDPR to inform and assist its clients to prepare for GDPR compliance.
As product changes are approved for inclusion in MSL’s Roadmap, these will be described on the Roadmap pages and also referenced here.
MSL has completed the essential legal drafting of new agreements for new clients and a standard contract variation for existing clients to maintain compliance with legislation on data protection through the introduction of GDPR.
We are now consulting with our legal advisers and with clients on the introduction of a standard data retention policy for personal information, which will be included with the new agreements. Any client who wishes to offer us their views or be included in the consultation is very welcome to send them to us at email@example.com.
Another useful resource from the ICO comes in the shape of this 12-step checklist to ensure your organisation is prepared for May 2018:
The ICO has helpfully provided a self-assessment tool for organisations planning their own compliance programme:
If you have questions about MSL's GDPR compliance programme, please contact us using the form opposite.
MSL Community Q & A
MSL provides this information in good faith for the benefit of its clients but accepts no responsibility or liability for its accuracy in law or otherwise. Clients are advised to seek their own legal advice. MSL reserves the right to modify or delete this information without notice.
Q What if a student changes their mind about their data sharing - i.e. whether it's to give or withdraw permission - is there something in place that can switch on or off a student's data feed from the University without SU staff having to manually do it?
A Adding or removing a student’s data from the feed that is provided to MSL is the responsibility of the data controller i.e. the Students’ Union / Association and/or their University or College.
Q What steps are in place to identify a data breach? I presume we may need to share this with our University in order to help reassure them.
A Our forthcoming GDPR compliance contract change will include MSL’s obligation (if it is MSL’s breach) to report a personal data breach without undue delay and in any event within 48 hours, in recognition of the data controller’s obligation to report to the ICO within 72 hours. If it is the client’s breach (e.g. an unencrypted file goes awry) then it’s their obligation.