1. What do I need to do as a customer of IRIS Connect to ensure we are GDPR compliant?
Please see this article on GDPR compliance.
2. How does GDPR affect organisations being able to record video?
Please see this article on GDPR compliance.
3. Where is the data we upload to the IRIS Connect platform stored? What is the data storage location?
For the locations of where your data is stored see our Organisation Agreement, section 16.3.
4. Is IRIS Connect GDPR compliant and able to demonstrate compliance?
IRIS Connect is GDPR compliant. To review all our policies and certificates, see our GDPR page and our compliance statement.
5. Do you have a process for deleting personal data when asked by the data controller?
Yes – see our policies:
Data Retention Policy, Privacy Notice, Organisation Admin Agreement.
6. What data does IRIS Connect hold in relation to our organisation?
Please see the IRIS Connect Privacy Notice.
7. How long does IRIS Connect store our data for?
For data where you are the Data Controller, you manage how long the data is stored. See the Data Retention policy and Organisation Admin Agreement for more information.
For data where we are the Data Controller, see the privacy notice.
8. Who does IRIS Connect share our data with?
IRIS Connect does not share any data where you are the Data Controller and IRIS Connect is the Data Processor.
For any data where IRIS Connect is the Data Controller, we only share data with partners that IRIS Connect has certified to represent it exclusively in specific regions. Further information on this can be found in the privacy notice.
9. Does your organisation provide training to staff on data protection management?
All staff are provided with the necessary training on GDPR, including data protection management.
10. What technical and organisational security measures do you have in place to protect personal data?
Please see our Security Measures and Controls document for our security provisions and procedures as well as our security and safeguarding articles.
11. Do you have a written policy for data protection? If yes, does it provide a procedure for data breaches and notification of customers of a breach?
Yes see our data policies on the GDPR section of the Support Hub, in particular, the Data Breach Response and Notification Procedure.
12. In the event of a data breach, what is the process?
See our data policies on the GDPR section of the Support Hub, in particular the Data Breach Response and Notification Procedure.
13. Should there be a breach, please confirm that you notify us as soon as you are aware?
Yes. See our data policies on the GDPR section of the Support Hub, in particular the Data Breach Response and Notification Procedure.
14. In the event of a breach please confirm that you will cooperate with us to report, manage and recover data that you have also had access to or use?
Yes. See our data policies on the GDPR section of the Support Hub, in particular the Data Breach Response and Notification Procedure.
15. Are you registered with the Information Commissioner’s Office?
Yes, IRIS Connect registered as a data processor on 22nd April 2010. Our certificate can be found here.
16. Does your organisation have differentiated access to data depending on the level of sensitivity?
Yes. Strict controls govern which staff may access data, and there are protocols for obtaining permission from clients when access is required. Each member of staff's level of data access is tied to their role and its specific requirements.
17. Are data management procedures regularly reviewed?
Yes, all policies and procedures are reviewed regularly.
18. Who is the person responsible for data management/protection in your organisation?
IRIS Connect’s Data Protection Officer is Simeon Drage who can be contacted on dpo@irisconnect.co.uk.
19. What action are you taking to comply with the GDPR?
We have been externally audited and certified under the UK Government's Cyber Security scheme. IRIS Connect has also completed an additional external audit of all of its services and teams to ensure that it complies with GDPR requirements. To support this compliance, IRIS Connect has reviewed all of its policies and procedures, which are available on help.irisconnect.com.
20. Do you have any information management accreditation?
We have had an external audit by a Qualified Security Assessor accredited by the PCI Security Standards Council. This included a gap analysis against the international standard ISO 27001.
21. Do you provide a processor contract that is updated to reflect the GDPR changes, including the following?
- That you help the data controller comply with requirements regarding the data rights of the individuals (e.g. to access, delete or rectify data), secure processing, the reporting and communication of data breaches, and the conducting of impact assessments where relevant
- That the data processor (IRIS Connect) processes data only on the documented instructions of the data controller
- That you delete or return the personal data to the data controller at the end of your provision of services
- That you make information available to us to demonstrate your compliance with the obligations in our contract, and allow the data controller or a 3rd party instructed by the data controller to conduct audits and inspections
- The subject matter, duration, nature and purpose of the processing
- The data controller's obligations and rights
- The type of personal data being processed
- The categories of the data subjects
- That the people who process the data are committed to confidentiality
- That you take measures to ensure secure processing
- That you will not engage another processor without prior written authorisation from the Trust, and that if you do so, that processor will also be bound by the same data protection conditions as are in your contract with us
Yes. We have updated our Organization Agreement, which acts as a processor agreement. All organizations are required to agree to it to continue to use our services. A copy of the agreement is here. Admin users agree to this agreement via the IRIS Connect Web Platform.
22. Does IRIS Connect process only on documented instructions, including international transfers?
Yes, this is covered in the Organization Agreement, Section 5.7.1: Customer’s Instructions.
23. Does IRIS Connect only use the data we provide or that you access from our organisations in accordance with our instructions?
Yes, this is covered in the Organization Agreement, Section 5.7.1: Customer’s Instructions.
24. Does IRIS Connect ensure those processing personal data are under a confidentiality obligation (contractual or statutory)?
Yes, all IRIS Connect employees have agreed to a confidentiality obligation via their employment contract.
25. Does IRIS Connect ensure that anyone in your organisation understands the data they have access to is confidential and must not be shared with anyone without the data controller’s prior agreement?
Yes, this is covered in the Organization Agreement, Section 7.2: Security Compliance by IRIS Connect Staff.
26. Does IRIS Connect take all measures required under the security provisions (Article 32) which includes pseudonymisation and encrypting data as appropriate?
Yes, for details about our security see our Security Measures and Controls document for our security provisions and procedures as well as our Security and Safeguarding section of our guides.
27. Does IRIS Connect take all steps to keep data secure, whether it is paper records, emails, digital or electronic?
Yes, for details about our security see our Security Measures and Controls document for our security provisions and procedures as well as our Security and Safeguarding section of our guides.
28. Does IRIS Connect only use a sub-processor (subcontractor) with the controller’s consent (specific or general, although where general consent is obtained processors must notify changes to controllers, giving them an opportunity to object)?
Yes, this is covered in the Organization Agreement 14.4 Opportunity to Object to Subprocessor Changes. Information on our processors and data sharing can be found in the web platform privacy notice.
29. If you subcontract any part of the task, and personal information and data is required by that subcontractor, you will seek and obtain our consent before proceeding?
Yes, this is covered in the Organization Agreement 19.4 Opportunity to Object to Subprocessor Changes. Information on our processors and data sharing can be found in the web platform privacy notice.
30. Does IRIS Connect assist the controller in responding to requests from individuals (data subjects) exercising their rights?
Yes, this is covered in the Organization Agreement, Section 12: Data Subject Rights; Data Export.
31. On occasion, we may receive a request to release information that we hold about an individual, whose data you have used or processed on our behalf. Please confirm that in those situations you will cooperate with us and provide all records about the person within a specified timeframe?
Yes, this is covered in the Organization Agreement, Section 12: Data Subject Rights; Data Export.
32. Does IRIS Connect delete or return (at the controller’s choice) all personal data at the end of the agreement (unless storage is required by EU/member state law)?
Yes, this is covered in the Organization Agreement, Section 17.6.5: Termination due to Non-Renewal of Subscription/Licence.
33. Does IRIS Connect make available to the controller all information necessary to demonstrate compliance; allow/contribute to audits (including inspections) and inform the controller if its instructions infringe data protection law?
Yes. All necessary information can be found on the GDPR page of our website.
IRIS Connect permits audits; this is covered in the Organization Agreement, Section 10.3: Customer's Audit Rights.
IRIS Connect will process data on the customer's instructions provided that doing so does not infringe data protection law. See the Organization Agreement, Section 5.7.1: Customer's Instructions.
34. What type of data are you collecting and processing?
For data where we are the controller, see our data privacy notice.
For data where you are the controller (any data you upload), it is for you to decide what to collect and upload and for what purpose. The platform allows users to upload images, text, attachments (files), video files, audio files and screen captures, and to host video calls.
This data is managed by the user, controlled by the organisation and processed by IRIS Connect as outlined in the Organisation Agreement and EULA.
35. Does any profiling of data subjects take place with the data you process on our behalf? What assurances can you give us?
No. Our DPA states that we only process data under the instructions of the data controller.
36. How is the disposal of data kept in your server assured? i.e. personal and other (e.g. Teachers' videos, students' appearances)
Can you clarify what automated removal of data takes place and how this is controlled and how is this user-driven?
Please see the Data Minimisation article and the Destruction of Data section of the Security Measures and Controls article.
37. Do you have processes to ensure all sub-contractors with access to data will also comply with these requirements?
Any third party goes through a GDPR review process before being used. Any third party that acts as a sub-processor must provide and sign a GDPR-compliant DPA with IRIS Connect, as set out in the Organisation Agreement, Use of Sub-Processors (Section 17).