General Data Protection Regulation (GDPR)

On 25 May 2018, the General Data Protection Regulation (GDPR) will be enforced across Europe, including the UK. The law aims to give individuals in the EU more control over their personal data and to create a single set of rules that is enforced uniformly across the continent.

The GDPR applies to data controllers and data processors established in the EU. It also applies to organisations based outside the EU that process the personal data of people in the EU, for example because they offer goods or services to them or monitor their behaviour.

About GDPR Guidelines

Under the GDPR, the definition of personal data is broad: it covers any information relating to an identified or identifiable person, in their professional or personal life, including names, photographs, email addresses, bank details, social networking posts, medical information and online identifiers such as an IP address.

Given the complexity of the rules set out by the GDPR, it is not surprising that many of our customers feel overwhelmed when working out their obligations. While Finalsite cannot provide legal advice specific to your organisation’s obligations, we can offer further information on how to manage personal data more effectively, both internally and externally:

1.    Know what personal data you hold, and why you hold it
2.    Manage that data in a structured way
3.    Know who is responsible for it
4.    Encrypt anything you would not want disclosed
5.    Build a security-aware culture
6.    Be prepared: expect the best but plan for the worst

Data Breaches

There is a mandatory obligation to manage personal data breaches and to report them to the supervisory authority within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned. A processor that discovers a breach must notify the controller without undue delay.

Data Processors

It is the school’s responsibility to ensure that its third-party suppliers comply with the GDPR in respect of the data they process on the school’s behalf.

Tougher Penalties

Significant fines will be enforced for non-compliance, alongside the potential impact on Ofsted ratings of deficiencies in data policies and processes.

Supplier Agreements

There are increased demands on the legal agreements with all suppliers, which must set out how personal data is stored and processed.

Finalsite & GDPR

What is GDPR?

The General Data Protection Regulation (GDPR) was adopted by the EU in April 2016 and will replace the current EU Data Protection Directive 95/46/EC. 

The purpose of the GDPR is to protect the fundamental rights and freedoms of people in the EU with regard to the use of their personal data.  Because it is a regulation rather than a directive, it applies directly in every EU member state without national implementing legislation, giving all member states one uniform data protection law.  It is also important to note that companies such as Finalsite that market goods or services to people in the EU must comply with the regulation regardless of where the company is located.

The GDPR introduces new obligations for Finalsite as a “data processor” and for our clients as “data controllers”, including those based outside the EU, wherever they process data relating to people in the EU, across all industries.

The core concept behind the GDPR is that data privacy and integrity is a right of every individual in the EU, and it rests on six core principles:

1. Lawfulness, Fairness and Transparency
2. Purpose Limitation
3. Data Minimisation
4. Accuracy
5. Storage Limitation
6. Integrity and Confidentiality

Data controllers and processors that do not comply with the regulation can incur fines of up to 4% of annual worldwide turnover or €20 million, whichever is higher.

What is Finalsite Doing to Comply with GDPR?

The GDPR aims to harmonise data privacy rules across the EU. There are many aspects to consider to ensure full compliance for data controllers and processors, irrespective of their location. The Regulation affects companies differently, and particularly companies such as Finalsite that hold and process large volumes of personal data on behalf of others.

We take our role as a processor of your personal data seriously.  Finalsite has expanded its security and legal teams with the aim of designing and carrying out ongoing assessments of all aspects of our business, so that we can account for all the personal data we are instructed to process.

As a data controller, you can be confident that as a result of these ongoing reviews, Finalsite will keep updating the procedures we have in place to ensure our compliance with the GDPR.

However, providing our data controllers with robust business processes for the protection of personal data is only half of the solution.  Finalsite has also made a considerable investment in our technologies and infrastructure so that we operate our platform in a secure, high-integrity environment, further strengthening the protection of your personal data.

GDPR component chart

Infrastructure

Review, analyse and update Finalsite’s infrastructure to ensure state-of-the-art performance of our products while maintaining the necessary security controls.

Data Mapping

Detailed knowledge of how personal data flows through Finalsite’s web solutions. Our customers can always be assured that we know what personal data we receive, where it is held and where it goes.

Business Process

Finalsite always seeks to implement best-in-class business processes through sound industry practice and our own innovation; the amendments required for the GDPR will be reflected here.

Access Control

Implementing suitable access controls to ensure that only authorised personnel and systems can access the personal data we hold on your behalf.

Consent

Take all steps to ensure that, where consent is the basis for processing, it is clear, affirmative and specific.

Sub-Processor Vendors

Continue to be transparent with our customers about the sub-processor vendors we use to process personal data, and ensure that those vendors adhere to the GDPR’s standards.

Application Updates

Communicate the changes we make to our applications and products, and ensure that our GDPR obligations continue to be met through those updates.

Customer Contracts

Finalsite has entered, and will continue to enter, into legal agreements with its customers, including Data Processing Agreements, in order to document and secure its legal obligations to them.


Data mapping is the first step; continuous tracking is our ongoing commitment to our customers. Finalsite will continue to track its data and processes to adhere to GDPR standards.

How Does the GDPR affect schools?

The GDPR brings new demands and challenges that will impact school resources and ultimately finances.

Primarily, the GDPR strengthens the school’s obligation to inform parents and students about how their data is being used and by whom. There has been a lot of panic about the introduction of the GDPR; the good news is that, compared with many private organisations, schools are much better placed to address the new regulations. While mapping and auditing how personal data is stored and shared will take extra work, schools with or without existing data protection policies should see the GDPR as an opportunity to improve the way they work.

The main topics schools should consider in their approach to GDPR compliance include:

  • Consent – consent is only one of the lawful bases for processing under the GDPR. Where a school relies on it, for example for processing outside the school’s normal functions or where a third party will manage the data, consent must be freely given, specific, informed and unambiguous, and given by a parent or by the student depending on the student’s age.
  • Data Protection Officer – most schools will need to appoint a Data Protection Officer in order to be GDPR compliant.
  • Data Processing Agreements (DPAs) – schools must not only be compliant with the regulation themselves but must also ensure that the third-party suppliers who process any of their data are GDPR compliant.  A sure way of doing so is to have a legally enforceable DPA that sets out what personal data is being processed, who is processing it, who has access to it and how the third-party supplier protects it.
  • Data monitoring – schools will need the ability to monitor the use of the personal data they hold and to detect any breaches that arise.  For example, any personal data breach that is likely to result in a risk to the individuals concerned must be reported to the ICO within 72 hours of the school becoming aware of it.

How can Finalsite help you with GDPR compliance?

First, by being compliant ourselves!

Finalsite has a team in place dedicated to compliance with the GDPR and all related security and data protection issues. But do not take just our word for this. 

Mark Orchison is the Managing Director of 9ine - an industry leader in the field of GDPR compliance for schools and a strong partner with Finalsite in this space. On our GDPR compliance he states:

“Finalsite has always been a pioneer in the school website industry and their on-going application to GDPR compliance is no different.  They have taken and continue to prioritize product security and data protection as a level 1 initiative. They have also put in place and continue to review and add best practice policies that are needed to help them and their school customers enforce regulatory compliance and remain innovative in this space.”

Secondly, by partnering with industry leaders such as 9ine, we provide our customers with access to all they need to know about GDPR compliance.  9ine’s consultancy services provide expertise in audit and compliance strategies for your school that include technology, data protection, cyber security, safeguarding and the cloud.

Request More Information on GDPR

Have questions on GDPR? Speak with one of our experts for more information.