Have you heard about the new data privacy law affecting European Union (EU) citizens? Are you wondering whether there’s anything you need to do with the student data you collect through AwardSpring to comply? Some of our competitors have released complicated and confusing explanations of GDPR. At AwardSpring, we think it’s important to explain the new law in an easy-to-understand way. Read on for a plain-English primer on the new regulation and an explanation of how AwardSpring can help you comply with the new law.
About General Data Protection Regulation (GDPR)
On May 25, 2018, the EU implemented GDPR, a law that regulates how companies store and use personally identifiable user data, and how they explain that use. All organizations that handle the data of EU citizens must comply with GDPR, no matter where those organizations are based.
Here are the core elements of GDPR, along with details about how AwardSpring facilitates customers’ compliance:
Organizations must be clear about how data is used. Since AwardSpring’s launch, we’ve been committed to making our data usage policies clear and easily available to our users. Our privacy policy was written in plain English to make it as easy to understand as possible.
As a service provider, AwardSpring actually does very little with user data; it’s our customers who collect and use user data through our platform. That’s why we require all customers to provide us with their own easy-to-understand privacy policy that explains how they use applicant data. We publish a link to your privacy policy alongside our own on every page of the application.
Organizations must collect only necessary data. AwardSpring recommends that customers limit the user data they collect to just the essentials for the scholarship application process.
Organizations must allow users to request the deletion of their data if the personal data is no longer necessary. Any AwardSpring customer or user can request that we delete his or her data at any time. In response, customers can delete users, which removes all associated data - so be sure that you no longer need the data before deleting a user!
Organizations must meet technical requirements for data storage. AwardSpring meets the technical requirements outlined by the law, which include:
- Having an information security policy and regular reviews
- Utilizing encryption
- Maintaining multiple, redundant forms of backup across disparate geographic locations
- Training staff on user privacy
Organizations must disclose any privacy breaches. In the unlikely event of a data breach, we are contractually obligated to notify our customers in writing as soon as possible.
Organizations must test regularly for vulnerabilities. AwardSpring regularly uses automated scans to check for vulnerabilities in our system.
While the vast majority of AwardSpring’s data is for non-EU citizens, we are still committed to complying with GDPR’s common-sense, user-first data protection guidelines. If you are an AwardSpring customer, we recommend that you review your own privacy policy to ensure it complies with GDPR, too. Be sure to send us an updated version of your privacy policy if you do make any changes. And if you have any questions at all about our data protection policies, please get in touch!