GDPR is a new European law that gives individuals rights regarding their information/data (online as well as offline/hard copies) and sets new regulations for organisations on how they process and use this data.
“The mutually agreed General Data Protection Regulation (GDPR) came into force on May 25, 2018, and was designed to modernise laws that protect the personal information of individuals. It also boosts the rights of individuals and gives them more control over their information.”
DVT Insights 12 Feb 2019
GDPR enforces controls between the Data Controllers who use and share your data, the Data Processors who gather and store your data, and you, the Data Subject. MultiMe welcomes the new regulations and the transparency and control they bring to data subjects in Europe. Unlike most other social networks, we are not in the business of selling our users’ data to marketing agencies or other third parties for profit. At MultiMe our mission is to provide our end users with a platform and toolkit that gives them control over their own data/information. In order for us to market our product and provide the functionality our users require, we do need to collect and store some personal data from you, and be GDPR compliant in how we do this.
The Data Subject
The data subject is the individual who is identified from the data. So for example, a user of the software could physically input data about you/your child into MultiMe, meaning you/your child would be the data subject, not the user who has inputted the data.
The Data Controllers
“‘data controller’ means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be processed.”
Examples of Data Controllers are Multi-Me Ltd. and organisations that are supporting users with their own MultiMe accounts or hosting MultiMe for service users.
The Data Processors
“‘data processor’, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.”
Examples of Data Processors are Multi-Me Ltd. and any third party software services that we use to process data. For example, we use Amazon Web Servers to host the software and data, and we use Telestream to encode your videos.
What is personal data/information?
Examples of personal data:
- a name and surname
- a home address
- an email address such as firstname.lastname@example.org
- an identification card number
- location data (for example the location data function on a mobile phone)
- an Internet Protocol (IP) address
- a cookie ID
- the advertising identifier of your phone
- data held by a hospital or doctor, which could be a symbol that uniquely identifies a person
- Photographs and media can be considered personal data if they are ‘obviously about a particular individual’. At MultiMe we treat all photos and videos as personal data for this reason.
Multi-Me needs to comply with GDPR as a Software Provider
Multi-Me Ltd. is the company that hosts the MultiMe and WikiMe software and is a Data Processor. We also use other companies to provide services on the platform that also need to be GDPR compliant; they are listed as third party services that we use. Data Processors are responsible for:
- Keeping up to date records of data processing activities
- Maintaining appropriate data security for our products
- Getting consent from our Users for any data processing and from guardians of children under 16
- Appointing a data protection officer (DPO) and providing sufficient staff training about GDPR
- Carrying out risk assessments on any new data processing activities
- Implementing data protection by design (default settings)
- Taking responsibility for the security and GDPR compliance of third party services that we use
- Notifying data protection agencies and affected individuals of any data breach
About families and friends using MultiMe
“Family and friends” are not data controllers or processors, though perhaps they need to follow some rules of courtesy in a similar way to how they might use social media, e.g. asking permission before taking a photo and uploading it.
Individuals do not fall under GDPR, but do need to comply with the Mental Capacity Act if the individual is over 16. Families, friends and supporters will need to adhere to the Mental Capacity Act in deciding whether or not consent, or a best interest decision, is required to upload data on behalf of an individual.
About organisations using MultiMe
Organisations working with individuals using MultiMe will also need to be GDPR compliant in how they do this, as potential data controllers alongside Multi-Me Ltd. Merely viewing a user’s data as an organisation is not being a data controller; inputting details about the individual, uploading photos of them, or using an individual’s data to generate a report etc. is being a data controller. Like any other software or data gathering activity, the use of our software by a service provider and their staff should be included in their own data protection policies and GDPR compliance. For more information about making your organisation compliant, please visit the ICO website.
Individuals/families inviting organisations to join an account
If a school, for example, accesses the software with permission sent by the family, it will depend on whether any information is downloaded / transferred to the school system, in which case it would be “held” by the school and the school would have to act as data controller.
For any information created by the school and then a copy put on MultiMe (which is likely also to have a copy held separately by the school), the school would be the data controller.
Providers hosting accounts for individuals and inviting families/carers etc.
Where a school or provider purchases / hosts the software and is holding details of the families using it, the school will be the data controller for that data, as the school collects and holds the data. If the school requires MultiMe to have access to the data (e.g. to administer part of the system, or to fix a technical issue), MultiMe would then be the data processor.
Families need to be made aware, through a school privacy notice, of how a school etc. would use their data if the school is hosting the system. They also need to be made aware that by sharing information with a school etc., the school has responsibilities under GDPR (and other things like safeguarding) to keep the families’ information safe, to only share it in certain circumstances and to destroy it after a certain period of time.
If you have any questions about GDPR or data protection and our software, please email them to us at: email@example.com