NWEA MAP Growth Overview
The European Union's new General Data Protection Regulation (GDPR) went into effect on May 25, 2018. It replaced the Data Protection Directive 95/46/EC and contains several new protections for EU data subjects. It also contains new requirements for organizations like NWEA and for our partners (controllers). The purpose of this overview is to provide our partners with a high-level description of how NWEA MAP Growth will comply with the GDPR and how partners as controllers have a role in supporting NWEA's compliance.
As a data processor, NWEA understands its obligations to comply with the GDPR. We have thoroughly analyzed GDPR requirements and have put in place a dedicated internal team to drive our organization to meet them. Our GDPR program includes:
Data Portability Right. GDPR gives data subjects the right to receive personal data concerning them. Controllers must provide the data in a commonly used and "machine-readable" format, and data subjects have the right to transmit that directly to a competitor. In support of this, MAP Growth allows controllers to download MAP Growth data for a data subject in .CSV format, which the partner can then provide to the data subject. Please note that data subject requests to NWEA for personal data under this section of the GDPR will be directed to the applicable partner (the controller) for fulfillment.
Right to Erasure. The GDPR recognizes the right to erasure. Controllers must erase personal data without undue delay if the data is no longer needed and notify third parties, including processors, to erase the personal data. Data subjects also have the right to withdraw consent. In the event a partner receives such a request from a data subject or determines that the data is no longer needed, partner shall send a written request to NWEA via email to email@example.com and include the following: (i) requestor's name, title and contact information; (ii) the name of the requesting school or entity with NCES # (if applicable); (iii) a request to erase the data subject's information; (iv) the data subject's first and last name; and (v) an attestation that requestor is duly authorized and has legal capacity to execute the request.
Right to Rectification & Access. Schools can use this overview and NWEA's explicit consent to process personal data form if a data subject requests a right to access their personal data under the GDPR. In the event a data subject requests to rectify inaccurate personal data, NWEA will work with the administrator of the applicable school to correct such information.
Data Security. As a processor of personal data, NWEA develops and implements privacy and information security measures to protect the confidentiality, integrity and availability of partner personal data. In doing so, personal data is processed in a manner to ensure the appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures. Further information on MAP Growth's data security measures can be found in NWEA's MAP Growth Security Whitepaper located here: https://legal.nwea.org/map-growth-information-security-whitepaper.html. NWEA also conducts information security and privacy employee training, including GDPR training to applicable internal departments.
Breach Notification. In the event a breach of security leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed by NWEA, NWEA will notify the applicable controller without undue delay and, where feasible, not later than 72 hours after becoming aware of the confirmed incident. Under the GDPR, notification is not required if: (i) the breach is unlikely to result in a high risk for the rights and freedoms of the data subject; (ii) appropriate technical and organizational protections were in place at the time of the confirmed incident (e.g. encrypted data); or (iii) notification would trigger disproportionate efforts (instead a public information campaign or similar measures should be relied on so that affected individuals can be effectively informed).
Additional questions regarding NWEA's MAP Growth GDPR program can be sent to firstname.lastname@example.org.
NWEA Legal Services Team
Document Last Modified: November 7, 2018