Like many of you, CEM has been working over the last twelve months to ensure its technologies, its processes, its procedures and its staff would be compliant with the new EU General Data Protection Regulation by the 25th May 2018.

Many of you have been in touch to ask us about our preparations, and so we have placed as many of your questions in this FAQ as we could answer. If you have other specific questions feel free to contact us on This email address is being protected from spambots. You need JavaScript enabled to view it.

FAQ Our Position

What is a school’s relationship with CEM under GDPR?

  • The school is joint Data Controller with CEM.

Please provide a summary of the activities undertaken to ensure CEM’s compliance with the EU GDPR

  • All staff have completed compulsory Information Governance and Data Protection training.
  • Regular awareness and advice sessions have been run within CEM for staff
  • All information flow documentation has been updated and risk assessments undertaken
  • Relevant policies and procedures have been updated to align with GDPR
  • End User Licence Agreements have been updated in line with GDPR
  • An updated Privacy Notice is available to customers on
  • Retention of personal data has been defined and is also available at the above link
  • Updated Data Protection Privacy Impact Assessments have been completed


What personal data do you process on our behalf?

Please see our Privacy Notice at to see what personal data we process for each of our assessment systems and entrance assessments.

What technical and organisational security measures do you have in place to ensure a level of security appropriate to the risk?

  • We do not currently anonymise personal data we hold as we believe our technical and organisational security measures are strong enough to mitigate the risk to data held on our servers. All staff laptops are encrypted.
  • Confidentiality – access to data on CEM’s network is restricted to CEM staff only. A username and password is required to access the network. The network is protected by firewalls at the University perimeter. Servers are high availability VMware servers, backed up every night.
  • Servers run as virtual servers, facilitating rapid restoration in the event of systems failure.
  • The CEM network undergoes an annual external Penetration Test by a reputable 3rd Party firm.

Do you engage sub-processors?

Only for some paper-based Entrance Assessments.

Do you have a new End User Licence Agreement containing specific GDPR clauses?

Our Assessment and Monitoring Systems EULA's can be found at

Is any data stored outside of the EU

No, all of our data centres are in the EU.

We use cookies to improve our website and your experience when using it. Cookies used for the essential operation of the site have already been set. To find out more about the cookies we use and how to delete them, see our Privacy Policy. By visiting this website you are accepting the Terms and conditions.

I accept cookies from this site


Read our Privacy Notice (opens in new window)


Read our Privacy Notice (opens in new window)


Please fill out the information below and we will get back to you.