How is Encompass preparing for GDPR?
At Encompass we understand the importance of personal data and have taken steps to protect and secure this information within the infrastructure of the Encompass platform. While it is our clients that have the specific legal obligations under the GDPR, Encompass places the utmost importance on data protection and is committed to helping our clients comply with this new regulation.
What should you do to be GDPR ready?
1. Identify an individual controller or data privacy taskforce to determine how your institution is going to comply with the GDPR.
2. Understand and analyze how your constituents’ data is being processed, stored, retained and deleted, and not only at your own institution but also at any third-party vendor with whom you share this data.
3. Determine how your institution is going to respond to individuals when they exercise their rights, such as requests for data access or erasure.
4. Create an employee awareness plan to ensure everyone understands how to be GDPR-compliant.
5. Develop a data breach notification process.
What happens if we don’t comply?
Since the GDPR applies regardless of geography, it does not matter where your organization is headquartered: compliance is required for any organization or institution that processes the personal data of residents of the EU. That means any study abroad student who has returned to the EU, any alumnus who has relocated to the EU, any supporter located in the EU, and essentially anyone in your database with an address in the EU is covered by this new law. Non-compliance comes with a hefty price tag: the organization is subject to fines of up to 4% of annual global turnover or €20 million.
How is GDPR different than the Data Protection Act?
While the GDPR builds upon and ultimately replaces the Data Protection Act of the 1990s, there are notable enhancements to keep up with the technological developments of the past two decades. A few key highlights are noted below, but organizations should read the complete General Data Protection Regulation to fully understand the differences.
- Right to Erasure – An individual will have the right to be forgotten, which means an individual can request that all data containing their information be permanently deleted. In higher education, this has implications for the individual’s transcript and academic records.
- Right to Access – An individual has the right to request the details of what personal information is being stored about them at any point in time.
- Data Portability – The organization must be able to provide individuals with a copy of their personal data in machine readable format upon request.
- Express Explicit Consent – You are required to inform individuals how their personal information will be processed and provide them with an easy way to withdraw consent.
- Breach Notification – A breach must be reported to the regulatory authorities within 72 hours of the organization becoming aware of it and, when applicable, to the affected individuals whose data has been compromised.
- Privacy Impact Assessments – Organizations are required to conduct Privacy Impact Assessments (PIAs) to identify and minimize privacy risks.
What is the difference between a Data Processor and Data Controller?
Within our business, the data controller is the party who determines the purposes and means of the processing of personal data, which in this case is the client (institution/foundation/alumni association). Any time data is collected, be it through a giving form, event registration, directory update, etc., the controller is the party making the data request. The processor in this scenario is Encompass: while the controller is the vehicle for requesting said data, the processor processes the personal data on behalf of the controller. Personal data can include, but is not limited to, an individual’s name, contact information, email address, date of birth, and IP address.
Recommended Practices for Using Encompass with EU Residents
Encompass will publish recommendations for using Encompass in compliance with the GDPR. These recommendations should be incorporated into your processes and controls for your use of Encompass. Details on these recommendations will be posted within the GDPR section of the Support Center starting in mid-February.
I have a question that is not answered here. Can you help?
Please feel free to submit additional questions about the GDPR to our team using this link and we will do our best to respond in a timely fashion. Please remember that questions specific to your institution should be addressed directly to your internal Data Protection Officer and/or legal team.