While the iModules team works to provide you with the latest General Data Protection Regulation (GDPR) updates for Encompass, we wanted to share some additional talking points for your institution to consider as you map out your internal GDPR strategy.
1. Identify and Segregate your Institution’s GDPR Records
You will need to be able to identify your constituents who are covered under the GDPR and assess the impact to your organization and your communications processes.
2. Managing Opt-In Communications
Starting on May 25, 2018, those constituents covered by the GDPR will need to have provided you with explicit consent for future communications, meaning they will need to have opted-in to receive your messaging prior to this date. It’s important to start thinking about how you will want to manage the process to allow constituents to opt-in to these emails, and communicate this process to them before the official implementation of the GDPR legislature. For those currently opted-in for your communications, you must provide them with an easy way to withdraw consent.
3. Data Protection Officer Identification
A designated Data Protection Officer (DPO) must be assigned, in addition to a back-up resource. The DPO will serve as the official point of contact for GDPR compliance and associated activities. iModules and other data processors will need to connect with these individuals for ongoing communications and share of resources including our GDPR Community Forum for real-time updates we provide about the GDPR.
4. Managing Data Requests
Any constituent protected by the GDPR will have the ability to request their data at any point in time. iModules will provide you with the tools and processes to support your need to pull individual constituent data points out of Encompass for these requests to be aggregated with your source of record.
5. Managing Data Deletion Requests
Any constituent protected by the GDPR can exercise their right to be forgotten at any point in time. Deleting information that includes things such as degrees earned, courses taken, giving history, etc., is not likely the intent of these requests, so defining how the database of records handles these requests and the flow to/from the respective supporting systems (data processors) will be an important outcome of establishing GDPR processes.
As a reminder, this new privacy law will goes into effect in the European Union on May 25, 2018 and aims to protect the personal information (data) of EU-based residents. Any organization that works with an EU residents’ personal information has new standards they must adhere to, or risk penalty.
We will continue to share frequent updates with your team. In the meantime, please feel free to submit your GDPR-related questions, explore the GDPR FAQs, and engage in the GDPR forum. We’re here to help!