Per GDPR requirements, your institution’s constituents to whom GDPR is applicable have the right to request what data we track on them. As such, we have implemented a process to fulfill these inquiries, based on the type of request.
The Right of Access/The Right to be Informed:
To make a data request on behalf of your constituent, simply contact the Encompass Application Support team by emailing and provide the following:
- An email subject title of “GDPR Data Request”
- Applicable Member ID(s) for those constituents who are making this request. A given constituent may have more than one Member ID based on non-member records, so please be sure to include any and all applicable Member IDs in your request for this data.
Upon receipt of this request, Encompass will provide XML files with all data that is captured for the provided Member ID(s). The initial SLA for completion of the data request will be 10 business days.
Right To Be Forgotten:
In addition to requesting data, a given constituent can also request that this data be deleted. To fulfill such a request, the same process is followed, with the request indicating a deletion rather than a simple request for the data.
To make a data request on behalf of your constituent, simply contact the Encompass Application Support team by emailing and provide the following:
- An email subject title of “GDPR Data Deletion”
- Applicable Member ID(s) for those constituents who are making this request to have their data deleted. A given constituent may have more than one Member ID based on non-member records, so please be sure to include any and all applicable Member IDs in your request for this data.
As it pertains to data deletion specifically, please be aware of considerations including the following:
- Marking constituents as deleted for GDPR in your live data will not affect any existing Encompass backups.
- Data backups, which are kept should you ever need a restore at any point, are purged every 6 months.
- In the event that a data restore is needed, Encompass will make reasonable efforts to verify that the deleted-for-GDPR flag is re-applied to any records previously marked as deleted. However, your institution should verify this flag is applied correctly for all constituents that have exercised their right to be forgotten.
Additionally, when a record has been deleted for GDPR, you will want to ensure that any data imports that occur do not contain this same information, as importing it will create a new record. Due diligence will be needed to ensure those records are not recreated.