Alumni Management & GDPR Complianceby Community Admin in Release Updates | Last Edited: 04th September 2017
For EnterpriseAlumni customers, compliance is provided as a service within the solution, ensuring that at all times the services offered meet all global compliance and inclusion requirements. Our compliance center is up to data with all cookie, accessibility and now GDPR requirements.
What is GDPR?
On May 25, 2018, the EU General Data Protection Regulation (GDPR) will come into effect. In a sentence:
“GDPR aims to protect the privacy of EU citizens, specifically their “right to be forgotten” – aka, their right to demand that organizations identify and eradicate any and all data about them”
Why does it affect your Alumni population?
Whilst GDPR only protects EU citizens, it applies to all companies with a global footprint, independant of whether they have a physical presence in the EU.
GDPR compliance is required if a website is operated that uses technologies such as cookies to monitor people based in the EU or collects any data that may include information about EU citizens.
As such, your Alumni portal must be GDPR compliant as you might have registrations from EU citizens, the policy also being applicable to EU employees.
Some examples of new GDPR requirements
Within the many new requirements, there are three that form the foundation of our design and deliver requirements: Consent, Right To Access and Right to be Forgotten:
The conditions for consent have been strengthened, and companies will no longer be able to use long illegible terms and conditions full of formal, incomprehensible language. The request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.
Right to Access
Part of the expanded rights of data subjects outlined by the GDPR is the right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format. This change is a dramatic shift to data transparency and empowerment of data subjects.
Right to be Forgotten
Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure, as outlined in Article 17, includes the data no longer being relevant to original purposes for processing, or a data subjects withdrawing consent. It should also be noted that this right requires controllers to compare the subjects’ rights to “the public interest in the availability of the data” when considering such requests.
What is GDPR compliance?
GDPR compliance for EnterpriseAlumni is currently being rolled out in beta to provide sufficient time for enhancements, procedural requirements and communication requirements.
We are currently finalizing our escalation procedures as it relates to Breach Notifications which is described as:
Under the GDPR, breach notification will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach.
Our next EnterpriseAlumni release will include:
(1) an updated consent program to ensure it is clear to end users what data is being requested, what it is being used for and when it is accessed.
(2) an updated portal for Alumni members to quickly view and download all data we currently hold the user as well as the associated processing framework (what we do with the data).
(3) a process to enable a user to “be forgotten” which in addition to the archiving and deletion concepts associated with a user will include the communications to the end user confirming what steps have been taken until completion.
GDPR Website: https://www.eugdpr.org/key-changes.html