On May 25, 2018, the European Union put into effect the General Data Protection Regulations (GDPR). The EU enacted the GDPR to give its citizens more control over their data and require certain security and transparency measures from the businesses and organizations that keep that data. The GDPR regulates any entity that controls or processes the personal data of any EU citizen—which affects not only Populi but also many of our customers.
This article describes the tools Populi makes available to your school to help you comply with the GDPR.
Lawful basis for processing
The GDPR requires that you have a lawful basis for processing data about a particular EU citizen. Populi includes two tools to help you keep track of lawful basis.
Contacts > GDPR
The GDPR report in Contacts helps identify people who may be EU citizens but for whom a lawful basis for data processing has not been recorded. It lists people who have EU citizenship, whose primary address is in an EU country, or whose home country is in the EU.
If a person is on this report, it does not necessarily mean you need to start tracking lawful basis for him. The report simply brings people who may be EU citizens to your attention.
To find this report, go to Contacts > People and select GDPR from the Show drop-down.
Profile > Info
On Profile > Info, you can track lawful basis for a person under Other Info. If the person is already listed as a citizen of an EU nation, Populi may already be tracking lawful basis according to the items shown under step 3, below. Here's how to start tracking lawful basis and manually-add a data processing basis for an EU citizen.
- If the person is a citizen of an EU member nation, add or edit his Citizenship field.
- After saving, you'll see a new Data Processing Basis field.
- Populi will automatically track lawful basis when the person participates in any of the following:
- Admissions inquiries or applications
- Making a donation
- Transcript requests
- Making a bookstore purchase
- Getting the student, staff, or faculty user roles
- Getting a user account
- If none of those events have occured, you can also manually track lawful basis. Click and select Add data processing basis.
- Select the data processing basis from the drop-down. You can also enter an optional comment.
- Click Save when you're done.
After adding the data processing basis, you'll have these options:
- Click to view the data processing log. A manually-added basis will display as with the name of the user who added it. An automatically-tracked basis (see step 3, above) will display as added by System.
- Click to remove a manually-added basis.
- If you manually-added Consent, you'll have the option to Revoke Consent. Revoking consent will appear in the log.
Data portability
The GDPR requires that you provide a way for a "data subject" (EU bureaucratese for human being) to retrieve a copy of all of the data you are storing about him. Your school's Populi Account Administrator can send a data archive for any person in the system. Active users can also download their own personal data archives.
Sending a data archive for another person
To send a person his data archive:
- Go to the person's profile.
- In the upper right corner of the profile next to his user information, click .
- Select Send Personal Data Archive.
- Choose an email address to which you'll send the archive.
- When you're ready, click Send Data Archive.
It can take several minutes to compile the archive. Once it's compiled, Populi will email it to the address you selected.
Exporting your own data archive
Anyone with an active user account can export their own personal data archive.
- Click your name in the upper right corner of the screen and select Settings.
- Click the Security view.
- Under Personal Data Archive, provide the email address to which you'd like to send the archive.
- Click Send Data Archive to finish.
It can take several minutes to compile the archive. Once it's compiled, Populi will email it to the address you selected.
Data backups and GDPR
Populi keeps regular, automatic backups of your school's data. Such backups are securely stored in a separate location and are meant to restore your data in case of emergency; secondarily, they provide historical data “snapshots” for various uses. We can view a snapshot of your data as it was at any particular minute in the last 30 days, and after that daily snapshots are taken out to 180 days. Each backup is a complete copy of everything in your Populi database.
When you delete your data—whether because it was deleted for normal reasons (errors and mistakes, etc.), someone requested you to do so under GDPR, or your school canceled its account with Populi—here is how that deleted data is handled in our regular backups:
- That data is marked as deleted in our databases and is no longer accessible via your school's Populi site. However, it is retrievable by us for various uses in providing you with Populi. We call this "soft-deleting".
- If the deleted data is attached to academic or financial information, GDPR permits Populi to retain it in perpetuity for various purposes (a subpoena, for example). Such data remains "soft-deleted" and is not purged (see below).
- 26 weeks after it is marked deleted, it is fully purged from our active database. It is now "hard-deleted".
- However, one day before that, the deleted data is included in the regular backup. It is therefore included in that secure, offsite backup in its "soft-deleted" form. It is still retrievable by us, but it would take a lot of work to do so.
- After another 26 weeks, the backup is purged and that deleted data is, as they say, all gone.
0 Comments