Preparing for the GDPR

On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) will go into effect. The EU enacted the GDPR to give its citizens more control over their data and to require certain security and transparency measures from the businesses and organizations that keep that data. The GDPR regulates any entity that controls or processes the personal data of any EU citizen—which affects not only Populi but also many of our customers. Here is a guide to how we are preparing for the GDPR and the tools we’re building to help our customers who are affected by the new regulations.

Legal language

As contemplated by the GDPR, Populi, as a data processor, provides the tools and services our customers—who are data controllers—may use to collect, store, and maintain personal data about EU citizens (data subjects in GDPR parlance). In light of this, we’re reviewing our public legal documents and will be updating the appropriate sections of each policy. We’re also reviewing our internal Security Policy regarding data deletion, customer data backups, and our own security precautions.


By May 25, 2018, we plan to have released the following Populi updates. These new features will give our customers the tools to comply with the data protection, transparency, and portability requirements of the GDPR for data subjects stored in Populi.

  • We’ll be adding a way to track your “lawful basis” for keeping data about a citizen of the EU, including a report to let you identify people in your system for whom you may need to establish that lawful basis.
  • We’re building a data portability tool that will allow citizens of the EU to export data kept about them in Populi.
  • We’re updating our customer data retention procedures to keep in line with the GDPR’s requirements for permanent data deletion.

Services we use

The GDPR will not just affect the relationship between Populi and our customers. We ourselves do business with several companies to provide Populi to you. For example, we use Zendesk to provide crucial aspects of our customer support. Our internal review process will cover our own responsibilities in light of these relationships—we will examine our vendors’ own updates to make sure they provide us with the processes and tools we will need.

Your own review

Between these tools and our own internal changes, we’ll be doing our part to prepare for the GDPR. If your school maintains data on any EU citizens (whether in Populi or another system), you may also benefit from your own internal review.

Updates are coming

As we release updates to our software and legal documents, we’ll make sure to inform you via Populi’s system notices, our weekly Release Notes, and other appropriate media.