Data Subject Removal requests

Introduction:

This document outlines the process for handling Data Subject Removal (DSR) requests from CIS in compliance with the General Data Protection Regulation (GDPR). It provides step-by-step instructions for CIS Support and includes details on dealing with external third-party references.

The intended audience for this document are the CIS Support team and internal contacts involved in handling DSR requests.

Quick Overview of Steps:

Update Contact Status, Department, and Ownership
Update Contact Consent
Anonymise Contact Addresses
Cancel Gift Aid Declarations
Resolve external references and communicate with the relevant parties

Detailed Process:

0.5 Check if there are legacies pending

The Legacy team need access to a record to confirm if a will has been fulfilled after an individual has passed. First check the external references to see if there is a link to First Class.

If there is a link to First Class, please contact Kelly Marie Braund on kellymarie.braund@diabetes.org.uk to confirm if the legacy has been fulfilled. You may need to restrict access to the record till the legacy has been fulfilled.

If there is no link, carry on as usual.

1.0 Update Contact Information

1.1 Contact Status:

Set the contact's status to ITDQ (IT Data Quality) and update the status reason to include the iService ticket URL for tracking purposes.

Note:

- If the contact's status is DE (deceased), leave the status as is and do not update it.

- If the contact's status is REF (referral), report back to Information Governance and Fundraising Compliance for further advice on the request.

- If the contact's status is ITMM (IT mismerged) , report back to Information Governance and Safeguarding for further advice.

1.2 Contact Department:

Update the department to GDPR.

Note:

If the department field is SAF (safeguarding), leave the status as is and do not update it. Report back to Information Governance and Safeguarding for further advice.

1.3 Contact Ownership:

Set the ownership group to GDPR.

Note:

- If the ownership group field is SAF, leave the status as is and do not update it. Report back to Information Governance and Safeguarding for further advice

- [TODO] After the ownership group has been set to GDPR you will need appropriate permissions to access the contact record in order to complete the remaining steps.

2.0 Update Consent

Marketing consent is to be removed for all channels and prevent selection for any new unsolicited marketing.

2.1 Update Consent Preferences:

Use the New Telephone Call function as found on the CIS Toolbar.

CIS toolbar - New Telephone Call

A new window will open:

Complete the following fields:

- Set the Precis to the iService ticket URL

- Set the Source code to 0XSZAXX00

- Set the Topic Group to SPER

Click Save and then Close.

3.0 Anonymise Contact Addresses

3.1 Create a new Unknown address record:

For the contact, create a new address record as follows:

- Set address line 1 to Unknown Address, and set Town to UNKNOWN

- Leave all other address fields blank

- Set the unknown address as the DEFAULT

- Under Address Usages, set to Mailing Communications

4.0 Check for Gift Aid Declarations

To prevent future Gift Aid claims for the contact, active Gift Aid declarations will need to be cancelled.

4.1 Cancel active Gift Aid Declarations

Cancel active Gift Aid declarations if found as follows:

- Set the Cancellation reason to ITDQ

- Set the Source code to 0XSZAXX00

Inform the appropriate manager in business support. WHO?

5.0 Resolve External References

Check for references in order to contact third parties that may hold our contact's information on their system.

5.1 Check for External References held on CIS

A SQL script can be used to pull all references held for a given contact in CIS. This script will return a list of the references related to external third-party systems.

For each reference found, check against the list of internal DUK contacts below, who will handle the deletion requests with the respective third parties.

Third-party DUK contact

Role

Email address Dot Digital David Smith
Technical Architect david.smith@diabetes.org.uk
Mosaic Niall Durdin
Fundraising Supplier Manager niall.durdin@diabetes.org.uk
Manifesto Patrick Murtagh
Digital Programme Manager patrick.murtagh@diabetes.org.uk
Shopify Shirley Quinn Senior eCommerce and Trading Manager shirley.quinn@diabetes.org.uk
Sterling Grace Akintokun Senior Supporter Development Manager grace.akintokun@diabetes.org.uk
Active Network Jess D'Arcy
Senior Events Manager - Mass Participation jess.d'arcy@diabetes.org.uk
EverGiving
Tendai Horton Direct Marketing / Acquisition tendai.horton@diabetes.org.uk

Third-Party references and DUK contacts: Last updated 2023-10-10

5.2 Send request(s) to DUK internal contacts to issue deletion request to third-party:

For each third-party reference found in the SQL list, send a canned response via the service desk ticket to the respective internal contact as per the table above.

I have followed the standard process we were given by the vendor and the method developed by the Information Systems Management Team.

Where status is null set to = 'ITDQ'

Ownership Group = GDPR
Department = GDPR
I have removed all consent, to all channels.
I have added a new postal address = "UNKNOWN"
I have made the as-is address historic.

I have set valid to on all communications devices
I have checked external references and emails. Other systems that need updating:

Delete email address from Bronto, digital will need informing.

[TODO] Add steps on using the DSR reference canned response

Add information on how DUK contacts update the ticket and monitoring.

Chasing DUK contacts for updates

Ticket status cycle - i.e. At Resolved and only Closed when all references complete

7.0 Appendices

7.0 Document Properties

Property Value Version
1.3 Last updated 2024-11-10 Author Michael Geelan Last Updated By Veda Vakili
Reviewers
Approval date