The General Data Protection Regulation (GDPR) is an EU regulation designed to standardize the protection of personal data collected or processed from data subjects (identified or identifiable natural persons) residing in the European Union. The Regulation takes effect on May 25, 2018.
According to Article 5 ("Principles relating to processing of personal data") of the GDPR:
According to Article 4 ("Definitions") of the GDPR:
The GDPR applies to any organization that processes or holds the personal data of subjects residing in the European Union, whether or not the organization itself is located in the EU.
Article 6 of the Regulation defines what constitutes "lawful" processing of personal data. Item 1(a) from the article states:
1) Processing shall be lawful only if and to the extent that at least one of the following applies:
a. The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
Recital 32 of the Regulation states the following about consent:
- Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.
- This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data.
- Silence, pre-ticked boxes or inactivity should not therefore constitute consent.
- Consent should cover all processing activities carried out for the same purpose or purposes.
- When the processing has multiple purposes, consent should be given for all of them.
- If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
NeonCRM provides standard consent fields that can appear on all online forms to collect and store this information.
To enable the standard consent fields, go to System Settings > System Settings Home > Forms & Web Pages and click Data Privacy & Consent.
You will see a list of 5 available fields to enable. These fields will record separate consent statuses for each of the 5 following potential uses of your constituents' personal data:
- Email communications
- Phone communications
- Mail communications
- SMS communications
- Data sharing (the sharing of personal data with a 3rd party)
By default, these fields are disabled. You may enable only those that pertain to the type of use you intend to make of your constituents' data.
Enabling a consent field will automatically place a checkbox requesting that consent on all standard online forms that collect personal data. You will still have to add these fields manually to Custom Forms.
Each consent field comes with default text like that shown below. You can edit this text to display your own preferred wording.
Click the green Save button to save any changes you make. Restore Default Text will restore the display text of all consent fields to the default.
On the same page, you can enable a Privacy Statement to appear on your online forms in the same section as the consent fields. You can display your entire privacy statement on the form, or link to a page where the statement can be read separately.
Once enabled, your consent fields and/or privacy statement will appear on all online forms that collect personal data:
Existing constituents who already have accounts in your database will be able to update their consent information at any time from the Update My Profile page of the Constituent Login Portal:
The "controller" is your organization. Your online forms should clearly identify you and the purpose(s) for which you are collecting any personal data.
If you'd like to provide details about your organization on your online forms that aren't already included in your web template, you can do this by adding header or footer content to any section of your forms using the Configure Fields & Sections utility.
You can use the same utility to provide the required details regarding the purposes of the processing for which the personal data are intended. You may include this information on the form itself, or link to a separate page.
Any consent fields you enable will become available on your account Create and Edit pages, with a default value of Consent Not Asked:
If you know an account's consent status for any of these fields, you can change the status to Consent Given or Consent Declined as appropriate.
The current Data Privacy & Consent status of each account will now display in the Basic Information section.
You can also add Consent Status information to accounts through the Import Manager.
Each consent status field is available for mapping in the Account Import process when importing new accounts. You can also update the consent status of existing accounts through the Account Batch Update process.
You can view the history of any account's consent status from that account's detail page. First, use the "Page Settings" feature to configure your personal account view so that it includes the "Data Privacy & Consent Log" section:
This section will show a full log of all changes made to each account's consent status, including which status was changed, when it was changed, and how the change was made (by the constituent, by a staff member, by the import manager, etc.).
Several reports will also allow you to search by consent status and/or to view the consent status of accounts in the report results. These reports include:
- Mailing Report
- All Accounts Report
- Email Audience Report
- Stats Report
If you enable any consent fields and then disable them, the fields will disappear from your online forms and your account pages, but the consent data itself will remain in your system. If you ever re-enable those fields in the future, the data will be restored.
You will still be able to report on existing consent data, even if the consent fields themselves are disabled.