Data Privacy and Consent (GDPR Compliance)

Contents
What is the GDPR?
How does the GDPR relate to the data recorded in my NeonCRM?
Is my organization required to comply with the GDPR?
How NeonCRM can help you comply
Enabling consent fields
Privacy statement
Consent fields and privacy statement on your online forms
Managing consent fields as a system user
Importing consent information
Viewing and reporting on consent information
What happens if I disable consent fields?
Related Guides

What is the GDPR?

The General Data Protection Regulation (GDPR) is an EU regulation designed to standardize the protection of personal data collected or processed from data subjects (identified or identifiable natural persons) residing in the European Union. The Regulation takes effect on May 25, 2018.

The entire Regulation including all of its articles and recitals can be read here.

How does the GDPR relate to the data recorded in my NeonCRM?

According to Article 5 ("Principles relating to processing of personal data") of the GDPR:

Personal data shall be... processed lawfully, fairly and in a transparent manner in relation to the data subject ('lawfulness, fairness and transparency');

According to Article 4 ("Definitions") of the GDPR:

'Processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Is my organization required to comply with the GDPR?

The GDPR applies to any organization that processes or holds the personal data of subjects residing in the European Union, whether or not the organization itself is located in the EU.

How NeonCRM can help you comply

Article 6 of the Regulation defines what constitutes "lawful" processing of personal data. Item 1(a) from the article states:

1) Processing shall be lawful only if and to the extent that at least one of the following applies:

a. The data subject has given consent to the processing of his or her personal data for one or more specific purposes;

Recital 32 of the Regulation states the following about consent:

  • Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.
  • This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data.
  • Silence, pre-ticked boxes or inactivity should not therefore constitute consent.
  • Consent should cover all processing activities carried out for the same purpose or purposes.
  • When the processing has multiple purposes, consent should be given for all of them.
  • If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

NeonCRM provides standard consent fields that can appear on all online forms to collect and store this information.

Enabling consent fields

To enable the standard consent fields, go to System Settings > System Settings Home > Forms & Web Pages and click Data Privacy & Consent.

zd_gdpr_data_consent_settings.jpg

You will see a list of 5 fields that you can enable. These fields record a separate consent status for each of the following 5 potential uses of your constituents' personal data:

  • Email communications
  • Phone communications
  • Mail communications
  • SMS communications
  • Data sharing (the sharing of personal data with a third party)

By default, these fields are disabled. You may enable only those that pertain to the type of use you intend to make of your constituents' data.

Enabling a consent field will automatically place a checkbox requesting that consent on all online forms that collect personal data. Each consent field comes with default text like that shown below. You can edit this text to display your own preferred wording.

zd_gdpr_enable_consent.jpg

Click the green Save button to save any changes you make. Restore Default Text will restore the display text of all consent fields to the default.

Privacy statement

On the same page, you can enable a Privacy Statement to appear on your online forms in the same section as the consent fields. You can display your entire privacy statement on the form, or link to a page where the statement can be read separately.

zd_gdpr_enable_privacy_statement.jpg

There is no default text for the privacy statement.

Consent fields and privacy statement on your online forms

Once enabled, your consent fields and/or privacy statement will appear on all online forms that collect personal data:

zd_gdpr_consent_fields_on_forms.jpg

Existing constituents who already have accounts in your database will be able to update their consent information at any time from the Update My Profile page of the Constituent Login Portal:

zd_gdpr_constituent_update_consent.jpg

According to Recital 42 of the Regulation, informed consent requires that

the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended.

The "controller" is NeonCRM. The words "Powered by NeonCRM" appear by default at the bottom of your forms, with a link to our company website:

zd_gdpr_controller_info.jpg

However, you may choose to be more explicit in displaying controller information on your forms. You can do this by adding header or footer content to any section of your forms using the Configure Fields & Sections utility.

You can use the same utility to provide the required details regarding the purposes of the processing for which the personal data are intended. You may include this information on the form itself, or link to a separate page.

Please refer to Article 13 of the Regulation ("Information to be provided where personal data are collected from the data subject") for complete details and a description of the requirements.

Managing consent fields as a system user

Any consent fields you enable will become available on your account Create and Edit pages, with a default value of Consent Not Asked:

zd_gdpr_consent_fields_on_data_entry.jpg

If you know an account's consent status for any of these fields, you can change the status to Consent Given or Consent Declined as appropriate.

zd_gdpr_consent_field_values.jpg

Note: Changing a status to "Consent Declined" does not affect the standard Email Opt Out or Do Not Contact fields on the account record. Those fields are managed separately.

The current Data Privacy & Consent status of each account will now display in the Basic Information section.

zd_gdpr_consent_fields_on_account_page.jpg

Importing consent information

You can also add Consent Status information to accounts through the Import Manager.

Each consent status field is available for mapping in the Account Import process when importing new accounts. You can also update the consent status of existing accounts through the Account Batch Update process.

Viewing and reporting on consent information

You can view the history of any account's consent status from that account's detail page. First, use the "Page Settings" feature to configure your personal account view so that it includes the "Data Privacy & Consent Log" section:

zd_gdpr_add_consent_log.jpg

This section shows a full log of all changes made to the account's consent status, including which status was changed, when it was changed, and how the change was made (by the constituent, by a staff member, by the import manager, etc.).

zd_gdpr_consent_log.jpg

Several reports will also allow you to search by consent status and/or to view the consent status of accounts in the report results. These reports include:

  • Mailing Report
  • All Accounts Report
  • Email Audience Report
  • Stats Report

zd_gdpr_consent_fields_report_criteria.jpg

zd_gdpr_consent_fields_output_columns.jpg

What happens if I disable consent fields?

If you enable any consent fields and then disable them, the fields will disappear from your online forms and your account pages, but the consent data itself will remain in your system. If you re-enable those fields in the future, the data will be restored.

You will still be able to report on existing consent data, even if the consent fields themselves are disabled.


Related Guides
