GDPR guidelines

Note: This article is for informational purposes only and should not be used as a solitary resource about the GDPR and how it applies to your organization. ASI encourages that you work with legally qualified professionals to discuss GDPR and how to best implement compliance for your organization.

As of May 2018, organizations who process personal and sensitive data related to European Union (EU) citizens must be compliant with the General Data Protection Regulation (GDPR), no matter where the organization is located. The goal of the GDPR is to expand privacy rights granted to EU individuals, and how your organization achieves this goal is primarily reliant upon the steps you take.

Much of GDPR compliance relies upon policy-driven and procedural responses to its articles and directives. While ASI has invested a significant amount of time investigating and preparing for the GDPR, it is ultimately up to the individual organizations to make their own determinations of what it means to meet the policy-driven and procedural responses to the GDPR's articles.

This article outlines the following:

  • Sensitive information under the GDPR
  • Specific areas in iMIS that you can configure right now to be more GDPR compliant

    • Warning! This is not an exhaustive list. Each organization should review the GDPR to understand what they should do to comply with the regulation.

  • Additional resources about the GDPR

Article 9 of the GDPR states that sensitive information should not be collected in a way that the information may be linked with the related person. Under the GDPR, sensitive data translates to many things. The obvious items that are considered sensitive are name, address, and phone number.

The following are additional sensitive items under the GDPR:

  • Social Security Number
  • Spouse's name
  • Racial or ethnic origin
  • Religious or philosophical beliefs
  • Data concerning health of sex life and sexual orientation
  • Genetic data
  • Sales databases
  • Customer feedback forms
  • Biometric data
  • Loyalty scheme records
  • Financial information
  • Driver's license number
  • Child's name
  • Political opinions
  • Trade union membership
  • Online identifiers (such as email address or IP address)
  • Employee information
  • Customer services data
  • Location data
  • CCTV footage
  • Health data
  • And much more

If this information is collected in iMIS, organizations should be careful in how they use the information. For example, do not give this information to third-party companies or use the information for targeted advertising. Additionally, do not display this information in a public manner such as within a Report Display, Query Menu, or Panel Designer. It is encouraged that organizations check their user-defined tables and Panel Designer tables for information labeled as sensitive and make sure this information is not displayed in any public manner.

Organizations should, additionally, take extra care with securing contact records on their websites, as these do include personal data and are considered sensitive. Correctly configuring contact security queries can ensure that those who do not have the authority to view contact information will be unable to gain access. If a contact does not want their information to be included in the organization's directory, they can enable the Exclude directory option. This option is located on the Preferences tab of the account page. See Excluding contacts from a website's directory for more information.

iMIS RiSE does not track user activity or data, such as browsers, Windows versions, or previous websites viewed. iMIS only tracks what the user does on the iMIS website, such as cookies in the cart and in the Show a cookie warning message.

When an item is added to the cart, even anonymously, iMIS adds a cookie to keep track of the cart that was created. When a user signs in, the previously created cart is merged to the now-logged-in user's account. Additionally, when a user accepts the cookie warning (when the cookie warning is turned on), iMIS stores a cookie to remember that the user has accepted.

Third-party tools, such as Google Analytics, can be configured to work with iMIS to collect user activity or data, but the GDPR responsibility lies with the third-party company and not with ASI.

The following information outlines how to configure iMIS to be more compliant with the GDPR, but it is not an exhaustive list on how your organization meets GDPR requirements, nor should it explicitly dictate the breadth of your organization's compliance. ASI encourages working with legally qualified professionals to discuss GDPR and how to best implement compliance for your organization.

Sending a contact their personal data

A contact may request all personal information you have collected about them.

The easiest way to do this is to take screenshots of the contact's account page. You will need to take screenshots of each tab in the contact's account page. After all screenshots are taken, you can compile the images in a Word or PDF document and send the document to the contact.

Another way to accomplish this is to create an IQA query that contains all sources and related properties that are on the contact's account page, then export the query and send it to the contact.

There is no built-in iMIS query, because you can customization your account pages, resulting in user-specific fields that iMIS does not contain out-of-the-box; however, the following business objects are a great place to start when building out this type of query:

  • CsContact
  • CsRegistration
  • CsNameFin
  • CsOrders
  • CsSubscriptions
  • CsOrderLines
  • CsProduct
  • TransactionDetail
  • CsActivity
  • GiftHistorySummaryBasic
  • CsEvent
  • GiftsReceivedSummary

Erasure process

Organizations that collect personal data should provide a means of erasing personal data to their users, as stated in Article 17 of the GDPR – Right to erasure ('right to be forgotten'). This erasure process must be carried out without "undue delay". The following instances cover some of the reasons for erasing personal data:

  • The collection purpose is no longer in play
  • The user wants the information removed, and there are no legitimate reasons to continue storing their data
  • The data has been collected and processed without the user's consent

Please review Article 17 for additional information on reasons a user's personal data should be erased, and exceptions to the Right to be forgotten.

Deleting personal data

Use the Erase this contact button (System administrators only. Non-SysAdmin staff can request an erasure using the Request contact erasure button) found in the Edit window of the Contact Mini Profile. This will remove all personal data, but will keep the contact record in the iMIS database. Personal data, such as first name, last name, email address, physical mailing address, appears blank in the contact record. This allows organizations to still query on historical information, such as how many members you had in a specific year. Additionally, data entered in a dynamic panel is not removed with the erasure process. Staff must manually remove any personal data entered in a dynamic panel.

For more information on erasing a contact's personal data, see Erasing a contact's personal data.

Pseudonymisation and encryption of sensitive data

While staff have the ability to erase personal data, all data transported with iMIS is conducted over encrypted communication paths using the TLS 1.2 protocol with AES-256 level encryption. Data at rest within the iMIS database can be encrypted, as well as using Microsoft's SQL Server Transparent Data Encryption (TDE) facility. On-premise and traditional clients may apply TDE to their database at their discretion. Standard Cloud and Cloud-Plus clients may request this service of ASI Cloud Services for their databases.

Communications

Among the many requirements of the GDPR, consent is a significant principle. Article 7 of the GDPR outlines the Conditions for consent. Organizations must be able to show that consent has been given in the instances where personal data is being collected, and they must log this consent. For example, your organization must get consent for actions such as sending electronic mail, physical mail, or placing calls to an individual. Any request for consent must be easily identifiable, and, when said consent is given, should be retractable at any time. Please review Article 7 of the GDPR for any additional conditions of consent and in-depth information.

Consent to receive communications

Users must give consent to receiving communications to your organization prior to contact. Configure or update your default communication preferences in your iMIS system so that outgoing electronic communication is opt-in by default. Read the Managing communication preferences article for more information about how to set up communication preferences in iMIS.

Consent to use phone number and physical address for communications

Communication preferences for contact by way of physical mail or by phone can be configured using the Panel Editor to craft an interactive medium to collect consent. Ensure that the Log all changes option is enabled on the associated business objects so that logged changes will display in the Change History panel. See Panel Designer for more information.

Special consent for children

Article 8 of the GDPR is geared toward organizations that collect information from, or about, children younger than 16 years old. If your organization does not collect information from or about children who are younger than 16, feel free to skip over this section.

Organizations that collect information from or about children younger than 16 years old must get verifiable consent from parents or guardians. An exception to this is in the context of "preventive or counseling services offered directly to a child".

Your organization can use Panel Designer to create a panel to gain consent from the parent or guardian of the child.

Organization contact information

Article 13 of the GDPR – Information to be provided where personal data are collected from the data subject – states that where information is being collected from a user, such as on the create-an-account page, the organization should provide contact information for the organization.

The onus is also on the organization to provide information on the reason personal data is being collected, all recipients of this data (third-parties, and so forth), how long the data will be stored, if the data will be used for additional purposes, among other things. Please review Article 13 for the extent of these requirements, and additional requirements.

Make your organization's contact information visible

Add your organization's contact information to the contact profile pages and the footer of your website. See Creating RiSE-built website templates and Creating custom themes for information on modifying your site footer.

Make your organization's privacy notice easily accessible

Use your organization's Privacy Notice to disclose to site users how their data is being gathered, used, or shared. The Privacy Notice must not be hard to reach or be hidden in any manner. Make this document easily accessible to users by providing a link to it in your footer. This will ensure that regardless of where your user lands, the notice will be available.

Your organization's privacy notice can also be added to your site's cookie warning using a link to the document. The cookie warning can be configured on the Look and Feel tab of the Manage websites section of RiSE (RiSE > Site Builder).

Use the following links for additional information about the GDPR: