CiviCRM and GDPR

In addition to implementing a more rigorous subscription process (opt-in) there are more elements to consider before determining if you can send communications to the contacts in your database. For example, an organization that has members may possibly assume that it has a “legitimate interest” to send communications to such members, unless they express their intention to stop receiving such communications (opt-out).

In this case, the organization must register the contacts that have chosen not to receive communications or the distribution lists of those that have unsubscribed. It must also be shown that the interest is real, that is, the contacts open the emails or click on the links they contain. If you send a newsletter by email, and a contact does not open or click on any of the links included, over a long period of time, it will be difficult to argue that the organization has a legitimate interest to continue sending emails to that contact.

For all other mailings, following the guidelines of the GDPR, organizations must be able to prove that their contacts have given their consent to receive communications. It must be proved who has given that consent, when it has been given it, how, for what type of communications exactly and through what channels it has done so (email, telephone, postal mail, etc.).


What does the GDPR extension do?

The extension for CiviCRM, GDPR, allows to carry out the following activities and processes:

  • Register who is the Data Protection Delegate (DPD) of the organization
  • Add a “GDPR” tab to the contact’s record that will show a summary of the information
  • Date on which the contact accepted the data protection policy
  • Date on which the contact updated the communication preferences
  • Subscription lists to which the contact belongs and the date in which it was registered
  • Generate contact lists that have not had any activity in a certain period in order to track the legitimate interest of the organization
  • It allows to force the acceptance of the terms and conditions / privacy policy when a user accesses the system (only for Drupal)
  • It offers option of the ¨right to be forgotten¨: if a contact in the database requests that all its data be deleted, the extension incorporates a functionality that allows “anonymizing” that contact, deleting its personal data (name, email, etc.) but maintaining the record of transactions (contributions, event fees…).
  • Create a public page of communication preferences that can be sent to contacts so that, within the same screen:
    • Update your personal data (the user can choose which fields are shown)
    • Update by what channels you can contact them (email, phone, postal mail, SMS)
    • Register or unsubscribe from any distribution list of the organization, with a detailed explanation of the purpose of each list, the frequency of delivery and the channels used
    • Download the data privacy policy and accept it
  • The extension will keep a record of these actions for auditable purposes in the GDPR tab
  • It allows to “force” the acceptance of terms and conditions of service when a contact registers in an Event or makes an online Contribution, through the enabled pages

Each organization is responsible for updating its Data Privacy Policy and for taking the necessary measures to comply with the new GDPR. The GDPR extension for CiviCRM is a valuable tool for organizations to manage their contacts according to the GDPR but installing this extension does not mean that the organization automatically goes to comply with the regulations!

How iXiam can help you install the extension:

From Ixiam we offer the support for the installation and configuration of the extension among other related services:

  1. We install the extension of GDPR in your environment (available in English, Spanish and Catalan)
  2. We configure the extension and we do a small tutorial to explain its us
  3. We design an email template, with your logos and formats, so that you can communicate correctly, to the contacts of your database, the changes in your privacy policy
4. Sample newsletter for GDPR

5. We adapt the page of communication preferences so that users can manage their data

Communication preferences page
Written by Carolina Bardisa, CiviCRM and Fundraising consultant

As described in the GDPR and the Third Sector blog post, the new General Data Protection Regulation is effective since May 25th.

The RGPD itself does not present many new requirements but introduces a series of new obligations for organizations that store and use data about individuals.

CiviCRM has an extension, developed by VEDA Consulting, which aims to allow organizations in the Third Sector to manage their contacts in compliance with the GDPR.

Insights and our Work

Schedule a discovery call today!

Scroll to Top