In addition to implementing a more rigorous subscription process (opt-in), there are other elements to consider before determining whether you can send communications to the contacts in your database. For example, an organization that has members may assume that it has a “legitimate interest” in sending communications to those members, unless they express their intention to stop receiving such communications (opt-out).
In this case, the organization must record the contacts that have chosen not to receive communications, or the distribution lists from which they have unsubscribed. It must also be shown that the interest is real, that is, that the contacts open the emails or click on the links they contain. If you send a newsletter by email and a contact does not open it or click on any of the links included over a long period of time, it will be difficult to argue that the organization has a legitimate interest in continuing to send emails to that contact.
For all other mailings, following the guidelines of the GDPR, organizations must be able to prove that their contacts have given their consent to receive communications. It must be possible to prove who gave that consent, when it was given, how, for exactly what type of communications, and for which channels (email, telephone, postal mail, etc.).
What does the GDPR extension do?
The GDPR extension for CiviCRM supports the following activities and processes:
- Register who the organization's Data Protection Delegate (DPD) is
- Add a “GDPR” tab to the contact’s record that shows a summary of the information:
  - Date on which the contact accepted the data protection policy
  - Date on which the contact updated their communication preferences
  - Subscription lists to which the contact belongs and the date on which they were registered
- Generate lists of contacts that have not had any activity in a certain period, in order to track the legitimate interest of the organization
- It offers the “right to be forgotten” option: if a contact in the database requests that all their data be deleted, the extension includes a function that “anonymizes” that contact, deleting their personal data (name, email, etc.) but keeping the record of transactions (contributions, event fees…).
- Create a public communication preferences page that can be sent to contacts so that, within the same screen, they can:
  - Update their personal data (the user can choose which fields are shown)
  - Update the channels through which they can be contacted (email, phone, postal mail, SMS)
  - Subscribe to or unsubscribe from any distribution list of the organization, with a detailed explanation of the purpose of each list, the frequency of delivery and the channels used
- The extension keeps a record of these actions for audit purposes in the GDPR tab
- It lets you “force” acceptance of the terms and conditions of service when a contact registers for an Event or makes an online Contribution through the enabled pages
How iXiam can help you install the extension:
At iXiam we offer support for the installation and configuration of the extension, among other related services:
- We install the GDPR extension in your environment (available in English, Spanish and Catalan)
- We configure the extension and give a short tutorial to explain its use
- We adapt the communication preferences page so that users can manage their data
As described in the GDPR and the Third Sector blog post, the new General Data Protection Regulation has been in effect since May 25th.
The GDPR itself does not present many new requirements but introduces a series of new obligations for organizations that store and use data about individuals.
CiviCRM has an extension, developed by VEDA Consulting, which aims to allow organizations in the Third Sector to manage their contacts in compliance with the GDPR.