What is GDPR?
The General Data Protection Regulation (GDPR) is a relatively recent European Union regulation aimed at increasing the protections allotted to EU citizens - mainly, protections surrounding their personal data. While this regulation specifically mentions EU citizens and businesses, GDPR applies to the processing of personal data of EU citizens in the EU or anyone in the EU, regardless of whether the processing takes place in the EU or not.
When does the law go into effect?
GDPR was fully implemented on May 25, 2018.
What is considered Personal Data?
Personal Data is any information relating to an identified or identifiable data subject. Names, ID numbers, IP addresses, and physical, mental, and cultural/social details about a person are all examples of Personal Data.
Who is responsible for protecting Personal Data?
In short, the “Processors” and “Controllers” manage the information of the data subjects. Depending on the activity, you may be both the Controller and Processor.
When using Zengine, applicants, reviewers, and anyone else’s data that is being stored within the system are the data subjects.
You, the administrator, are the controllers of that data. WizeHive is the processor of the data.
WizeHive & GDPR: How to use Zengine in a GDPR-compliant way
WizeHive is committed to being fully GDPR compliant. Below are the requirements that you’ll likely need to meet when managing data within Zengine in a GDPR-compliant manner as a data controller.
Lawful Basis of Processing
Under GDPR you need to have a legal reason to store or use data about any person. As the controller, your reasons can include:
- Consent with notice: they opt-in after being told how you plan to use their personal data
- Performance of a contract: they are your customer, and you need to send them a bill
- Legitimate interest: they are a customer, lead, applicant, etc. and you want to send them information related to that status
- Other reasons: Learn about all the possible reasons here
You need to track that reason for any given individual and their set of data.
In Zengine there will be two mechanisms for doing this:
- Portal Consent - We are building new features around obtaining and storing consent when using portals (see more below).
- Custom fields - You can create custom fields for any contact stored in Zengine that allows you to track the lawful basis. In the case where you obtain consent outside of our portal system (such as verbally or on paper), you can add additional fields to store the date, upload proof of signature, or any other materials you need to prove the scope of consent.
Consent [Learn More]
Under GDPR requirements where processing is based on consent, the data controller must be able to demonstrate that a data subject has consented to the processing of his or her personal data. This means you must do all of the following:
- Provide notice of data collection and planned use.
- Gain an affirmative opt-in.
- Log the consent.
In Zengine, webforms, application forms, submission portals, and review portals have all been updated with a new privacy notice and consent feature. (To enable this Portal Consent feature for submission portals, see the article User Consent Messaging (Submission Portal).)
Typically, each portal type will be used to collect different types of information from people, which can be used for different purposes. Therefore, you can create a specific privacy notice for each portal that you publish to your constituents. Within this privacy notice, you have the option to include hyperlinks to privacy notices on your website.
Portal users are required to affirmatively opt-in (check a box) prior to creating an account or submitting information. Contacts existing in the system prior to enabling this feature on a portal will be prompted and required to opt-in before proceeding to the portal the next time they log in (after consent messaging is enabled for a specific portal).
You will be able to export a report that includes the consent date and privacy notice language for each contact linked to the portal: see the article User Consent Reports (Submission Portal).
Withdrawal of Consent, Restriction of Processing, and Objection to Processing
If your contact withdraws consent, you can always add a custom field to a form that indicates that withdrawal and the date the consent was withdrawn.
Note that if consent is withdrawn for email communications, you should ensure that custom field is used in any filter for bulk or auto email.
Similarly, you can do the same when a data subject requests a restriction or objects to process, so you need to store the data but can’t use it.
Deleting Personal Data
Right to be forgotten
Under GDPR citizens have a lawful right to be forgotten; in other words, any user can request that their data be removed from any and all systems. This right is not absolute and only applies in certain circumstances, which you will need to determine for the data you are storing.
Limited retention
GDPR requires that personal data is retained only for the period of time necessary. If you decide on a limited retention period, you will be responsible for deleting the data appropriately.
How do I delete data from the system?
The Zengine platform provides the following tools to administrators in order to remove data from the system:
- Delete a form (and all records/data contained in that form): Forms
- Delete records individually: Delete a Record
- Delete records in bulk using the Bulk Actions Plugin: Bulk Actions Plugin
- Deleting linked records: Deleting Related Data
- Delete attachments or uploaded files from a record: Delete Files
Upon deletion, the data will be immediately unavailable to ALL workspace users. When specifically deleting a Form, all records contained within that form will be deleted also. When deleting a workspace, all forms and their records are deleted. Data will be permanently deleted in a GDPR compliant way from all downstream systems within 60 days.
Along those lines, if you choose to cancel your Zengine account, all workspaces, forms, and records will be deleted in which you are the owner. Data will not be deleted if your contract expires. This is a manual process, meaning the data must be proactively deleted via one of the methods described above.
Access & Portability
Users can, at any time, request access to the personal data that you are storing about them. Personal Data is anything that helps identify a user, such as a name and an email.
In Zengine, data can be provided using the following tools:
- Exporting Data to CSV
- Downloading Files Individually from a Record
- Downloading Files from Many Records using Bulk Actions
Right to Accuracy - Updates
Under GDPR, users are able to request that you modify or otherwise update his or her personal data if the data is inaccurate or incomplete.
In Zengine, administrators have the ability to update records individually and in bulk using the following tools:
Common Questions
What happens to my data if I leave Zengine?
(1) You can export all data and consent records. When your account is canceled, data will be deleted as described above. Please refer to our privacy policy for more information.
(2) When your account is canceled, any data in any workspace that you own will be marked for deletion, and permanently deleted in a GDPR compliant way within 60 days.
How do I sign a Data Processing Agreement with WizeHive?
GDPR requires that controllers establish a Data Processing Agreement with any software provider processing data on their behalf. If you wish to sign a Data Processing Agreement with WizeHive, please contact privacy@wizehive.com.
Comments
0 comments
Please sign in to leave a comment.