The European Union's General Data Protection Regulation (GDPR) has been with us for a while now. If you need or want to comply with this regulation, your Databank gives you a leg up in meeting that goal.
Because many of thedatabank's clients do not have relationships with EU residents, we would not characterize our products as "out of the box" GDPR ready. However, having a Databank definitely helps address GDPR rights through out-of-the-box functionality available in the software, along with some best practices that will meet other GDPR standards.
Below are the basic GDPR rights, and how your Databank helps address them:
Adherence to GDPR Basic Rights:
- The right to be informed about the collection and use of personal data
Databank clients should be aware of how they're using contacts' data, e.g., for email communications, to help with volunteerism, etc., so that they can communicate this usage on their web site and in other communication channels. Fundraising clients should reveal that donor information is passed on to a payment gateway in order to process credit card and electronic check (aka ACH or EFT) transactions.
- The right of access to their personal data and supplementary information
The Contact Roster, Fundraising Roster, Activity Roster, and Custom Table Rosters make it relatively easy to provide this information in printed form to a contact who asks for it.
- The right to rectification of inaccurate personal data or completion of incomplete data
In a system such as the Databank, this is simply a matter of data entry: edit the contact's record to make the corrections.
- The right to erasure of personal data
Deleting the contact accomplishes this. For contacts who want only specific data erased, clearing those fields accomplishes this.
- The right to restrict processing, which allows an organization to store data but not use it
There is little processing in your Databank, as it primarily records and reports interactions with contacts. Unless a client has custom processes written for them, processing mainly consists of preparing and sending emails for newsletters, fundraising solicitations, calls to action, meeting invitations, and communications regarding volunteer activities. So for the most part, the right to restrict processing is handled by managing subscriptions, or unsubscribing altogether. Every PowerMail includes a link to manage subscriptions or unsubscribe.
For clients that do postal mailings, make use of the "Do Not Mail" preference in the Personal page. Use it to exclude contacts from postal mailings.
- The right to data portability, which allows individuals to safely and securely obtain and reuse their own data for their own purposes
We interpret this to mean the contact should have a means to request an electronic version of their data. This can be accomplished via the Export function, which creates a series of comma-separated-value (CSV) files.
- The right to object to processing based on legitimate interests, direct marketing, and for purposes of research
- Rights in relation to automated decision-making and profiling
Additional Tips for GDPR Compliance:
- In Form Builder forms, do not use the option to automatically subscribe contacts to publications, and do not pre-check publications to subscribe to. GDPR does not consider either of these to be a valid opt-in.
- Send an email to current EU residents in your contact list, soliciting them to confirm their subscriptions. Unsubscribe contacts who do not respond, or who respond in the negative. Record responses in your Databank.