The General Data Protection Regulation has been in effect since May 25th, 2018 in all EU member states to harmonize data privacy laws across Europe.
This new regulation applies to any individual or organization that holds data on any citizen (voter, members, volunteer, staffers, voter, etc).
Under the GDPR, if you as an individual, your company or organization decide ‘why’ and ‘how’ personal data should be processed, then you, your company or organization is considered a Data Controller.
YOUR PRIVACY DASHBOARD
Your campaign settings has a built-in Privacy Dashboard with five key features to help with your GDPR governance and accountability.
1. DATA PROTECTION CONTACT DETAILS
The account owner is listed by default as the Primary Data Controller.
Click on > icon next to the Data Protection Officer field to update the name and email address of your DPO.
2. PURPOSES FOR COLLECTING PERSONAL DATA
Within the same dashboard, you can map the individual personal data fields with the legitimate, lawful purpose for processing that information, in compliance with Article 13 section 2.
There are three default system collection purposes:
- Campaign Relationship Management
- Management of Campaign Demographic Information
- Political Campaign Management
You may create custom data collection purposes if needed.
Simply click any of the data points, which will open the dialog below.
Then click on the + icon to create a custom data collection purpose:
3. REVIEW YOUR CONSENT SETTINGS
The e-signature consent feature is available through the Ecanvasser app.
You may capture a person's consent along with their e-signature as evidence of consent should you need to contact a person in the future for a specific purpose,
with an opt-in approach.
There are four default consent options associated with the e-signature capture, each option has clear and unambiguous text that explains the purpose for collecting the e-signature:
- to be contacted regarding ongoing issue(s) which the individual has reported*
- to receive updates regarding this campaign for the duration of the campaign
- to receive news updates regarding this candidate
- to receive information regarding volunteer events**
On your campaign settings page, you can control which consent is being captured by toggling the consent types* on or off.
*Consent to receive updates on an issue is only presented after an issue has been logged via the mobile app.
**Consent to receive Volunteer Updates is only presented a person has indicated they are a volunteer
4. RECORD OF PROCESSING ACTIVITIES
The record of processing activities allows you to make an inventory of the data processing and to have an overview of what you are doing with the concerned personal data, which will assist you in meeting your Data Controller obligations, reference article 30 of the GDPR.
Again, within your privacy dashboard, you can both view and update your Processing Activities Record.
To update the record, Click on the UPDATE DATA RECORD. This is necessary when the personal data that is being collected is classified as "special category".
To view the record, click on the "down" icon and the record will be downloaded in PDF format.
You are obliged to safely and permanently delete personal data once the purpose for processing that data has expired.
To facilitate this, there is an option to anonymize your complete contacts data set. There is an option to either include or exclude contacts that have given you consent to contact them. Once your data set has been anonymized, the aggregated data related to those contacts is still available in the Analytics page.
6. PERMISSION SETTINGS
It is recommended to review the permission settings for each member role within your account such as creating new contacts, editing contacts details or deleting contacts or houses. The permission settings is accessible via the Customize page within the Ecanvasser dashboard.
RECOMMENDED GDPR PRACTICES
Our specialty is building world class software for our global base of customers.
Whilst we are definitely not legal experts in the GDPR, we would like to share with a few GDPR practices that our customers have followed in the past.
1. Data Minimization
With GDPR, ensure that the personal data that you capture is adequate, relevant and limited. Check that you are only storing the minimum amount of data required for your purpose, called Data Minimization.
We recommend that you review all your Custom Fields, and remove any fields that do not meet this requirement.
2. Subject Rights
Under the GDPR, individuals have the right to see what information you hold about that person. In response to a Subject Access Request, you can share all personal information that you hold about that individual by viewing that persons data record on the Voter Database. Individuals have the right to have their data updated or removed, which you can do through editing or deleting that persons record, again from the Voter Database.
3. Storage Limitations
All of your campaign data is securely stored in an encrypted cloud based database for the duration of your contract.
You can remove any information which you no longer require including Voter, houses and imported files by deleting these from the dashboard using a bulk delete action.
This will be removed instantly from the dashboard and app, and permanently removed from the database within one month.
You can also use the Anonymization option as detailed above.
4. Training & Awareness
As a Data Controller, you need to have Data Protection training in place for all your team members. A lot of security vulnerabilities involve cooperation of an unwitting person with access to internal systems.
Make sure your team are aware of these risks.
Not only should you provide training to your team including volunteers, you also need to demonstrate that this.
5. Appoint a DPO
A DPO is required in three scenarios:
- the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- the core activities of the business consist of processing operations which, by virtue of their nature, scope, and/or purposes, require regular and systematic monitoring of data subjects on a large scale, or
- the core activities of the business consist of processing on a large scale special categories of data (sensitive data) pursuant to Article 9 and personal data relating to criminal convictions or offenses pursuant to Article 10.
If a DPO is required, he/she DPO should have knowledge of GDPR guidelines as well as knowledge about the internal processes that involve personal information.