GDPR and Zengine
What is GDPR?
The General Data Protection Regulation (GDPR) is a new EU regulation intended to strengthen the protections afforded to EU citizens, chiefly over their personal data. Although the regulation speaks of EU citizens and businesses, GDPR applies to the processing of personal data of EU citizens in the EU, and of anyone in the EU, regardless of whether the processing itself takes place in the EU.
When does the law go into effect?
GDPR was fully implemented on May 25, 2018.
What is considered Personal Data?
Personal Data is any information relating to an identified or identifiable data subject. Names, ID numbers, IP addresses, and physical, mental, and cultural/social details about a person are all examples of Personal Data.
Who is responsible for protecting Personal Data?
In short, the “Processors” and “Controllers” manage the information of the data subjects. Depending on the activity, you may be both the Controller and the Processor.
When using Zengine, applicants, reviewers, and anyone else whose data is stored within the system are the data subjects.
You, the administrator, are the controller of that data. WizeHive is the processor of the data.
WizeHive & GDPR | How to use Zengine in a GDPR-compliant way
WizeHive is committed to being fully GDPR compliant. Below are the requirements that you’ll likely need to meet when managing data within Zengine in a GDPR-compliant manner as a data controller.
Lawful Basis of Processing
Under GDPR you need to have a legal reason to store or use data about any person. As the controller, your reasons can include:
- Consent with notice (they opt-in after being told how you plan to use their personal data)
- Performance of a contract (they are your customer, and you need to send them a bill)
- Legitimate interest (they are a customer, lead, applicant, etc. and you want to send them information related to that status)
You need to track that reason for any given person.
In Zengine there will be two mechanisms for doing this:
(1) Portal Consent - We are building new features around obtaining and storing consent when using portals (see more below).
(2) Custom fields - You can create custom fields for any contact stored in Zengine that allows you to track the lawful basis. In the case where you obtain consent outside of our portal system (such as verbally or on paper), you can add additional fields to store the date, upload proof of signature, or any other materials you need to prove the scope of consent.
Consent
Under GDPR requirements where processing is based on consent, the data controller must be able to demonstrate that a data subject has consented to the processing of his or her personal data. This means you must do all of the following:
- Provide notice of data collection and planned use.
- Gain an affirmative opt-in.
- Log the consent.
In Zengine, webforms, application forms, submission portals, and review portals will all be updated with a new privacy notice and consent feature.
You may use each portal type to collect different types of information from people, which can be used for different purposes. Therefore, you'll be able to create a specific privacy notice for each portal that you publish to your constituents. Within this privacy notice, you'll have the option to include hyperlinks to privacy notices on your website.
Contacts will be required to affirmatively opt-in (check a box) prior to creating an account or submitting information. Contacts existing in the system prior to enabling this feature on a portal will be prompted and required to opt-in before proceeding to the portal the next time they log in.
You will be able to export a report that includes the consent date and privacy notice language for each contact linked to the portal.
Withdrawal of Consent, Restriction of Processing, and Objection to Processing
If your contact withdraws consent, you will be able to add a custom field that indicates that withdrawal and the date the consent was withdrawn.
Note that if consent is withdrawn for email communications, you should ensure that custom field is used in any filter for bulk or auto email.
Similarly, you can do the same when a data subject requests a restriction of processing or objects to processing, in which case you must retain the data but may not use it.
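The custom-field approach above (a lawful-basis field, a consent log, and a withdrawal/restriction field that every bulk or automated email filter must respect) can be expressed as a small data model. The following is an added illustration written for this page, not Zengine code or a WizeHive API; the record fields, the sample contacts and the date values are all constructed assumptions. It shows how a recipient list is derived so that contacts who withdrew consent, objected, or never logged an affirmative opt-in are excluded, and how a consent export row (consent date plus notice version) is produced.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class ContactConsent:
    """One contact's lawful-basis record (field names are assumptions, not Zengine's schema)."""
    contact_id: str
    lawful_basis: str                      # "consent", "contract" or "legitimate_interest"
    consent_date: Optional[date]           # date of the affirmative opt-in, if basis is consent
    notice_version: Optional[str]          # privacy notice shown at opt-in
    withdrawn_date: Optional[date] = None  # custom field: consent withdrawn on this date
    restricted: bool = False               # custom field: restriction requested / objection lodged


# Constructed sample records for demonstration only.
SAMPLE_CONTACTS: List[ContactConsent] = [
    ContactConsent("c1", "consent", date(2018, 6, 1), "notice-v1"),
    ContactConsent("c2", "consent", date(2018, 6, 2), "notice-v1", withdrawn_date=date(2019, 1, 10)),
    ContactConsent("c3", "consent", date(2018, 7, 3), "notice-v2", restricted=True),
    ContactConsent("c4", "contract", None, None),
    ContactConsent("c5", "consent", None, None),  # opt-in never logged: consent cannot be demonstrated
]


def may_email(rec: ContactConsent, as_of: date) -> bool:
    """True only when a demonstrable basis exists and no withdrawal or restriction applies as of `as_of`."""
    if rec.restricted:
        return False
    if rec.withdrawn_date is not None and rec.withdrawn_date <= as_of:
        return False
    if rec.lawful_basis == "consent":
        # Consent must be logged with its notice to be demonstrable.
        return rec.consent_date is not None and rec.notice_version is not None
    return rec.lawful_basis in ("contract", "legitimate_interest")


def bulk_email_recipients(records: List[ContactConsent], as_of: date) -> List[str]:
    """Recipient list for a bulk or automated email, honouring withdrawal and restriction fields."""
    return [r.contact_id for r in records if may_email(r, as_of)]


def consent_report(records: List[ContactConsent]) -> List[Tuple[str, str, str, Optional[str]]]:
    """Rows of (contact, consent date, notice version, withdrawal date) for contacts whose basis is consent."""
    return [
        (
            r.contact_id,
            r.consent_date.isoformat(),
            r.notice_version,
            r.withdrawn_date.isoformat() if r.withdrawn_date else None,
        )
        for r in records
        if r.lawful_basis == "consent" and r.consent_date is not None
    ]


if __name__ == "__main__":
    print(bulk_email_recipients(SAMPLE_CONTACTS, date(2019, 6, 1)))
    for row in consent_report(SAMPLE_CONTACTS):
        print(row)
```

The point of `may_email` is that the withdrawal and restriction checks run before the lawful-basis check, so a contact who opted in and later withdrew is dropped even though the consent log still holds their original opt-in; the log itself is kept intact because it is the evidence that consent existed for the period it was relied on.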
Deleting Personal Data
Right to be forgotten
Under GDPR, citizens have a lawful right to be forgotten; in other words, any user can request that their data be removed from any and all systems. This right is not absolute and applies only in certain circumstances, which you will need to determine for the data you are storing.
GDPR requires that personal data is retained only for the period of time necessary. If you decide on a limited retention period, you will be responsible for deleting the data appropriately.
How do I delete data from the system?
The Zengine platform provides the following tools to administrators in order to remove data from the system:
Upon deletion, the data will be immediately unavailable to ALL workspace users. When a Form is deleted, all records contained within that form are deleted as well. When a workspace is deleted, all of its forms and their records are deleted. Data will be permanently deleted in a GDPR-compliant way from all downstream systems within 60 days.
Along those lines, if you cancel your Zengine account through the interface, all workspaces, forms, and records that you own will be deleted. Data will not be deleted if your contract merely expires. Deletion is a manual process, meaning the data must be proactively deleted via one of the methods described above.
Access & Portability
Users can, at any time, request access to the personal data that you are storing about them. Personal Data is anything that helps identify a user, such as a name and an email.
In Zengine, data can be provided using the following tools:
Right to Accuracy - Updates
Under GDPR, users are able to request that you modify or otherwise update their personal data if it is inaccurate or incomplete.
In Zengine, administrators have the ability to update records individually and in bulk using the following tools:
What happens to my data if I leave Zengine?
(2) When your account is canceled, any data in any workspace that you own will be marked for deletion and permanently deleted in a GDPR-compliant way within 60 days.
How do I sign a Data Processing Agreement with WizeHive?
GDPR requires that controllers establish a Data Processing Agreement with any software provider processing data on their behalf. If you wish to sign a Data Processing Agreement with WizeHive, please contact firstname.lastname@example.org.