Everything you need to know about EngagementHQ and GDPR compliance
There are a few key terms to familiarise yourself with around the GDPR.
You are the Data Controller
If you use EngagementHQ or any other online engagement system then you are seen as a Data Controller. As the Data Controller you have the responsibility for the protection of the personal data of your community. With such responsibility comes the need to have confidence over how your community engagement platform processes personal data.
Bang the Table is the Data Processor
We are seen as a Data Processor for the personal data of your community that is processed within EngagementHQ. Our mission is to make sure our customers have all the tools required to shape their data processing as they see fit. Our customers stay in control, we handle the technical side.
Your community are the Data Subjects
Individuals whose personal data is being collected are the Data Subjects. The GDPR focuses on ensuring that the right of data subjects are protected through adequate data consent and access rights.
How EngagementHQ helps you achieve GDPR compliance
- Explicit consent is built into EHQ allowing collection of personal details
- We are equipped to handle your data subjects’ requests for access, correction, porting, restriction or deletion as per your policies
- We only store anonymised data for benchmarking so we do not have to store your community’s data beyond the duration of our agreement with you
- Participants can access their profile with a link
- Our Information Security Management System is certified ISO 27001:2013 guaranteeing appropriate technical and organisational measures are in place for the protection of your data
- Data Processing Agreements (DPAs) that align with GDPR Requirements coming this week (for EU clients)
What comes next?
- We will share our Data Processing Agreement with you, this is a key requirement of the GDPR
- We are ready for any data subject requests authorised by you via our helpdesk, email@example.com
- You can contact us with any further questions around the EU GDPR, firstname.lastname@example.org
Q. Does Brexit mean that GDPR will not apply in the UK?
GDPR will continue to apply till the end of March 2019 when the UK officially leaves the European Union. The UK will establish a new data protection bill which will apply after that date.
Q. Does GDPR only apply to organisations within the European Union?
No, organisations with no presence in the EU are still subject to the GDPR if they process personal data in connection to individuals living in the EU.
Q. What is a Data Processing Agreement and do we need one?
Under the GDPR, Data Controllers may only work with Data Processors that provide “sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the Data Subjects.”
Data Controllers are obliged to enter into a written contract, the Data Processing Agreement, with each Data Processor they work with.
Broadly, the content of the Data Processing Agreement must set out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data to be processed, the categories of data subjects and the obligations and rights of the controller.
Q. How can we remove a participant’s data?
You can do so by emailing our helpdesk at email@example.com.
We will only remove a participant’s data when authorised by you to ensure that this meet’s your organisational policies. We will never act without your explicit permission.
Please be aware that once removed, these participants will not show up within the PRM and their contributions would be completely anonymised within the system with no any possibility of reversal. Contributions by these participants will be displayed as “Posted Anonymously” on all reports.
Q. Is there any way to delete a participant’s responses?
Yes, we can delete a specific participant’s responses. Please request this by emailing our helpdesk.
Please note that we will only do so when authorised by you to ensure that this meet’s your organisational policies. We will never act without your explicit permission.
Q. Do you use sub-processors? Which ones?
In order to make EngagementHQ work most effectively for our clients, we utilise a range of third-party services (sub-processors in GDPR parlance) for diagnostics, performance management, hosting, support and other specialist functionality.
As part of GDPR requirements as well as our commitment to transparency, we have put together a list of all third party service providers used to support EngagementHQ. The full list is available at http://helpdesk.bangthetable.com/privacy-data-and-information-security-moderation-terms-and-conditions/ehq-3rd-party-service-providers.
Each service provider is listed with a brief description of what the service does. If you would like access to more detail including compliance details of each of the services listed please do not hesitate to email us.