GDPR compliant community engagement with EngagementHQ
Bang the Table’s EngagementHQ offers all the features you need to comply with the European Union’s General Data Protection Regulation (GDPR).
The GDPR protects the fundamental right to privacy and protection of personal data. It introduced robust requirements that have raised standards for data protection and security. GDPR came into effect on the 25th of May 2018 and applies to organisations worldwide that come into contact with any persons from the EU, with non-compliance resulting in massive fines.
There are a few key terms to familiarise yourself with around the GDPR.
You are the Data Controller
If you use EngagementHQ or any other online engagement system, then you are seen as a Data Controller. As the Data Controller, you are responsible for protecting the personal data of your community. With such responsibility comes the need to have confidence in how your community engagement platform processes personal data.
Bang the Table is the Data Processor
We are seen as a Data Processor for the personal data of your community that is processed within EngagementHQ. Our mission is to make sure our customers have all the tools required to shape their data processing as they see fit. Our customers stay in control; we handle the technical side.
Your community are the Data Subjects
Individuals whose personal data is being collected are the Data Subjects. The GDPR focuses on ensuring that the rights of data subjects are protected through adequate data consent and access rights.
How EngagementHQ helps you achieve GDPR compliance
- Explicit consent is built into EHQ allowing collection of personal details
- We are equipped to handle your data subjects’ requests for access, correction, porting, restriction or deletion as per your policies
- We only store anonymised data for benchmarking so we do not have to store your community’s data beyond the duration of our agreement with you
- Participants can access their profile with a link
- Our Information Security Management System is certified to ISO 27001:2013, guaranteeing appropriate technical and organisational measures are in place for the protection of your data
- Bang the Table is equipped to support Data Processing Agreements (DPAs) that meet GDPR Requirements (for EU clients)
What comes next?
- We are ready for any data subject requests authorised by you via our helpdesk, firstname.lastname@example.org
- You can contact us with any further questions around the EU GDPR, email@example.com
Q. Does Brexit mean that GDPR will not apply in the UK?
GDPR will continue to apply till the end of March 2019 when the UK officially leaves the European Union. The UK will establish a new data protection bill which will apply after that date.
Q. Does GDPR only apply to organisations within the European Union?
No, organisations without a presence in the EU are still subject to the GDPR if they process personal data in connection to individuals living in the EU.
Q. What is a Data Processing Agreement and do we need one?
Under the GDPR, Data Controllers may only work with Data Processors that provide “sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the Data Subjects.”
Data Controllers are obliged to enter into a written contract, the Data Processing Agreement, with each Data Processor they work with.
Broadly, the content of the Data Processing Agreement must set out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data to be processed, the categories of data subjects and the obligations and rights of the controller.
Q. How can we remove a participant’s data?
You can do so by emailing our helpdesk at firstname.lastname@example.org.
We will only remove a participant’s data when authorised by you to ensure that this meets your organisational policies. We will never act without your explicit permission.
Please be aware that once removed, these participants will not show up within the PRM and their contributions will be completely anonymised within the system with no possibility of reversal. Contributions by these participants will be displayed as “Posted Anonymously” on all reports.
Q. Is there any way to delete a participant’s responses?
Yes, we can delete a specific participant’s responses. Please request this by emailing our helpdesk.
Please note that we will only do so when authorised by you to ensure that this meets your organisational policies. We will never act without your explicit permission.
Q. Do you use sub-processors? Which ones?
In order to make EngagementHQ work most effectively for our clients, we utilise a range of third-party services (sub-processors in GDPR parlance) for diagnostics, performance management, hosting, support and other specialist functionality.
We have ensured that all of the sub-processors we work with have robust security measures in place supported by one or more internationally respected data security standards such as ISO 27001/17/18, SOC 1/23, Cyber Essentials Plus, CSA etc. We have also put data processing agreements (DPAs) in place with each of them.
The list of all third-party service providers used to support EngagementHQ is available at http://helpdesk.bangthetable.com/privacy-data-and-information-security-moderation-terms-and-conditions/ehq-3rd-party-service-providers. Each service provider is listed with a brief description of what the service does. If you would like access to more detail, including data shared and compliance details of each of the services listed, please do not hesitate to email us.