You are probably seeing a storm of GDPR related emails coming from your vendors right now. It’s a good thing and we too want to update you on what we have done to ensure your communities are compliant.
What is GDPR?
Coming into effect on 25 May 2018, the General Data Protection Regulation (GDPR) addresses the changes which have taken place in the online space over the past two decades. The GDPR replaces the Data Protection Directive which has been law across the European Union for the past 20 years. One of the main goals of the GDPR is to give individuals greater visibility into how their personal data is used and to give them control over which data they share.
Why is GDPR important?
GDPR will impact any business that collects data in or from Europe, and it doesn’t matter if the business is based in Europe or not. In order to ensure that the protection of personal data remains a fundamental right for EU citizens, the European Union will fine organizations who fail to meet their obligations with respect to handling data. These fines can be up to €20M or 4% of global annual turnover. Of course we don’t want that to happen to you….
What did CMNTY do to ensure compliance?
To ensure your community platform is GDPR ready we updated our general terms and added a few tools to it.
Here’s the full overview of what we did:
1. We added a “Data Processing Agreement” to our terms
When you run a community using CMNTY Platform you will be the “Data Controller” and CMNTY will be the “Data Processor”. To make this distinction clear and to emphasize your and our responsibilities regarding data and privacy, we’ve released a new document called Data Processing Agreement (DPA).
For your convenience, we’ve included the DPA in our sign-up and order process. This means that the next time you start a community, these new terms will automatically apply to your project. If you are currently running a community and are the Platform Owner, you can accept these new terms by visiting your platform once it has been updated to platform version 5.6.0. This will make your platform ready for GDPR compliance. We specifically say “ready for GDPR compliance” instead of “GDPR compliant”, because there are a couple of more steps for you to take.
2. We added new privacy statement tools to CMNTY Platform
If you haven’t used a privacy statement yet in your community then now is the time to do so. Keep in mind that it’s important to inform your members about:
- What kind of data you are collecting using CMNTY
- Why you are collecting this data, and
- Who is processing this data
You’ll be happy to know that we’ve made it easier for you to set up a privacy statement with a redesigned tool. And for your convenience we have supplied you with a basic privacy statement template. This basic statement should cover the most important aspects and of course you are free to use or extend it. See our help center article about privacy statements for more information.
3. We added tools for controlling data retention & the right to be forgotten
With GDPR, data may not be stored longer than absolutely necessary. Also, your members may request to “be forgotten” which means that you should destroy all data you have on them. Both of these rules are the responsibility of the Data Controller (meaning you), but of course we have tools in place that allow you to delete members or destroy data when necessary. Deleted data will be removed from the platform immediately and from our backups within 30 days. Please be reminded that deleting information from the platform alone is not enough. You should also delete any data you have about members locally or stored in other places.
Summary And Quick Checklist
CMNTY made sure that our tools are GDPR ready. To do so we introduced a Data Processing Agreement and we’ve added tools for you to be transparent with your members about their privacy. We also have tools to meet the Data retention rules and the Right to be forgotten.
To make sure your current community platform meets the GDPR privacy rules:
- Log in to your platform and accept the new GTC, SLA and DPA.
- Make sure you have set up a privacy statement as described in this article.
(Optionally, use our privacy statement template)
- Determine your data retention period and act accordingly (ongoing).
- Follow up requests to be forgotten and act promptly (ongoing).
Questions About GDPR?
We can imagine you have question about GDPR and how it applies to your community. Feel free to reach out to our support team at firstname.lastname@example.org and they’ll be happy to answer all of them.