Jadu Continuum Platform and the GDPR

The General Data Protection Regulation (GDPR) will apply in the UK from 25th May 2018, and the government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.


In preparation for meeting the requirements of GDPR, Jadu are undertaking work in our CXM, XFP and CMS products. We are working in partnership with a number of our existing customers to define the related features or enhancements required to provide GDPR compliance.

The GDPR creates some new rights for individuals and strengthens some of the rights that currently exist under the Data Protection Act (DPA):

  • The right to be informed
  • The right of access
  • The right of rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights related to automated decision making and profiling

The right to be informed

In order to meet the “right to be informed” requirement a privacy note should be provided to individuals detailing how their data is to be used. A privacy note can be easily created and maintained using the tools provided by Continuum CMS, and linked to from within XFP, or embedded directly within form content as necessary. Improvements are also planned for allowing the customer to see how the data that they provide on account registration will be used.

The right of access

To meet this requirement individuals should be able to access their personal data, see a privacy notice and receive confirmation that their data is being processed. The account functionality within Continuum CMS, XFP and CXM provides individuals with the personal data stored by the system that relates to them. This includes details of forms they have submitted and cases they have opened, along with personal details such as the address associated with that account. This is a secure self-service system which provides individuals with direct access to their information once logged in.

Where XFP forms have been set up to allow anonymous submission, individuals do not need to be signed in, and form submissions are not associated with a user account. As the submission is not associated with an account, it cannot be re-accessed by the individual via a self-service / MyAccount homepage. Under these circumstances, details of form submissions would instead need to be retrieved by a customer services operative using the form submission reference that is provided to end users (usually provided on the form’s ‘Thank you’ page or emailed receipt - both of which can be content managed). Whilst the data would need to be manually collated under these circumstances, this would allow you to meet the right of access provision.

Where an individual has an online account they can access their cases and associated data through their MyAccount page via the My Cases widget or through links to their case in email notifications received. All data fields that the customer may wish to see must be given visibility for the ‘citizen’ user role.

Where the individual does not have an online account, staff will be required to search for the relevant cases to which the individual is requesting access. Once the individual’s case(s) have been identified they can be invited to sign up for an online account which will give them access to their case data.

The right of rectification

Individuals are entitled to have personal data rectified where it is inaccurate or incomplete. The account functionality within Continuum CMS, XFP and CXM provides individuals with a secure self-service system to update their stored personal details. A workflow for updating title, date of birth, phone number and address can be created within CXM, with further development planned in this area.

Corrections to past form submissions would need to be provided as a new / follow-up form submission to meet the right of rectification, as the user has no self-service facility to recover ‘their’ form submissions. This process may need to be explained to the end user within form instruction text as necessary, as well as being reviewed with regard to your internal business processes so that customer services are aware of what needs to happen with newly received data. This could include the addition of routing-logic-based questions within the XFP form structure, such as “Are you submitting a new XYZ or updating us with new details?”.

The right to erasure

This is also known as “the right to be forgotten” and is essentially the right of an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.

Continuum CMS provides a delete account feature within the Control Center (for use by staff such as Customer Services). Further development will be undertaken to provide this feature to users directly on their account page. Data retention policies are already in place to remove data on login frequency.

Continuum XFP provides data retention policy functionality that can be targeted at registered users only, unregistered users only, etc., to allow these to be managed independently. Improvements to be able to remove a specific user's form submissions are planned and will be available in advance of the regulation changes.

CXM customers are already provided tools for compliance. Rules can be used to remove data from case fields and online user accounts can be deactivated etc. Further improvements are planned for the process by which a customer’s data can be removed upon request, as well as being able to set data retention policies for data that no longer needs to be held (rather than being rule controlled as described above currently), whilst retaining non personally identifiable data for MI & reporting purposes.

The right to restrict processing

Under GDPR when processing has been restricted, you have the right to store the personal data, but not process it further. You can retain just enough information about the individual to ensure that the restriction is respected in future.

We are working to establish what impact this requirement might have across our products.

The right to data portability

In brief, the right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.

Development is being scoped to allow users to extract case data related to an individual as a CSV file, as well as allowing a report of forms submitted by an individual to be run and made available as a CSV file.

We are working to establish whether further data should be provided in a portable format from across our products.

The right to object

Individuals have the right to object to direct marketing and processing for the purposes of scientific/historical research and statistics.

Continuum CMS allows individuals to indicate that they do not want to receive marketing emails from the organisation while registering, and this can be updated at any point via the secure self-service area. Marketing emails sent by Continuum CMS include an unsubscribe link that also updates their account preferences accordingly.

Further improvements are planned in CXM to make it easier for customers to unsubscribe from email notifications and for customers using CXM to fulfill requests and tasks that relate to customer data.

Rights related to automated decision making and profiling

GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without any human intervention. At present, Continuum CMS, XFP and CXM do not contain automated decision making, only data based rules and routing within CXM and XFP for potential routing of submitted data. We will however keep this user right in mind as part of future work we are undertaking in the areas of Machine Learning & Artificial Intelligence that we have showcased at recent Jadu Academy user groups.

Summary of current & planned functionality

The right to be informed

Current functionality:

  • Creating and maintaining a privacy note in CMS, linked to from XFP.

Planned functionality:

  • Providing a privacy note on account registration.

The right of access

Current functionality:

  • Account page that provides details of information submitted by the individual in CMS, XFP and CXM.
  • Anonymous XFP forms can be exported by Customer Services / Administrators based on form reference provided.

Planned functionality:

  • None currently known.

The right of rectification

Current functionality:

  • Change details form to update held details in CMS, XFP and CXM.
  • An XFP form to update non-account based information supplied.
  • A CXM workflow can be created for updating title, date of birth, phone number and address.

Planned functionality:

  • Improvement to enable customers to update details through their online account.

The right to erasure

Current functionality:

  • Delete account feature within CMS/XFP, available to Customer Services / Administrators only.
  • Login data retention policy in CMS.
  • XFP data retention policies for registered and unregistered user form submissions.
  • CXM rules can update or remove data from case fields and online user accounts can be deactivated.

Planned functionality:

  • Delete account feature offered via individual’s account page in CMS/XFP.
  • XFP data retention policies targeted at a specific individual’s data.
  • Data retention policies in CXM.
  • Improvements to the process by which a customer’s data can be removed upon request in CXM.

The right to restrict processing

Current functionality:

  • None.

Planned functionality:

  • None currently known.

The right to data portability

Current functionality:

  • Semi-automated process to provide data using CSV case export and manual extraction.

Planned functionality:

  • Form submission report in XFP and automated case and person data export to CSV from CXM.

The right to object

Current functionality:

  • Individuals can opt out of marketing emails whilst registering in CMS / non-CXM environments.
  • Unsubscribe link in marketing emails sent via CMS.

Planned functionality:

  • Improvements in CXM to allow individuals to opt out of future updates / notifications.

Rights related to automated decision making and profiling

Current functionality:

  • No automated decision making takes place, only data based rules.

Planned functionality:

  • None currently known.
