If you are lucky enough to be one of our hosted clients, Circle is your Data Processor
and so when the GDPR
comes into force in May 2018 our relationship and in particular, Circle's responsibilities will change.
We aim to ensure that we deal with the consequences of this change ahead of time and in a way that makes things as easy as possible for you. Here's what's in store:
As we move through this change with you, we'll be providing general advice that will help you become more secure in your day to day management of personal data.
Our first piece of advice is Don't Panic! Everyone is in the same position and if you have been complying with the Data Protection Act (DPA), you should be fine transitioning to the requirements of the GDPR. And you can be sure that we're doing everything we can to ensure that from a technical perspective, you will be compliant.
However, as you start to prepare for these changes, you should document your decisions and any new practices, processes or policies that you adopt. Even if you don't amend your policies at this stage, it's a good idea to keep track of progress, both for your own sense of achievement and to show anyone whose data you hold that you are taking this seriously and are doing something to make your processes even better. Of course if the worst were to happen, and you did actually have a data breach at some point, the ability to show that you have been attempting to do the right thing would be useful.
We'll be sending you a new contract to cover some of this, and to include stronger wording on our security procedures and confidentiality agreements. The new contract will also include an annual review of key aspects of your security such as user accounts, permission levels, data subject communication preferences and so on.
Audits of your data
We’ll be carrying out regular data audits, either annually or more frequently if required. These will be looking at things like regularly reviewing roles/permissions, the processes you have in place around handling data received via online ‘sign-ups’ and the relevance of contacts receiving any direct mailings.
Working behind the scenes to make CiviCRM compliant
The CiviCRM community are producing a ‘GDPR communications extension’ that will introduce changes to the communication preferences enabling individuals to better control their personal data as specified in GDPR guidelines, ensuring directives are met. The extension is expected to be completed February 2018 – we’ll be applying this to all CiviCRM sites we host.