GDPR: A user guide for the latest CiviCRM extension

As many of you reading this will know, the CiviCRM community has been developing a communications extension to make it easier for users to work towards GDPR compliance. You can read CiviCRM's blog on the GDPR and the extension here.

Circle is installing the extension as standard for all of our clients. It's important to note that it won't automatically make your organisation GDPR compliant, but, if used properly, it can help you to become compliant.


Setting permissions
GDPR settings dashboard
Data policy
Terms and conditions (events and contributions pages)
Contacts without activities
Searching group subscriptions by date range
Communications preferences
GDPR tokens
GDPR summary tab on records
Forget Me button


So here's the lowdown on what the new extension includes...

  • A new GDPR tab in the contact summary, which displays the group subscription log for the contact, and tells you the date(s) on which the contact last accepted your organisation's data policy and updated their communications preferences
  • User-friendly communications preferences page
  • Four new tokens for use in mailings
  • Allows you to record the preferred communication medium for each group (currently, CiviCRM supports include or exclude from a group, but it does not allow users to select the communication medium that should be used)
  • Allows you to record the point of contact for data protection for your organisation
  • Enables the custom search 'Search Group Subscription by Date Range'
  • Allows you to search for contacts who have not engaged in specific activities for a set time period
  • Prompts acceptance of your organisation's data policy/event terms and conditions when a contact logs in or registers for an event, and records these in the contact's GDPR summary tab, along with a copy of the data policy/terms and conditions agreed to (NB: this capability is currently Drupal-specific)
  • Includes 'the right to be forgotten', which allows CiviCRM users to easily anonymise a contact, hiding any personal details, but retaining financial and other history

So there's a lot - and we've created the following handy guide to ensure you can all get the very most out of the extension.

Setting permissions

Once the extension is installed, you will first want to set the Civi GDPR access permissions. You can do that at <yoursitename> Administration > People > Permissions.

Scroll down and you'll see the new GDPR access options:

Then you need to decide which users should get these permissions - just tick the checkboxes next to each to enable them, and save.

GDPR settings dashboard

Now go to your Civi site. First, you'll notice the new GDPR Dashboard menu item under 'Contacts':

When you click on this, you'll be taken to the GDPR settings dashboard, which looks like this (this is just the first three sections of the page - there are five in total):

When you first arrive at this page, a message will pop up in the top right-hand corner, prompting you to complete your organisation's GDPR settings.

The first item you can see is 'Point of Contact', which should be your organisation's point of contact for data protection. The red asterisk next to the field name indicates that this information is mandatory.

The next section is 'Activity types'. This is where you can set up a search to find contacts who haven't engaged in certain activity types for a specific time period. For example, you may want to search for all individuals who haven't received a bulk mailing, made an enquiry, or registered for an event in the last 365 days.

Section three is 'Forget me'. This is where you set up the name you would like to be applied to all contacts who request anonymity. You can also specify here that whenever a contact is anonymised, an email is sent to your organisation's point of contact for data protection, notifying him/her of this action. (More on this process below.)

The second half of the GDPR settings page looks like this:

Data policy

The 'Data Policy' section refers to your organisation's data policy (needless to say!) and any terms and conditions you might ask individuals to agree to. Civi asks you to upload a copy of your Data Policy, and when you do this, you'll notice a checkbox with a note below:

If you tick this checkbox, the policy will appear on the Communications Preferences page, so that users can review and agree to it. When they do, Civi will record this on their record as an activity, along with a copy of the updated policy.

Terms and conditions

The last section is where you can set up terms and conditions for your event registration and contribution pages. Civi asks you to upload a copy of your terms and conditions, and you can enable these for every event page and/or every contribution page.

If you set up terms and conditions for your events, when a user registers online, they will be asked to review and agree to them:

If the user ticks this checkbox and completes registration, the event terms and conditions acceptance will be added to their record as an activity:

It's a similar process for contributions pages. You'll notice a new 'Terms and Conditions' tab when you go to configure one of these pages: 

Click on this tab, and you can edit the terms and conditions settings for this specific contribution page:

You can change your GDPR settings whenever you like. Once you've saved them, your GDPR dashboard will look something like this:

Contacts without activities

You can see here that there are 134 records who haven't had / engaged in various specific activities for 200 days. The number '134' to the right of the activity types is a link, and when you click on it, Civi will show you a list of those records, which looks like this:

If you select all of these records (by checking the radio button next to 'All 134 records'), you can then select from the 'Actions' drop-down menu just below. Do that, and the menu will look something like this:

You can then choose to apply a specific action to that group - whether that's emailing them, deleting them, or adding them to a smart group.

Searching group subscriptions by date range

If you go back to your GDPR dashboard page, you'll notice that you can search group subscription by date range. Click on this, and you'll be taken to a page that looks like this:

This is fairly self-explanatory - it's just a quick and easy way to search Civi for any subscription changes to groups, or to check the group status of an individual record. When you click 'search', Civi will display a list for you.

Communications preferences

Go back to the GDPR dashboard again, and the final item on the page is 'GDPR settings'. As mentioned, you can edit or update these settings whenever you like - just click on the appropriate link. Let's look at the 'Communications Preferences' settings. Click on the link, and the page will look something like this:

This is where you can set up a page where logged-in users can update their communications preferences. 

Using 'Channels', you can ask users to consent to communications via email, phone, post and/or SMS - just check the 'Enable Channels' box. Once you've done this, you'll see that you can customise the message your users see above the opt-in checkboxes.

Next, you can enable your users to opt in to specific mailing groups - again, tick the relevant checkbox. It's important to note here that this capability only works for mailing lists for which visibility is 'expose publicly'. Users will not be able to opt in to mailing lists that do not have the 'Public Pages' visibility attribute.

Finally, you can customise the message users see once they've completed this page and submitted their preferences. In terms of the GDPR, we would advise that it's important to tell users that they can update their preferences at any time by returning to this page on their user profile.

Once you've completed these sections, click save, then scroll back up to the top of the page and click on the blue 'Communications preferences page' link. You'll be taken to a Civi page that looks something like this:

This is the communications preferences page that users will now be able to update. Note that right at the bottom of the page is a copy of your organisation's data policy for your contacts to read through and accept. If and when a contact does that, this action will be logged in the GDPR summary on their Civi record. If you want to see this, complete the communications preferences page for a test record, and accept the data policy.

GDPR tokens

There are four new tokens for use in mailings, and these are in the usual 'Tokens' area when you begin drafting a new mailing. These tokens automatically add a checksum to links, so your users won't have to log in to update their communications preferences. You can find the first two tokens under the header 'Communications Preferences', and they are:

  • Communication Preferences Link (Bulk Mailing): This token creates a clickable link to the communications preferences page in a bulk mailing template, and includes a user checksum: {CommunicationPreferences.comm_pref_supporter_link}
  • Communication Preferences URL (Bulk Mailing): This token creates a plain URL, and includes a user checksum (so this token could, for example, be used for clickable images): {CommunicationPreferences.comm_pref_supporter_url}

The second pair of tokens are under the header 'Contact', and they are:

  • Communication Preferences Link: As above, this token creates a clickable link in the template, with the description taken from the settings, and includes a user checksum: {contact.comm_pref_supporter_link}
  • Communication Preferences URL: Also as above, this token creates a plain URL, and includes a user checksum: {contact.comm_pref_supporter_url}

You can test this functionality out by sending yourself a mailing including one of the tokens. If you don't already have one, make a record for yourself on your organisation's CiviCRM. Once you've done that, go to your record and click on 'Actions', which will open up this menu:

If you then click on 'Communications Preferences Link' in the second column, Civi will open the communications preferences page in a pop-up. Close that, and click on 'Send an email' in the first column. To include the communications preferences page link in the message, choose from the Tokens menu just above and to the right of the body of the email:

For this email, select 'Communications Preferences link' under 'Contact'.

When you receive your email, it should contain this link:

And when you click on this link, your browser will open your site's Communications Preferences page, where you can update your details and preferences.

GDPR summary tab on records

To view the new GDPR summary tab, go to any contact's record. You'll notice the tab at the end of the main menu (circled in green below):

When you click on the GDPR tab, you'll open a summary of GDPR-related activities with that contact:

This is where you can see any GDPR-related activity with the contact. You'll notice in the screenshot below that this particular contact has accepted the data policy, and that Civi has recorded the exact date and time that this happened - and you can look at the data policy by clicking on the blue link.

You'll also notice that Civi has recorded the date and time that the contact last updated their communications preferences.

Forget Me button

Finally, just above the blue summary tab is the 'Forget Me' button. Under the GDPR, individuals have the 'right to erasure' - and if the request is legitimate, organisations must comply.

The 'Forget Me' button allows you to easily anonymise a contact, which will hide any personal details, but retain financial and other history. When you click on it, the below warning message pops up, reminding you of the process. The action is irreversible:

As we saw earlier on the GDPR settings page, you can specify the name you would like to use for your anonymised contacts. You can also automate an email to your organisation's data protection point of contact whenever this button is used.

When you use this button, you will:

  • Remove the contact's name, and amend the last name to the one specified on your GDPR settings page
  • Remove the contact's identifying information
  • Cancel all active memberships, and update the status of these to 'GDPR Cancelled'
  • Create a 'GDPR Forget Me' activity

Which brings us to the end of our user guide - we hope it proves helpful to all CiviCRM users. For more, please see the CiviCRM documentation here.

As ever, if you have any questions or need further support, please contact us.
