GDPR Compliance in Ideas Portal

Under GDPR rules we need to be able to capture "Consent" for the holding of personally identifiable data. As we are able to hold Name and Email addresses, this constitutes PII. 

As part of the portal therefore we need:

1) the ability to add a consent statement when people register for the portal or add ideas

2) The ability to capture the fact they have given consent and the date

3) the ability to delete people who have registered for the portal 

4) the ability to provide a report of what information we hold about a person when we receive a subject access request.

  • Ben Bishop
  • Feb 12 2018
  • Shipped
Release time frame
  • Jun 1, 2018

    Admin Response

    It is now possible to configure ideas portals to capture additional consent. This is helpful if you wish to use portal user information outside of Aha! It is also now possible to delete portal users upon request directly from the Portal users tab.

  • Attach files
  • Admin
    Chris Waters commented
    February 15, 2018 22:38

    Here are the answers to your requests:

    1. Since registration for an idea portal is a explicit act it is not clear that any separate consent is necessary. The personal information entered into the portal (name and email address) will not be used by Aha! for any other purpose.
    2. The date of signup for the portal is captured.
    3. Idea portal users can be deleted by Aha! upon request.
    4. A report on information stored about a person can be provided by Aha! upon request.
  • Dave Tucker commented
    March 5, 2018 17:48

    I disagree that this already exists as GDPR calls for the person to give explicit consent to a privacy policy that the data controller (those who contract with Aha to use the product) creates and also reflects the policies that you operate to as the data processor (in case you use it in any other way). This cannot just be implied through signing into a portal and not knowing how your data will be processed.

    GDPR also requires the ability to withdraw consent so a mechanism must exist to do that.

    The GDPR Right to be forgotten needs to be considered as although we can esnure that the data is deleted we would need to know that Aha and your service providers will also  delete that data.

  • Admin
    Chris Waters commented
    March 7, 2018 21:19

    Aha! has a Data Processing Agreement (DPA) available for EU customers who need one - contact support@aha.io for that.

    Signing up for an ideas portal by providing a name and email address is an unambiguous and affirmative action that the user wishes that information to be processed in the context of the idea portal. This information is not used by Aha! for other purposes, and if it were to be used for other purposes then additional consent would be required.

  • Ben Bishop commented
    March 19, 2018 11:22

    Hi Chris, 

    Thank for the feedback. I think ,my issue here is that its not "easy" to manage the PII data in AHA from a Data Processor or Controller perspective. 

    There is no specific "Consent" statement which is absolutely required under GDPR which informs the user of how their data will be stored and used

    There is no way of easily performing a subject access request search when someone asks - what do you (and AHA) hold about me

    There is no easy way of doing a bulk delete if someone objects to us holding said data

     

    Thanks

    Ben

  • Ben Bishop commented
    March 19, 2018 11:23
  • Bob Sisson commented
    April 5, 2018 15:37

    Are there any updates to this.  We are specifically looking for ways to add a consent statement preferably when the data is collected (email, first / last) or at least in the confirmation email.  Your privacy policy states that we are responsible for obtaining consent - but you provide no mechanism to achieve this in a compliant way.

    Second we need a way to make withdraw a simple granting consent.  Forcing users or customers to put in support requests does not satisfy this requirement

    It would also be best if there was an unsubscribe link in all of the emails.  This could point to the same location as the core link in the email, but using the unsubscribe makes it clear that this where to go to unsubscribe from a thread.

    The ICO guide linked in this thread provides excellent resources regarding all of these items

  • Todd K commented
    June 1, 2018 19:25

    Hi Chris, you say that the name and email address provided while signing up for an idea portal is not used by Aha! for other purposes.  Is there anything in the privacy policy to this effect?  All I see in there is a statement that personal information can be used for many purposes, including research.  I assume that statement is meant to apply to customers of Aha! (and not users of an ideas portal) but the privacy policy isn't clear on this point.