Under GDPR rules we need to be able to capture "Consent" for the holding of personally identifiable data. As we are able to hold Name and Email addresses, this constitutes PII.
As part of the portal therefore we need:
1) the ability to add a consent statement when people register for the portal or add ideas
2) the ability to capture the fact they have given consent and the date
3) the ability to delete people who have registered for the portal
4) the ability to provide a report of what information we hold about a person when we receive a subject access request.
It is now possible to configure ideas portals to capture additional consent. This is helpful if you wish to use portal user information outside of Aha! It is also now possible to delete portal users upon request directly from the Portal users tab.
Hi Chris, you say that the name and email address provided while signing up for an idea portal is not used by Aha! for other purposes. Is there anything in the privacy policy to this effect? All I see in there is a statement that personal information can be used for many purposes, including research. I assume that statement is meant to apply to customers of Aha! (and not users of an ideas portal) but the privacy policy isn't clear on this point.
Are there any updates to this? We are specifically looking for ways to add a consent statement, preferably when the data is collected (email, first / last) or at least in the confirmation email. Your privacy policy states that we are responsible for obtaining consent - but you provide no mechanism to achieve this in a compliant way.
Second, we need a way to make withdrawing consent as simple as granting it. Forcing users or customers to put in support requests does not satisfy this requirement.
It would also be best if there was an unsubscribe link in all of the emails. This could point to the same location as the core link in the email, but using the unsubscribe makes it clear that this is where to go to unsubscribe from a thread.
The ICO guide linked in this thread provides excellent resources regarding all of these items
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/consent/
may help in terms of understanding the consent process
Hi Chris,
Thanks for the feedback. I think my issue here is that it's not "easy" to manage the PII data in AHA from a Data Processor or Controller perspective.
There is no specific "Consent" statement, which is absolutely required under GDPR, informing the user of how their data will be stored and used.
There is no way of easily performing a subject access request search when someone asks: what do you (and AHA) hold about me?
There is no easy way of doing a bulk delete if someone objects to us holding said data.
Thanks
Ben
Aha! has a Data Processing Agreement (DPA) available for EU customers who need one - contact support@aha.io for that.
Signing up for an ideas portal by providing a name and email address is an unambiguous and affirmative action that the user wishes that information to be processed in the context of the idea portal. This information is not used by Aha! for other purposes, and if it were to be used for other purposes then additional consent would be required.
I disagree that this already exists as GDPR calls for the person to give explicit consent to a privacy policy that the data controller (those who contract with Aha to use the product) creates and also reflects the policies that you operate to as the data processor (in case you use it in any other way). This cannot just be implied through signing into a portal and not knowing how your data will be processed.
GDPR also requires the ability to withdraw consent so a mechanism must exist to do that.
The GDPR Right to be forgotten needs to be considered as, although we can ensure that the data is deleted, we would need to know that Aha and your service providers will also delete that data.
Here are the answers to your requests: