If your program handles personal data of any person located in the European Union, the EU General Data Protection Regulation (GDPR) requires your organisation to comply with the regulation, regardless of where in the world your organisation is located. You are well advised to familiarise yourself with the regulation; there are many helpful, plain-language guides online. The full text of the regulation is available on a neatly arranged website here.
Complying with GDPR may not be relevant for you. In any case, we still encourage best-practice protection of personal data wherever you are. There are likely to be other data protection laws that do apply to your organisation. This article highlights Award Force features to help you comply.
Data protection preparation checklist
Review the configuration of the following features available in Award Force to help you with data protection compliance. Summary of steps, with further detail below:
- Agreement to privacy policy, activation
- Consent to receive notifications and broadcasts, activation
- Subscription preferences, familiarisation
- Cookie notice and consent, activation
- Fields containing personal data, review and activation
- User permanent deletion, familiarisation
- Sign a Data Protection Addendum with Award Force
Agreement to privacy policy
To obtain explicit agreement from users to our standard (GDPR compliant) privacy policy, cookie policy and terms of service, activate this feature as follows:
- In the Manage workspace, go to Settings > Users > Registration
- Tick the checkbox Display checkbox requiring agreement to terms
- You may also choose to Modify default text and/or linked policies; please see more details regarding updating the Privacy Policy here
- Click Save
With this feature activated:
- New users will be required to tick a box when registering to confirm that they agree to the terms
- Existing users, when they next log in, will be asked to agree to the terms
- Users' agreement is recorded with the text they agreed to, timestamped, on their user record
Consent to receive notifications and broadcasts
To obtain explicit consent from users to receive notifications/broadcasts, activate this feature as follows:
- In the Manage workspace, go to Settings > Users > Registration
- Tick the checkbox Display checkbox for optional consent to receive notifications and broadcasts
- You may also choose to Modify default text
- Click Save
With this feature activated:
- New users can optionally tick a box when registering to indicate that they consent
- Existing users, when they next log in, will be asked to consent
- Users' consent is recorded with the text they agreed to, timestamped, on their user record
Related: Privacy policy and terms of service
Subscription preferences
All broadcasts and notifications sent from Award Force include a link in the email footer to "Unsubscribe from our emails". This link takes the recipient to a preference centre on their account. You can see what this looks like and the options as follows:
- Log in to your account, click on your name at top right, then Profile
- Go to the Preferences tab
An article linked from that tab explains to users the importance of your broadcasts and notifications. You can see that article here.
Cookie notice and consent
To obtain explicit consent from users to the use of cookies, activate this feature as follows:
- In the Manage workspace, go to Settings > Users > Registration
- Under the 'Cookies' heading, select the Request explicit consent to cookies from users checkbox
- Click Save
- You may also choose to modify the default consent text by going to Content > Content blocks in the Manage workspace and clicking on Cookie notice to edit
With this feature activated:
- Users who have not made a consent selection will be shown a "Cookies in use" message at the top of the page, with the option to Allow cookies
- Users' consent is recorded with the text they agreed to, timestamped, on their user record
- Users can change the cookie consent option at any time by going to the Preferences tab on their Profile
Related: What does the 'Cookies in use' banner mean?
Fields containing personal data
You should review all fields configured on your program for whether they are collecting and storing personal data. On field configuration there is a Data protection option that you can set to one of:
- Standard
- Elevated (personal data)
- Maximum (sensitive personal data)
There is more detail about data protection on fields here.
User permanent deletion
Under GDPR and other data protection laws, data subjects (your users) have the right to erasure, also known as the ‘right to be forgotten’. A user has the legal right to ask you for their personal data to be permanently deleted from your records, which you must action. Users are not able to action this permanent deletion themselves, but you can permanently delete a user from Award Force on their behalf.
Find more details about the permanent deletion of users here.
Data Protection Addendum with Award Force
To comply with GDPR, you need to have a Data Protection Addendum (DPA) in place with us. With respect to the handling of personal data in your account under GDPR, your organisation is the data controller, and Award Force is the data processor. Article 28 requires a contract that binds the processor (that’s Award Force) to apply appropriate data protection measures when processing data on behalf of the controller (that’s you).
Please note the DPA is incorporated into our standard agreement (ref: Standard agreement, clause 1.8, the DPA), which means it is already in place and signing a separate document is not necessary.