Data protection and privacy is getting more attention in the software world and the European Union is leading the way with the new General Data Protection Regulation, in effect on May 25, 2018. The one overarching principle made clear in the opening sentence of the GDPR is: "The protection of personal data is a fundamental right." We anticipate over 80% of Nimble AMS customers will be affected by the GDPR as many are collecting, or have, data from European citizens. Now, both Salesforce and Nimble AMS are ready to help you put the right pieces in place in order to be compliant. It is important to keep in mind that Nimble AMS is only a piece of the puzzle when it comes to ensuring compliance with the GDPR.
Assessing Your Role
As you begin assessing what your association should do to comply with data protection and privacy regulations, it is important that you learn about the regulations and seek counsel where needed. Here are a few resources to get you started:
- Get to Know EU Privacy Law Trailhead (external)
- Accelerate your journey to GDPR readiness with Salesforce (external)
Understanding Your Responsibilities
In the world of the GDPR, your association is known as the "data owner" and Nimble AMS and Salesforce together are known as the "data processor". Each has certain responsibilities to ensure your constituents' data is secure and private. Various regulations include principles that are similar to one another, so we give you guidance on some of the common privacy principles.
Your constituents' data is their own, and you should ask for their consent to use it. Consent should be explicitly requested from constituents, and they should be given very clear options to consent, or not.
You may need to request consent for multiple different uses of constituent data, both short term and long term. For example: You might have a general consent request for gathering, storing, and acting on constituents' contact information, but a separate consent to use their social media information as part of an upcoming social media promotion that relies on a third-party service. As another example: You are most likely using web cookies to provide a rich experience for your constituents; you will need their consent for this as well.
Additionally, consent should be given on a continual basis as you continue to house and work with constituents' data. For this reason, constituents should be prompted regularly to consent, to ensure they are continually aware of how you use their data.
You should determine what consent options you should track—and when—based on your association's needs. These are just a few examples to serve as a guide.
Fairness and Transparency
Be clear with your constituents about:
- How you track them (with web cookies and otherwise)
- What you will do with their data
- How they can update their data
- How they can request a copy of their data
- How they can ask to be forgotten if they no longer want their data to be identifiable
You should also review and document how you use constituent data. For example: To what third-party solutions do you send data? Do you have copies of constituent data in an external database? Does your Support department keep constituent records in a different system?
Constituents can request that you disallow access to—and modification of—their data. For example: You might use a field on a record or an automation to ensure that their data is not further processed by any party. Constituents can also, in certain cases, object to the processing of their data. For example: If the processing of constituent data is for direct marketing purposes.
Data Updates, Exports, and Anonymization
Constituents should be able to easily update any of their data to ensure it is accurate. Constituents can also request a copy of their data, whether they want to take it elsewhere or just see what data you have collected from them. Finally, constituents can ask your association to forget them altogether. This could mean manually deleting some, or all, of their data from Nimble AMS, but more likely it means anonymizing their data so that the financial information you need to retain is kept, but can no longer be used to identify the constituent.
Implementing Privacy Solutions
Learn about the guidance and tools in Nimble AMS and Salesforce that help your association comply with various data protection and privacy regulations.
- An anonymize individual process has been added so staff can process constituents' requests to be forgotten.
- An Anonymized field has been added to the Contact object so you can track whether a constituent's personally identifiable information has been anonymized.
- When constituents request their data, a task is created and related to their account so you can track when the data is due. You can set the number of days from a data export request until the related task is due, in accordance with data protection and privacy regulations. Learn more about how staff view a data export request, or how you can set up a Data Copy Request in Community Hub.
- The following components have been added to Community Hub:
Things to Keep in Mind
- Though Salesforce and Nimble AMS give administrators tools to keep constituents’ personal data secure and private, it is up to your association to determine how you will comply with data protection and privacy regulations, like the GDPR.
- With the Spring '18 release, Salesforce added the Individual object, which is related to a constituent's account and is intended to hold consent tracking fields related to data protection and privacy matters. At this time, the Individual object is inaccessible to those with community licenses, that is, your constituents. To help you track your constituents' consent in the interim, consent tracking fields have been added to the Contact object. We are working with Salesforce around the limitation, and plan to transition to using the Individual object as soon as it is made available.
- Anonymizing individuals is only available in Lightning Experience.
- You will be able to anonymize individuals and use consent-specific fields in Staff View. If you are using Self Service, there are options available to you, such as configuring the Self Service page layout to provide a central place for consent preferences.
- Though you should share with constituents what you do with web cookies and attain their consent to use them, you are not required to share what you do with actual, edible, cookies. We recommend you assess the edible cookies at your association and decide how best—if at all—to share them. As your data processor, we can assure you that sharing all types of cookies is a best practice, and should be done often.