HandsOn Connect and the EU General Data Protection Regulation (GDPR)
This article is intended for HandsOn Connect (HOC) customers that are affected by the General Data Protection Regulation (GDPR) going into effect on May 25th, 2018. It is not legal advice, just some information we believe might help.
HandsOn Connect (HOC) is committed to your privacy, keeping your personal data secure, and compliance with the General Data Protection Regulation (GDPR) which goes into effect on May 25th, 2018. GDPR is a major step in protecting the privacy of European Union (EU) residents, giving them more control over what, how, why, where, and when their personal data is used.
For illustrative purposes only, we have also provided a sample of a GDPR Notice you can use to get started with your own notice:
Let’s start by briefly describing what is what, who is who and who does what, because GDPR is extensive and depending on the role you play in interacting with the user data, you have different obligations.
First, let’s understand some key terms related to the GDPR, as defined by the UK's Information Commissioner's website:
Means data which relate to a living individual who can be identified:
|Sensitive personal data||
Sensitive personal data means personal data consisting of information as to:
|Data Subject||Means an individual who is the subject of personal data. In the context of HOC is usually means a user that has a registered account created through or used in HOC (e.g., volunteer, partner).|
A person who (either alone or jointly or in common with other persons) or entity that determines the purposes for which and the manner in which any personal data are, or are to be, processed.
If you are an individual or entity that uses HOC to deliver services to users, you are a Data controller.
In relation to personal data means any person (other than an employee of the data controller) or entity who processes the data on behalf of the Data Controller.
HOC is a Data Processor to those individuals and entities who use our services for the process of delivering services to users who are registered on a HandsOn Connect instance.
In relation to personal data means any person or entity other than:
Based on the definitions above, since HOC is a Software-as-a-Service (SaaS) and we process our client’s data, in GDPR lingo we are known as a Data Processor. Our clients control the use of their user’s data. Hence a HOC client will more likely be a Data Controller.
1. What do you need to know as a HOC client and Data Controller?
As a HOC client, and a Data Controller, who uses HOC to provide users (e.g., volunteers, partners) with services, and captures their information, especially if the user is an EU resident, there certain things you are responsible for under GDPR. We attempt to simplify them here, but please make sure to review the GDPR act and consult with your legal counsel.
First, understand that as HOC client you are most likely a Data Controller, since you, alone or with others, “determine the purposes for which and the manner in which any personal data are processed”. As such you remain responsible for ensuring the processing complies with the Act, whether you do it in-house or engage a Data Processor (e.g., HOC, Salesforce, Click & Pledge, MailChimp).
Ad HOC customer, it is likely that your main system is Salesforce, hence a lot of what you need to do to comply with GDPR is tied to Salesforce. To learn more go to:
To help meet the Data Controller requirements for GDPR, there are a couple of things you can do:
What you can do...
Obtaining Data Subject Consent
Ability to Withdraw Data Subject Consent
Right to Be Forgotten
This is probably the best-known obligation. Data Subjects have the right to have their personal data removed from the systems of controllers and processors under some circumstances, such as by removing their consent for its processing.
Salesforce provides all the necessary tools to make sure you can erase the data for a user. This task can take several steps and may vary, depending on the complexity of your contact record, if you keep user data in other objects, the different apps that use the data, and any integrations you might have internally or with third-parties.
Salesforce allows customers to delete personal data at both an organizational level and an individual level. For more information, please see:
The processor shall take appropriate measures to provide any information referred to in Chapter 3 and any communication under this article related to the data subject.
HOC as a data processor will provide any information related to:
Data subjects also now have the right, in certain circumstances, to receive the personal data that they have provided to a controller in a structured, commonly used and machine-readable format.
Right to the restriction of processing
Restrictions concerning specific principles and the rights of information, access to and rectification or erasure of personal data, the right to data portability, the right to object, decisions based on profiling, as well as the communication of a personal data breach to a data subject and certain related obligations of the controllers may be imposed by Union or Member State law.
Provide a mechanism; even if it is a way to submit a written request, to allow your users to opt-out:
2. What is HOC doing regarding GDPR and its role as a Data Processor?
At HOC we have always taken data privacy and protection very seriously, by meeting the industry standards by building our application on platforms, such as Salesforce and Azure, certified with industry standards, such as ISO 27001, SOC 2 Type 2, and EU-U.S. Privacy Shield, as well as compliant with GDPR.
Since HOC is a Salesforce App and HOC uses Salesforce as the primary data storage, we are fortunate that this effort is greatly facilitated because many of the Data Processor requirements are provided by and through Salesforce. To learn more about Salesforce’s GDPR compliance, please visit:
We are committed to addressing EU data protection requirements applicable to us as a Data Processor. To this effect we are:
- Identifying personal data: we have audited the default collection of personal data, as well as its usage, storage, and disposal.
- Providing visibility and transparency: As a Data Processor, HOC's key role is to provide our clients (i.e., Data Controllers) with the tools and access to effectively manage and protect their user data, as described in section 1 of this document.
- Enhancing data integrity and security: As our customers tighten their data security measures, we are doing the same, by implementing IT policies and procedures that provide end-to-end security.
- Portability and transferability of data: Leveraged by using Salesforce to comply with the user’s the right to either receive all the data provided and processed by the controller or transfer it to another controller depending on technical feasibility, as described in section 1 of this document.
Data Sub-processors used by HandsOn Connect
HOC uses several systems, technologies, and tools to deliver its services. We maintain the following list of sub-processors:
- Salesforce: Customer Relationship Management. United States.
- Microsoft Azure: Application hosting. United States.
- QuickBooks: Customer invoicing, payment processing and credit card processing. United States.
- Google Analytics: Application analytics. United States.
- Jira: Development issue tracking and reports. United States.
- Raygun: Error, Crash & Performance Monitoring For Web & Mobile Apps. United States.
- Logentries: Application Logs. United States.
- Zendesk: Customer support and documentation. United States.
- Hootsuite: Social media management. United States.
- All for Good (Points of Light): Volunteer opportunity aggregator and search. United States.
- Cabot Volunteer Rewards: Opt-in rewards program for volunteers. United States.
- Squarespace. Website host. United States.
If GDPR affects you, it will take some time and work to comply, if you haven't already. In the end, we believe that the GDPR is a positive for both individuals and organizations.
Although we cannot implement GDPR for you, If you have any questions contact us at [email protected] Remember to consult with your legal counsel.
Add your comment