The General Data Protection Regulation (GDPR) is an EU law that will be enforceable from 25th May 2018, and in the UK will replace the aging Data Protection Act. It is designed to both strengthen and harmonize data protection across EU member states, and is directly applicable to all organizations ‘established’ in the EU, irrespective of whether the actual data processing takes place in the EU or not. Even if not established in an EU country, certain organizations with substantial activities in the EU will need to comply with GDPR. Please refer to our infographic Could You Be Subject to GDPR? for further guidance on whether or not GDPR may apply to your organization. Such organizations that are subject to GDPR and collect, store or process personal data must comply with GDPR’s Data Protection Principles and other conditions of processing. New obligations on data controllers include expanded data subject rights, mandatory data breach notification, an enhanced focus on accountability and the appointment of Data Protection Officers. Personal data must still be processed fairly and lawfully, justified by one of six legal bases that have remained substantially similar between the Data Protection Act and GDPR, including with the data subject’s consent. Arguably the most significant change, however, is the requirement that a data subject’s consent to process their data must now be ‘unambiguous’ and given via a ‘clear, affirmative action’. The penalties are also set to change, standing at a maximum of €20,000,000 or 4% of global revenue; whichever is higher. For a more in depth discussion of GDPR’s operational effects, please read Blackbaud’s datasheet Important Impacts of GDPR. Undoubtedly, therefore, GDPR requires organizations processing personal data to implement significant operational reform. Blackbaud has designed the following solution functionality to assist our customers in achieving this reform.
In order to support the upcoming enactment of GDPR, functionality was added in this release to ensure organizations capture explicit consent from their constituents before communicating with those constituents by any channel, such as mail, email, or phone.
To support GDPR, a new consent solicit code type was added in Blackbaud CRM. When a constituent's consent is received, preference information and related details for the consent solicit codes are included on the constituent's record on the Communication > Preferences tab. In Blackbaud Internet Solutions, several changes were made to the Communication Preferences form to support the new consent solicit codes.
In this release, we've renamed the previous the Global opt-out option to Email opt-out to more accurately reflect the functionality and meet global email opt-out regulations for those customers who continue to use solicit codes.
The new Consent solicit codes element lists consent solicit code options, enabling constituents to explicitly opt-in or opt-out of a specific communication channel. You can configure which consent solicit codes to include on the form by using the Element tab in the Properties pane. Select Advanced properties, then specify the consent solicit codes from Blackbaud CRM you want to include on the form, the text to display for each code, and which codes require a consent selection.
On the General correspondence element, the No preference option has been removed. Previously, constituents who did not have a previously set choice in Blackbaud CRM had their email preference options set to No preference by default. Now, if constituents do not specify a preference to opt-in or opt-out, the message "A preference has not been selected" displays on the form. To change the message, modify the text in the No preference text row on the Elements tab.
The new Privacy policy element enables constituents to review your organization's privacy policy from the Communication Preferences form. You can select the privacy policy to include by using the Element tab in the Properties pane. Select Advanced properties, then either select the Blackbaud Internet Solutions web page or enter the URL where the privacy policy is located. On the Elements tab, you can also modify the text in the Header text row to change the header caption, and in the Privacy policy text row to change the link display text.
When constituents submit their consent preferences via the Communication Preferences form, those preferences are written to their Blackbaud CRM constituent record and display on the Communications > Preferences tab under Solicit codes. Consent solicit codes, consent statement, privacy policy, and more consent details are included on the record.
Two new settings — Do not email consent solicit code and Consent solicit code source— were added in Blackbaud CRM under Manage web transactions, Configure integration. You'll need to configure these settings before you can start capturing the consent solicit codes on the Communication Preferences form.
Similar to the Do not email solicit code setting, the new Do not email consent solicit codeconfiguration setting allows you to identify one of your consent solicit codes to use as your global email opt-out value. A global email opt-out value is required by Blackbaud to comply with international email compliance, including CAN-SPAM, CASL, and GDPR.
The Consent solicit code source setting is written to the solicit code record when new values are added from the Blackbaud Internet Solutions Communication Preferences form.