Important: This article is not legal advice, nor an exhaustive guide to GDPR compliance. If data protection regulations are applicable to your program you should familiarise yourself with the regulations and seek legal advice where necessary, particularly if your program is collecting personal data.
The EU’s General Data Protection Regulation (GDPR) has taken effect and Award Force is fully behind the spirit of these regulations for a safe and secure internet.
We embrace privacy by design and this is why we packed Award Force full of features to help you ensure your program participant data is not only safe and secure but stored and processed in accordance with the General Data Protection Regulation.
A quick refresher on terms:
Dave is an entrant in your program and is located in Europe.
In terms of GDPR, he’s called the “data subject,” and your organisation is called the “controller” of that data.
If you are an Award Force customer, then Award Force acts as the “processor” of Dave’s data on behalf of your organisation.
With the introduction of the GDPR, data subjects like Dave are given an enhanced set of rights, and controllers and processors like your organisation and Award Force, an enhanced set of regulations.
Complying with GDPR may not be relevant for you— in any case, we still encourage best-practice protection of personal data wherever you are. There are likely to be other data protection laws that do apply to your organisation.
How exactly does Award Force protect you and your participant data?
- New users will be required to tick a box when registering, that they agree to the terms.
- Existing users, when they next log in, will be asked to agree to the terms.
Consent to receive notifications and broadcasts
Image: An example of what consent looks like on the registration form
Again here, program managers can obtain explicit consent from users to receive automatic / bulk communications.
- New users can optionally tick a box when registering, that they consent to receive notifications and broadcasts
- When existing users next log in, they will be asked to consent.
All broadcasts and notifications sent from Award Force include a link in the email footer to “Unsubscribe from our emails”. This link takes the recipient to a preference centre on their account.
There is also an article in the preference center, that explains to users the importance of your broadcasts and notifications which will help them to understand exactly what they are and are not opting into.
Cookie notice and consent
Image: The Award Force cookie bar
With this feature activated, users that have not made a cookie consent selection will be shown a “Cookies in use” message at the top of the page, with an option to “Allow cookies”. Users can change the cookie consent option at any time by going to the Preferences tab on their Profile.
You may also choose to modify the default consent text by going to Content > Content blocks and clicking on Cookie notice to edit.
Image: A user record with their consent records
Fields containing personal data
Image: Settings that can be applied to any field in Award Force
Program managers can now add additional data protection to any field within Award Force. There are 3 levels of protection that can be assigned:
The European Union General Data Protection Regulation (GDPR) requires that data controllers (that’s you) and data processors (that’s Award Force) implement state-of-the-art measures for the protection of the personal data of all natural persons located in Europe. The data protection option on fields is one measure to help with compliance and serves two purposes:
- The data protection setting on fields provides you a clear record of personal data that you are collecting (in the fields list view, you can filter by data protection level or add a column for this visibility).
- Setting Elevated or Maximum security provides additional layers of (state-of-the-art) technical protection on those fields, explained further below.
The right to be forgotten
Image: User deletion from the user record
Under GDPR and other data protection laws, data subjects (your users, like “Dave”) have the right to erasure, also known as the ‘right to be forgotten’. A user has the legal right to ask you for their personal data to be permanently deleted from your records, which you must action. Users are not able to action this permanent deletion themselves, but you can permanently delete a user from Award Force on their behalf, and even download a nice “Certificate of deletion” to provide as formal proof of the erasure.
Data Protection Addendum
If you’d like to be an Award Force client (smart call) and you control data of subjects located in the EU, you’ll need to have a Data Protection Addendum in place with us. With respect to the handling of personal data in your account— under GDPR, your organisation is the data controller and Award Force is the data processor. Article 28 requires a contract that binds the processor (that’s Award Force) to apply appropriate data protection measures when processing data on behalf of the controller (that’s you).
For your convenience we have a Data Protection Addendum prepared. Email us at any time and we will send you one.
These new features represent a lot of hard work and dedication to ensuring our mutual compliance with the GDPR, however, they also represent an exceptionally positive philosophy, which is to provide a better, safer and more transparent experience for our users and clients.
As always, if you have any questions about the implementation of these settings, you can find more information in our support center or by getting in touch with one of our client success team on firstname.lastname@example.org