The Jadu Blog

The Jadu Digital Platform and the GDPR

Written by Andy Perkins | December 1, 2017 9:30:00 AM Z

The General Data Protection Regulation (GDPR) will apply in the UK from 25th May 2018, and the government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.

In preparation for meeting the requirements of the GDPR, Jadu are undertaking work across all of our products. We are working in partnership with a number of our existing customers to define the related features or enhancements required to provide GDPR compliance.

The GDPR creates some new rights for individuals and strengthens some of the rights that currently exist under the Data Protection Act (DPA):

  • The right to be informed
  • The right of access
  • The right of rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights related to automated decision making and profiling

 

The right to be informed

In order to meet the “right to be informed” requirement, a privacy note should be provided to individuals detailing how their data is to be used. A privacy note can be easily created and maintained using the tools provided by Jadu Central, or embedded directly within form content as necessary. Improvements are also planned to allow the customer to see how the data that they provide on account registration will be used.

 

The right of access

To meet this requirement individuals should be able to access their personal data, see a privacy notice and receive confirmation that their data is being processed. The account functionality within Jadu Central and Connect provides individuals with the personal data stored by the system that relates to them. This includes details of forms they have submitted and cases they have opened, along with personal details such as the address associated with that account. This is a secure self-service system which provides individuals with direct access to their information once logged in.

Where Central forms have been set up to allow anonymous submission, individuals do not need to be signed in, and form submissions are not associated with a user account. As the submission is not associated with an account, it cannot be re-accessed by the individual via a self-service / MyAccount homepage. Under these circumstances, details of form submissions would instead need to be retrieved by a customer services operative using the form submission reference that is provided to end users (usually provided on the form’s ‘Thank you’ page or emailed receipt - both of which can be content managed). Whilst the data would need to be manually collated under these circumstances, this would allow you to meet the right of access provision.

Where an individual has an online account they can access their cases and associated data through their MyAccount page via the My Cases widget or through links to their case in email notifications received. All data fields that the customer may wish to see must be given visibility for the ‘citizen’ user role.

Where the individual does not have an online account, staff will be required to search for the relevant cases to which the individual is requesting access. Once the individual’s case(s) have been identified they can be invited to sign up for an online account which will give them access to their case data.

 

The right of rectification

Individuals are entitled to have personal data rectified where it is inaccurate or incomplete. The account functionality within all Jadu products provides individuals with a secure self-service system to update their stored personal details. A workflow for updating title, date of birth, phone number and address can be created within Connect, with further development planned in this area.

Corrections to past form submissions would need to be provided as a new / follow-up form submission to meet the right of rectification, as the user has no self-service facility to recover ‘their’ form submissions. This process may need to be explained to the end user within form instruction text as necessary, as well as being reviewed with regard to your internal business processes so that customer services are aware of what needs to happen with newly received data. This could include the addition of routing-logic-based questions within the Central forms structure, such as “Are you submitting a new XYZ or updating us with new details?”.

 

The right to erasure

This is also known as “the right to be forgotten” and is essentially the right of an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.

Jadu Central provides a delete account feature within the Control Center (for use by staff such as Customer Services). Further development will be undertaken to provide this feature to users directly on their account page. Data retention policies are already in place to remove data on login frequency.

Jadu Central provides data retention policy functionality that can be targeted at registered users only, unregistered users only, etc., to allow these to be managed independently. Improvements to allow a specific user's form submissions to be removed are planned and will be available in advance of the regulation changes.

Jadu Connect customers are already provided with tools for compliance. Rules can be used to remove data from case fields, online user accounts can be deactivated, etc. Further improvements are planned for the process by which a customer’s data can be removed upon request, as well as the ability to set data retention policies for data that no longer needs to be held (rather than this being rule-controlled, as described above, as it is currently), whilst retaining non-personally identifiable data for MI & reporting purposes.

 

The right to restrict processing

Under the GDPR, when processing has been restricted, you have the right to store the personal data, but not process it further. You can retain just enough information about the individual to ensure that the restriction is respected in future.

We are working to establish what impact this requirement might have across our products.

 

The right to data portability

In brief, the right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.

Development is being scoped to allow users to extract case data related to an individual as a CSV file, as well as allowing a report of forms submitted by an individual to be run and made available as a CSV file.

We are working to establish whether further data should be provided in a portable format from across our products.

 

The right to object

Individuals have the right to object to direct marketing and processing for the purposes of scientific/historical research and statistics.

Jadu Central allows individuals to indicate that they do not want to receive marketing emails from the organisation while registering, and this can be updated at any point via the secure self-service area. Marketing emails sent by Jadu Central include an unsubscribe link that also updates their account preferences accordingly.

Further improvements are planned in Connect to make it easier for customers to unsubscribe from email notifications and for customers using Connect to fulfil requests and tasks that relate to customer data.

 

Rights related to automated decision making and profiling

The GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without any human intervention. At present, Jadu Connect and Jadu Central do not contain automated decision making, only data-based rules and routing within Connect for potential routing of submitted data. We will, however, keep this user right in mind as part of future work we are undertaking in the areas of Machine Learning & Artificial Intelligence that we have showcased at recent Jadu Academy user groups.