The platform, and the products installed on it, provide a range of tools that let users manage their data.
The Right to be Informed
The best way to inform data subjects of their rights is via your privacy notice. This should include your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with.
Before writing your privacy notice you will need to know what personal data you are collecting. You'll also need to have processes in place so that when you launch new services your privacy notice is reviewed and updated.
A privacy notice article can be linked to from your site's header or footer, and you may want to link to it from each form you create that collects personal data.
The Right of Access
Individuals have the right to access their personal data.
Users can access their data via the My Account and User Requests templates. These templates display information about active and historic processes, like cases and bookings started by the user. You can set up User Requests to display data related to any (or all) process in the workflow engine and include additional history records should a form submission not start a workflow process.
Where a user has interacted with your website and submitted data while not logged into their account (or they don't have an account) you will need to implement a mechanism for users to directly request their data.
The Right to Rectification
Inaccurate or incomplete data should be rectified.
Users can update their profile data via the My Account template at any time. Individual products also provide mechanisms to rectify the data they collect, which would also be available via actions in a user's account.
The Right to Erasure
The Data Retention Manager can be integrated with My Account to allow users to delete data saved in the platform. The same tool can be used by your staff members to delete data on behalf of a user and set up retention schedules to automatically remove data.
The Right to Restrict Processing
Processing can be restricted when the data's accuracy is contested, the processing is unlawful, the data subject wants the data kept but the controller doesn't, or pending verification as part of an objection to processing. When processing is restricted, you are permitted to store personal data, but not use it.
Our products should only collect the data needed to provide the service the product delivers, which means the data you have should already be limited and only processed in the delivery of that service.
Where the delivery of a service is complete, historic data in the history service is already stored in a read-only state. Where data is part of an active case, that case could be placed on hold.
The Right to Data Portability
This right allows users to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.
The Data Exporter is a tool platform administrators can use to extract history data in a standard format, including CSV and JSON.
Case Management has its own Export Case functionality which exports all data associated with a case.
The Right to Object
The GDPR gives individuals the right to object to the processing of their personal data in certain circumstances. Individuals have an absolute right to stop their data being used for direct marketing.
Our products aren't designed to send out marketing emails and by design only send out notifications and communications directly related to the service you are providing.
Automated Decision Making and Profiling
Our products do not make automated decisions or perform profiling as defined by the GDPR.