Disclaimer: Quorum does not replace any specialised legal advice or designation within your organisation of a "Data Controller" or "Data Protection Officer".
This resource is provided for informational purposes only and cannot replace expert legal advice.
In May 2018, the General Data Protection Regulation came into effect.
This article is here to show you how the GDPR is managed in Quorum and what good practices we recommend you implement within your organisation.
The article particularly addresses the roles of super admin (organisation pack), admin, and staff members within the Quorum platform, because these roles are responsible for managing certain parameters on the platform (contact info, tags or keywords, surveys, status, etc.) and invite members of their teams to Quorum by assigning them a role, which may give more or less (if any) access to personal data (see the different roles in Quorum).
GDPR ON QUORUM
When collecting data ✍️
The data collection must be fair and lawful, carried out for specific purposes (a fundraising campaign, an NGO awareness campaign, a consultation, an electoral campaign, a political movement, etc.), explicit (you must express the context to your interlocutor) and legitimate. Moreover, the data collected must be adequate and not excessive in terms of your purpose, kept in a format that allows the identification of people, and for a period that is necessary for the purposes (subject to legal duration).
Every time you add a person, a survey, we remind your teams to clearly state the context of the collection with this "Pop Up".
We also ask you to confirm the person’s consent by checking a checkbox, which is not pre-selected, for each channel of communication (sms and email). Therefore, it is a consent per channel.
All the information then appears in the Quorum table which allows for each personal data to define and keep the information on: its origin (a file import, a survey, an addition), the time stamp (date and time), the consent, and the identity of the person who collected the consent or imported the data. You can then track the origin and evolution of personal data, their context, and the details of consent.
When sending messages (email) ✉️
Most of you use an external email system either by clicking on "Send Email" on the platform (people database tab); it is then your default email platform that is launched (outside of Quorum), or through one of our APIs (integrations) with Mailchimp, Mailjet, SendingBlue, or Nationbuilder. It is within these external platforms that the GDPR is managed and that there is a possibility of opting-out.
Automatic Quorum emails
You have an unsubscription system at the bottom of each email (opt-out system) that removes the email from the database.
You can also modify the footnotes of the email to supplement with context information.
You automatically have the "Stop SMS" function, which allows you to unsubscribe from the broadcast messages. However, depending on the nature of the message, you can remove this notice.
When importing your files 🗃️
You certify the origin of your files as indicated on this declaration.
The right of people to access, rectify, oppose, and delete files 📁
The person from whom you have collected data about them has a right of access to these data defined as the "right to ask to obtain information on the data held concerning them, as well as the purposes and transfers".
You then have 2 months to reply.
The person can request a rectification on the data or oppose a treatment or a transfer of these data unless the data is considered public or if a treatment meets a legal obligation.
▶️ To consult the data that you have on a person,
go on your contact database, select all of the columns of the export, and export all of the data which you have on the person (this is where you may also find old completed surveys, for example).
You can also contact our support team or our Data Protection Officer (firstname.lastname@example.org) to obtain this export of the table, which is a sort of personal data registry on the person describing the movements and treatments.
In the case where Quorum receives a request for access to personal data, not being the owner of the data, we promptly transfer the request to you.
Should you wish to permanently delete the data concerning a person (at the request of the person or on your own), all you have to do as an admin is to permanently delete the person's card from the contact database.
Look out! Only admins or super admins can do most of these things.
The portability of personal data 🛫
You own the personal data on the Quorum platform. As such, you must be able to export all of the personal data from your space at any time.
You can do this from the "contact database" space, as shown below.
Security & Privacy by Design at Quorum 🔐
Quorum implements a number of processes to ensure the security of personal data such as "containerization", the encryption of personal data or the limited access to sensitive personal data for “ad hoc members”, or also the regular purge of passwords.
Moreover, our interfaces integrate a number of barriers (which can sometimes be a bit annoying for some users, they are here to ensure the respect of the rules or the principles of people’s rights and private life).
For example: a member cannot return to a card or search for a card in the contact database from the mobile if he is a member, personal data can only be accessed in a funnel: each person - if she/he has access to personal data - only has access to it in the context of a precise and adequate use. Then, the application does not allow some parameter filters (such as one’s origin), or the addition of tag from a mobile (see the article) is impossible, etc.
Data processing or transfers 📮
You must also inform people about the treatments or eventual data transfers you may make.
▶️ A FEW TIPS AND BEST PRACTICES 👍
Best Practice # 1: Give your team proportionate access to information
There are different roles in Quorum. Some roles, such as “member”, do not allow access or very partial access (like “field organizer”) to personal data. Find details here.
Give proportionate access to information within your team and remember that a member of your team (even if she/he is a volunteer) is under the responsibility of your organisation. The analogy is the same as an employee with respect to his company.
This is reminded on the web platform during your first connections.
Other good practices: Do not forget to ...
- Change your password regularly
- Remove access to your members who have not been active for some time (you have access to the activity of your members in the "analysis" tab of the web platform) or who seem to you no longer belong on the app.
Best practice #2: As an admin, you get to set keywords or tags, status, questions... be careful to respect the rules!
You are the admins or super admins. With these great powers come great responsibilities. Particularly, you have access to your organisation’s parameters, from where you can define status (there are some by default), contact forms, surveys, or tags for your entire organization)
- Remember that the tags and fields you create must remain adequate and not excessive in terms of purpose.
- Remember to limit unrestrained fields and unrestrained comments for your teams so that there is no clumsy or illegal information in your database
- Think about raising awareness - like during Quorum trainings - about collecting and using data soundly.
Best Practice #3: Empower and make your teams accountable
- Remind your teams of the principles listed at the beginning of this article. They need to explain to the people they meet the context of their approach, why they do it, with which organisation/movement, and their consent.
- Do not force the hand of those who do not wish to enter the process of disclosing their contact information or answering your questions, it is totally useless.
- Mobilizing and engaging citizens has nothing to do with the accumulation of data but more with the relationship of trust that is built with the person.
Best Practice #4: Appoint a DPO (Data Protection Officer) and create a personalised email address made specifically to contact you for requests of personal data information.
- You can appoint a Data Protection Officer (or DPO) within your organization. He is the person in charge of making sure the rules relating to personal data are respected. Third parties can contact him if they have questions about their personal data.
We too, at Quorum, have a DPO: Julien. You can contact him at email@example.com.
- You can also create an email address regarding requests for information on a personal data. It is important to be pro-active in these steps to show your good will regarding the respect of the right of rectification, deletion etc.
In the end, it’s all about progress ✊
In the end, keep in mind that the use of a platform is much more virtuous than the old systems of paper or excel files that just keep piling up!
The software keeps the trace of the origin, the timestamp of the consent, the possibility of permanently deleting a contact (without dragging elsewhere), of centralising the data, thus of being able to fully inform an individual of all the data you have on them! The systems are much more transparent and virtuous than old practices.