Mautic and GDPR Compliance
Here are some basic guidelines for GDPR compliance in general. This information is not exclusive to Mautic, it applies to any company that wants to be GDPR compliant.
The basic data privacy rights of an EU citizen that we have to respect:
– The company is responsible for any data breach
– We have to obtain explicit consent to store and use data.
– Consent to store and use my personal data within or outside the EU.
– Inform users of where the data is stored
What is private is data for GDPR:
– Basic identity information such as name, email, address and ID numbers
– Web data such as location, IP address, cookie data and RFID tags
– Health and genetic data
– Biometric data
– Racial or ethnic data
– Political opinions
– Sexual orientation
Right to access (view) my data at any time (ALL OF IT)
– Right to access (view) my data at any time (ALL OF IT)
– Right to correct (edit) my data
– Right to be forgotten (delete)
Example Privacy Statement https://www.superoffice.com/company/privacy/
Practical UI implications for any software (including Mautic)
1) Add a GDPR consent (or simply a “privacy consent”) to all subscription forms.
2) Add a link to your privacy statement on every form.
3) Add a GDPR (or just “privacy”) TAB on the user’s profile (in the website)
IMPORTANT: All check-boxes in a form need to be manually checked by the user, no pre-checked fields are allowed.
In the privacy section, users must be able to see, edit and delete their personal information.
Never email people to ask them if they want to receive emails (unless they have already given consent).
Use popups on the website instead. Website contents are allowed as it is the user initiating the “conversation” there is no need for consent.
Database considerations: GDPR not only sets the rules for how to collect consent but also requires companies to keep a record of these consents
– Who consented
– When they consented
– What they were told at the time of consent
– How they consented (e.g., during checkout, via a Facebook form, etc.)
– Whether they have withdrawn consent and when.
We might want a specific GDPR table or GDPR fields where we store the following:
– User ID: We might use our internal user ID or just the email as an ID, however using the email has some consequences.
– GDPR Consent yes/no Consent to use my personal data
– GDPR Date Date the consent was given
– GDPR Contents Contents of the current agreement when consent was given (or a document filename (with versioning or date stamp))
– GDPR Location URL We can store the URL as a valid location
And to wrap it all up I got a question for you…
How do you keep track of people that do NOT want to receive messages from you if they delete all their data?
If you know the answer or have any ideas, please share it on the comments below.
A few interesting links: