When GDPR went into effect on May 25, 2018, it meant a whole new focus on privacy and secure data handling. This article outlines some of the key tools and information you may need if your organization falls within the scope of this or similar regulations. (If you need more info on GDPR, please check out this introductory article.)
Searching for Individuals by Country
If the individual’s address has been explicitly set, you may use individual address country searches to create lists that isolate individuals who are in particular countries (for example, the countries of the EU).
If the individual’s address has NOT been explicitly set, the individual will inherit from their organization. So if the organization’s address is in a particular area (i.e., the EU), then that individual will show as in the EU, even if they are not actually there. This can be a conundrum for trade associations, in particular, as individuals are often left to inherit address info from their company/organization.
In future releases of MatrixMaxx, we are considering a rework of the WWW-side Create Profile function to allow a user to signify their country of residence, which will either then save into an individual-level address or a specific demographic field. (Probably the former, so that it melds better with legacy data.) So even if the association doesn’t want to ask for full address, they can capture the country portion of the address.
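The sketch below is an added example, not MatrixMaxx code. It shows how an exported list can separate individuals whose EU country was explicitly set from those who only appear in the EU because they inherit the organization's address. The record shape, field names and sample data are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# EU member states as ISO 3166-1 alpha-2 codes (27 members; adjust to the
# country list your own policy uses).
EU = frozenset("AT BE BG HR CY CZ DK EE FI FR DE GR HU IE IT LV LT LU MT NL "
               "PL PT RO SK SI ES SE".split())

@dataclass
class Individual:            # hypothetical record shape, not the MatrixMaxx schema
    name: str
    org_id: Optional[str]
    country: Optional[str]   # None means no individual-level address was set

def effective_country(person, org_countries):
    """Return (country, source); source is 'explicit', 'inherited' or 'unknown'."""
    if person.country:
        return person.country.upper(), "explicit"
    inherited = org_countries.get(person.org_id)
    if inherited:
        return inherited.upper(), "inherited"
    return None, "unknown"

def eu_scope_report(people, org_countries):
    """Split people into confirmed EU, EU by inheritance (verify) and unknown."""
    report = {"eu_explicit": [], "eu_inherited": [], "unknown": []}
    for p in people:
        country, source = effective_country(p, org_countries)
        if source == "unknown":
            report["unknown"].append(p.name)
        elif country in EU:
            report["eu_" + source].append(p.name)
    return report

# Constructed sample data
ORGS = {"org-1": "DE", "org-2": "US"}
PEOPLE = [
    Individual("A. Explicit-EU", "org-2", "FR"),
    Individual("B. Inherits-EU", "org-1", None),
    Individual("C. Explicit-US", "org-1", "US"),
    Individual("D. Inherits-US", "org-2", None),
    Individual("E. No-Address", None, None),
]

if __name__ == "__main__":
    for bucket, names in eu_scope_report(PEOPLE, ORGS).items():
        print(bucket, names)
```

The `eu_inherited` bucket is the one to review by hand, since those individuals may not actually be located where their organization is.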
Taking Individuals off WWW-side Rosters and Directories
If individuals contact the association asking to be removed from certain lists or rosters, here are some tools:
- Associations can exclude individuals from the WWW-side member directory. This is a generic individual demographic field in the MatrixMaxx AMS product. (NOTE: during implementation, some clients opted NOT to make this field available on the WWW side, some have custom directories, and some asked us to remove this field altogether. If you are one of these clients and wish to revisit this setup, please contact Matrix for assistance.)
- Associations can already exclude individuals from the WWW-side committee rosters by tagging them as ‘silent’ members of the committee.
- Meetings staff may ‘Exclude from WWW-side Attendee Roster’ at the registration level. This allows staff to respond to individual requests not to be part of the roster.
The Right to be Forgotten
The Anonymizer function is available by request as of the 18.2 release in June 2018.
However, if an individual contacts you and asks to be ‘forgotten’, you shouldn’t just click the proverbial button. This is a chance to open a conversation with this individual, learn more about why they want to be forgotten, warn them of possible negative repercussions, and perhaps help the association improve their future communications.
- The individual should first be offered a copy of their Personal Information (see below). Perhaps all that they really want to know is what you know about them. This would be a combination of the info in the MatrixMaxx AMS as well as any other systems in which you hold data.
- You should review the individual’s profile and warn of potential issues in being ‘forgotten’.
  - For example, their meeting history will be gone … could this be important for their access to presentation slides or CEU history?
  - For example, if they are actively on a committee, this action will effectively remove them from that committee … is this what they really want?
- If the individual still wants to be forgotten, the individual can then be Anonymized in MatrixMaxx AMS first, as it is generally the master database of record.
  - Any staff of the highest ‘siteadmin’ access level will be able to access the ‘Anonymize’ function from the individual record on the staff intranet side of the MatrixMaxx AMS.
  - This function is NOT REVERSIBLE. Be sure that you are doing this to the correct record and that the individual has requested it.
- Then, you should handle deletion/anonymization in any other system (CMS, website, LMS, email system, marketing automation, forums, community, grass roots, advocacy, other 3rd parties, etc.)
Answering Requests for Information
If someone makes a request for access to personal data pursuant to Article 15 of the General Data Protection Regulation, they will first need to provide the documentation necessary to verify their identity. As of 2018, the organization has up to one month to comply with such requests, as required under Article 12.
These are some of the questions that these individuals may ask, along with answers.
1. Please confirm to me whether or not my personal data is being processed. If it is, please provide me with the categories of personal data you have about me in your files and databases.
a. In particular, please tell me what you know about me in your information systems, whether or not contained in databases, and including e-mail, documents on your networks, or voice or other media that you may store.
* MATRIXMAXX RESPONSE: In the MatrixMaxx AMS, the Personal Information Report [Internal Matrix Reference MAXX-3221] provides the basic information for you to provide to this user. It is accessible to association staff from the report section of the individual’s record, on the MatrixMaxx intranet. Note: as the Data Controller, the association itself (you, our client) has responsibility for pulling together all other systems and documents that hold data for this individual.
b. Additionally, please advise me in which countries my personal data is stored, or accessible from. In case you make use of cloud services to store or process my data, please include the countries in which the servers are located where my data are or were (in the past 12 months) stored.
* MATRIXMAXX RESPONSE: All production MatrixMaxx databases are held in the Amazon Web Services (AWS) US East (N. Virginia) Region (us-east-1). The development database is currently housed at Matrix Group HQ in Crystal City, VA, in a limited-access server room.
c. Please provide me with a copy of, or access to, my personal data that you have or are processing.
* MATRIXMAXX RESPONSE: In the MatrixMaxx AMS, the Personal Information Report [Internal Matrix Reference MAXX-3221] provides the basic information for you to provide to this user. It is accessible to association staff from the report section of the individual’s record, on the MatrixMaxx intranet. Note: as the Data Controller, the association itself (our client) has responsibility for pulling together all other systems and documents that hold data for this individual.
2. Please provide me with a detailed accounting of the specific uses that you have made, are making, or will be making of my personal data.
* MATRIXMAXX RESPONSE: This response will need to come from the Data Controller (i.e., our client).
3. Please provide a list of all third parties with whom you have (or may have) shared my personal data.
a. If you cannot identify with certainty the specific third parties to whom you have disclosed my personal data, please provide a list of third parties to whom you may have disclosed my personal data.
* MATRIXMAXX RESPONSE: This response will need to come from the Data Controller (i.e., our client).
b. Please also identify which jurisdictions that you have identified in 1(b) above that these third parties with whom you have or may have shared my personal data, from which these third parties have stored or can access my personal data. Please also provide insight in the legal grounds for transferring my personal data to these jurisdictions. Where you have done so, or are doing so, on the basis of appropriate safeguards, please provide a copy.
* MATRIXMAXX RESPONSE: This response will need to come from the Data Controller (i.e., our client).
c. Additionally, I would like to know what safeguards have been put in place in relation to these third parties that you have identified in relation to the transfer of my personal data.
* MATRIXMAXX RESPONSE: This response will need to begin with the Data Controller (i.e., our client), but may involve MatrixMaxx to confirm specific technology. This technology would have been documented in the original project (e.g., using CAS or OAuth for secure SSO), and the Matrix Help/Support team can provide hourly support to look up and verify this information for our clients, by request.
4. Please advise how long you store my personal data, and if retention is based upon the category of personal data, please identify how long each category is retained.
* MATRIXMAXX RESPONSE: The MatrixMaxx database has no automatic, time-based deletion of data, as many of our association clients have decades of history that is referenced for a variety of membership functions. However, records with no relevant transactions or associations may be deleted by association staff (i.e., our clients’ staff), and the new anonymization function may be used on any individual record in the database, and could thus be used to support any type of retention policy that the individual client association deems appropriate for their mission and industry.
5. If you are additionally collecting personal data about me from any source other than me, please provide me with all information about their source, as referred to in Article 14 of the GDPR.
* MATRIXMAXX RESPONSE: This response will need to come from the Data Controller (i.e., our client).
6. If you are making automated decisions about me, including profiling, whether or not on the basis of Article 22 of the GDPR, please provide me with information concerning the basis for the logic in making such automated decisions, and the significance and consequences of such processing.
* MATRIXMAXX RESPONSE: This response will need to come from the Data Controller (i.e., our client).
7. I would like to know whether or not my personal data has been disclosed inadvertently by your company in the past, or as a result of a security or privacy breach.
* MATRIXMAXX RESPONSE: To our best knowledge, the MatrixMaxx AMS servers have never suffered a security breach.
b. If you are not able to state with any certainty whether such an exposure has taken place, through the use of appropriate technologies, please advise what mitigating steps you have taken, such as
i. Encryption of my personal data;
ii. Data minimization strategies; or,
iii. Anonymization or pseudonymization;
iv. Any other means
* MATRIXMAXX RESPONSE: Currently, the MatrixMaxx databases store all staff/admin passwords as a 1-way hash. In the upcoming year, we will be (a) upgrading to store all passwords, regardless of level, as a 1-way hash for all clients, and (b) assessing an upgrade to full-disk encryption with our move to Ubuntu 18 operating system. Data Minimization Strategies would be determined on the Controller (our clients) side. Pseudonymization is not generally used within the association industry, and we are building an Anonymization function for use by individuals who wish to be forgotten.
8. I would like to know your information policies and standards that you follow in relation to the safeguarding of my personal data, such as whether you adhere to ISO27001 for information security, and more particularly, your practices in relation to the following:
* MATRIXMAXX RESPONSE: Matrix is compliant with the SOC2 security principle.
a. Please inform me whether you have backed up my personal data to tape, disk or other media, and where it is stored and how it is secured, including what steps you have taken to protect my personal data from loss or theft, and whether this includes encryption.
* MATRIXMAXX RESPONSE: All MatrixMaxx implementations serve from virtual Amazon AWS servers which are backed up nightly and retained for approximately 3 weeks.
b. Please also advise whether you have in place any technology which allows you with reasonable certainty to know whether or not my personal data has been disclosed, including but not limited to the following:
i. Intrusion detection systems;
ii. Firewall technologies;
iii. Access and identity management technologies;
iv. Database audit and/or security tools; or,
v. Behavioral analysis tools, log analysis tools, or audit tools;
* MATRIXMAXX RESPONSE: Matrix uses software applications to monitor system health, resource utilization, site down, changes to key files, potential unauthorized system and other potential system threats. Specific members of the IT team are alerted via email or devices.
9. In regards to employees and contractors, please advise as to the following:
a. What technologies or business procedures do you have to ensure that individuals within your organization will be monitored to ensure that they do not deliberately or inadvertently disclose personal data outside your company, through e-mail, web-mail or instant messaging, or otherwise.
* MATRIXMAXX RESPONSE: This response will need to come from the Data Controller (i.e., our client).
b. Have you had any circumstances in which employees or contractors have been dismissed, and/or been charged under criminal laws for accessing my personal data inappropriately, or if you are unable to determine this, of any customers, in the past twelve months?
* MATRIXMAXX RESPONSE: This response will need to come from the Data Controller (i.e., our client).
c. Please advise as to what training and awareness measures you have taken in order to ensure that employees and contractors are accessing and processing my personal data in conformity with the General Data Protection Regulation.
* MATRIXMAXX RESPONSE: We have been proactively advising our clients (the Data Controllers) of our research and progress into the upgrades and tools necessary to support new privacy regulations such as GDPR. In addition to general Matrix information, the MatrixMaxx Help/Support center contains information regarding approaches and responses to GDPR and privacy/data access tools.
The Use of Cookies
The Matrix Group previously published this article, which outlines how MatrixMaxx has documented all Cookies – both essential and non-essential – in use by MatrixMaxx so that this cookie information will be easily accessible to you as the Controller for use in your Privacy and Cookie policies.