Working towards GDPR compliance? Here's a tip on how to obtain constituent consent using CiviCRM

The General Data Protection Regulation (GDPR) [1] went into effect on May 25, 2018 in the EU with a global impact: any organization that has a web presence is required to comply with GDPR regulations if it collects personal data or behavioral information from someone physically located in the EU, regardless of whether or not a financial transaction takes place.

There are many checkpoints along the road to GDPR compliance, but first and foremost is to obtain constituent consent to keep the data that you currently have on file. The following method describes how to configure a profile in CiviCRM that will display the contact information on file for a given contact and give them the ability to update the information as desired.

Overall Process

Create & Verify Groups

  1. Create a smart group of individuals with addresses in the EU. This is the group to which you will send the mass email containing the checksum token link to the profile:
    1. Navigate to Search > Advanced Search
      1. In the Basic Criteria section, select "Individual" in the Contact Type filter
      2. Scroll to find and click to expand the Address Fields section
      3. Select "Europe and Central Asia" in the World Region filter
      4. Click the Search button
      5. Select All XXX records (XXX represents the number of records that resulted from the search)
    2. From the Actions drop-down menu, select "Group - create smart group"
      1. Name the group "EU Contacts"
      2. Check the Mailing List check box
      3. Click the Save Smart Group button
  2. Create a regular group to capture those contacts who have updated their profiles:
    1. Navigate to Contacts > New Group
    2. Name the group "GDPR Respondents"
    3. Click the Continue button 
  3. Verify that the visibility of your mailing lists is set to "Expose Publicly" so your constituents will be able to subscribe or unsubscribe from these lists:
    1. Navigate to Contacts > Manage Groups 
    2. If you find a mailing list whose visibility is "User and User Admin Only", click on the Visibility column to activate inline editing
    3. Select "Public Pages", then click on the check mark to save your changes

Create Profile

Detailed documentation on profiles can be found HERE. In the profile settings, indicate that the profile is to be used as a Standalone Form or Directory. Make use of the profile's Advanced Settings to add contacts who submit the form to the "GDPR Respondents" group that you created for this purpose, and you can also opt to be notified every time the form is submitted.

In addition to the basic contact information fields, your profile should also include communication preferences as can be seen in the sample screen shot below:

Note how the mailing list groups are displayed as a list from which multiple options can be selected - this list is generated by adding a field configured as follows to your profile:

Send it Out

Once your profile is fully configured, the easiest (and most noticeable) way to have your constituents review and update their contact information, communication and mailing preferences is by sending out a mass email with a link to the standalone profile using a checksum token (detailed instructions for which can be found HERE). 

Include it in Your Member Portal

If you are using CiviCRM as a member portal, you can also include the standalone profile as a menu item visible only to authenticated users (i.e. users who are logged in). In this way, constituents have the freedom to update their information and mailing preferences as needed.  

GDPR and CiviCRM

An extension has been specifically developed for CiviCRM that provides additional features to facilitate the ongoing GDPR compliance process. If you are a Cividesk client and you would like to learn more about this extension, please contact your account manager.

[1] You may find the Ultimate Beginners Guide to GDPR Compliance in 2019 a valuable resource in your organization's pursuit of compliance.