
GDPR Compliant Community Engagement with EngagementHQ

Written by Tess O'Brien
Updated over a week ago

The European Union's General Data Protection Regulation (GDPR) protects the fundamental right to privacy and the protection of personal data. The GDPR came into effect on May 25, 2018, and introduced robust requirements that have raised standards for data protection and security. It applies to organizations worldwide that process the personal data of persons in the EU. Non-compliance can result in massive fines.

Granicus and EngagementHQ comply with the GDPR and allow you to ensure you comply as well.

To understand your responsibilities, you must understand your role in GDPR compliance.

You are the Data Controller

If you use EngagementHQ or any other online engagement platform, you are the Data Controller. As the Data Controller, you are responsible for the protection of your community’s personal data. You must ensure that you have confidence in how your organization and the tools and platforms you use process and protect personal data.

Granicus is the Data Processor

As EngagementHQ is a Granicus product, we are the Data Processor. We are responsible for ensuring that you and your community have the tools necessary to shape their data processing as they see fit and ensure the security of processed data.

Your Community Members are the Data Subjects

The individuals whose personal data is collected are the Data Subjects. The GDPR focuses on ensuring that the rights of data subjects are protected through adequate data consent and access rights.

EngagementHQ and GDPR Compliance

  • Explicit consent is built into EngagementHQ, allowing the collection of personal details.

  • We are equipped to handle your data subjects' requests for access, correction, porting, restriction, or deletion as per your policies.

  • We only store anonymized data for benchmarking, so we do not have to store your community’s data beyond the duration of our agreement with you.

  • Participants can access and edit their profile with a link.

  • Our Information Security Management System is certified to ISO 27001, guaranteeing that appropriate technical and organizational measures are in place for the protection of your data.

  • Granicus is equipped to support Data Processing Agreements (DPAs) that meet GDPR Requirements (for EU clients).

  • You are able to update the Privacy Policy on your EngagementHQ website to match your organizational policies.

  • We are ready to handle any data subject requests authorised by you via our helpdesk, support@engagementhq.com.

  • You can contact us with any further questions about the EU GDPR by emailing support@engagementhq.com.

FAQs

Does Brexit mean that GDPR will not apply in the UK?

Following the withdrawal of the UK from the European Union, the UK-GDPR came into effect to protect the privacy and personal data of UK citizens and residents.

Does GDPR only apply to organizations within the European Union?

No, organizations without a presence in the EU are still subject to the GDPR if they process data connected to individuals living in the EU.

What is a Data Processing Agreement, and do we need one?

Under the GDPR, Data Controllers may only work with Data Processors that provide "sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the Data Subjects."

Data Controllers are obliged to enter a written contract, the Data Processing Agreement, with each Data Processor they work with.

Broadly, the content of the Data Processing Agreement must set out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data to be processed, the categories of data subjects, and the obligations and rights of the controller.

How can we remove a participant’s data?

You can do so by emailing our helpdesk at support@engagementhq.com.

We will only remove a participant’s data when authorized by you to ensure that this meets your organizational policies. We will never act without your explicit permission.

Please be aware that once removed, these participants will not show up on the Participants page and their contributions will be completely erased within the system with no possibility of reversal.

Is there any way to delete a participant’s responses?

Yes, we can delete a participant’s responses. Please request this by contacting our support team.

Please note that we will only do so when authorized by you to ensure that this meets your organizational policies. We will never act without your explicit permission.

Does Granicus use sub-processors? Which ones?

To make EngagementHQ work most effectively for our clients, we utilize a range of third-party services (also known as sub-processors) for diagnostics, performance management, hosting, support, and other specialist functionality.

We have ensured that all the sub-processors we work with have robust security measures, supported by one or more internationally respected data security standards such as ISO 27001/17/18, SOC 1/2/3, Cyber Essentials Plus, CSA, etc. We have also put data processing agreements (DPAs) in place with each of them.

The list of all third-party service providers used to support EngagementHQ is available on this help center. Each service provider is listed with a brief description of what the service does. If you would like access to more detail including data shared and compliance details of each of the services listed, please do not hesitate to email us.

Contact our support team via chat or email support@engagementhq.com if you need any further assistance.
