GDPR compliance with Hearken

What you need to know about GDPR and how your organization can configure its EMS to be compliant.

Written by Support
Updated over a week ago

Topics covered

  • GDPR overview

  • Configuring the form embed

  • Configuring the poll embed

  • Data requests and deletion

What is GDPR?

It’s a new EU Regulation to significantly enhance the protection of the personal data of EU citizens and increase the obligations on organizations who collect or process personal data.

Our role: Hearken is a Data Processor

GDPR is designed to protect EU citizens and their data, and there are two main parties who handle data that must comply in a variety of ways: the Data Controller and the Data Processor.

For the purposes of GDPR, Hearken is a Data Processor. We use some sub-processors that handle data, too (Heroku Services and Amazon Web Services store and process data). All data is securely stored encrypted at rest in compliance with our data retention policy. Hearken provides mechanisms for customers to integrate with third party services (E.g., MailChimp, Slack), as well as export data via CSV.

Your role: Does my organization need to do anything to be GDPR compliant?

If your newsroom serves EU citizens, yes! We recommend you reach out to your manager or your organization’s lawyer to learn how GDPR applies to your organization. In the context of GDPR, your organization is the Data Controller.  

What changes has Hearken made to allow my organization to be GDPR compliant in our use of Hearken?

  • We’ve updated our Privacy Policy and Terms of Service

  • We have put security measures and protocols in place for the event of a data breach

  • We’ve added another layer of encryption to the data that the participating public gives your organization

  • At your request, we will delete the data the public has provided to your organization (details below)

  • The Hearken Engagement Management System (EMS) will have some cool new features, including the ability to request consent from the participating public (see below)

Configuring your Hearken EMS to be GDPR compliant

The only tools in Hearken that require updating to be GDPR compliant are the Form Embed and the Poll Embed. Those are the two points at which you collect data from the public.

Configuring the Form Embed

If this is your first time creating a Form Embed, please see the article Create and Edit a Form Embed for more information. The following covers only the fields that relate to GDPR compliance.

GDPR requires that data subjects (aka the participating public) give what’s called “affirmative consent” when they are submitting information (such as a question, email address, postal code, etc).

To make your embeds compliant with GDPR, you must allow the data subject (audience member) to affirm consent to the way your organization will use their data in the performance of your services. You can allow for affirmative consent on an embed-by-embed basis. (If you’ve set up an embed to be GDPR compliant and would like to create a new one with the same settings, simply copy that embed and adjust any other fields for the new use.)

Embed fields

Collect email. Leaving this as a required field is recommended. It's incredibly valuable to be able to follow up with your question-askers, whether it's to get clarity about their question, let them know you've answered it, or even invite them along while you find the answer. However, depending on the data collection laws in your country, or if you are doing an unusual prompt, there is the option to make the email field optional or disappear altogether.

Collect custom field. Use this field to collect one more piece of information from your question-askers. This field is commonly used to collect neighborhoods or postal codes, but you can customize it to collect any kind of information you’d like (e.g., phone number, age, job title, etc.) and this is also the field to use for GDPR compliance.

We’ve enabled this field to either act as a spot for a user to type text into (e.g., postal code), or to act as a checkbox, like in the following case, to agree to the privacy policy of your organization.

For GDPR compliance, configure a custom field as a Checkbox and make it Required.

In the “Name” field, type in your message that you need the user to agree to for your organization to be GDPR compliant. Important: this field can accommodate HTML to create hyperlinks, so you may add in a link to your organization’s privacy policy within the text the user sees.

Example text for Custom Field:

I consent for this organization to use the data I've provided in accordance with their <a href="http://www.yournewsroom.org/privacypolicy" target="_blank">privacy policy.</a>

If you’re unsure about what language to use for your organization, contact your organization’s legal department. As a Data Controller under GDPR, your organization is responsible for notifying the end user of how you will use the data they provide.

Alternatives to hyper-linking to a privacy policy

You may also create multiple Custom Fields and make them required checkboxes so the user affirms consent to each of the ways you intend to use the data they submit. Simply select Add custom field to add more checkboxes.

Example below of two specific, required custom fields.

User Experience: Error message

When these two fields are configured, the user will not be able to submit their information without consenting to the terms you lay out. They will see an error message, and will have to check the box to submit their information.

Opt-in checkbox. This feature lets your audience opt in to further communications from you (e.g. newsletters, subscription information, etc). Enter in the field below ("Opt-in text") what it is that you're inviting your audience to do. You can choose whether or not this checkbox should be checked by default. Since GDPR requires affirmative consent, uncheck the “Opt-in is checked by default” box. This means users must check the box themselves if they’d like to opt in to whatever you’re offering.

Note: Form embeds’ “Name” and “Email” fields are blank by default. But if you have a website where users log in, and they come to a page with your form embed after already having logged in, it would be convenient to have these fields already filled in. Read how to auto-populate the Form Embed's Name and Email fields here.

One other space you can configure and add links to, for explaining how your newsroom will use the data provided, is the footer section. The image below shows the user view of our partner Lancaster Online.

Configuring the Poll Embed

Users do not need to provide information in order to vote on Hearken polls. They do have the option to provide their email address after voting to be alerted if the question is answered.

Select Poll Embeds on the left menu and then select the embed you would like to make GDPR compliant.

Once you’ve selected the embed you’d like to configure, look in the Settings view on the right side of the page and scroll down to After voting view. The following three starred sections are what you’ll need to configure for GDPR compliance.

Collect email. If you’d like to collect emails after a user votes, you must select this checkbox.

Collect email prompt. To be GDPR compliant, you must explain in clear terms what you will do with their email. E.g., “To be alerted if the story you voted for gets reported, enter your email below. We will only use your email for this purpose.”

Show opt-in checkbox. If you’d like to allow people who have voted to opt in to further communication (e.g., a newsletter), select this checkbox.

Opt-in is checked by default. Leave this checkbox unchecked. This means the user must affirm consent in order to opt in.
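The form-embed and poll-embed settings above boil down to a few rules: a required consent checkbox blocks submission until it is checked, an opt-in only counts when the user checks it themselves, and a poll voter who supplies nothing has nothing stored and sees no error. The following JavaScript is an added illustration of those rules, not Hearken's own embed code; the configuration shape (kind, customFields, optIn.checkedByDefault, collectEmailPrompt) and the sample texts are assumptions constructed for this example. auditEmbedConfig flags the settings this article says to change, and validateSubmission applies the same rules to a submission before anything is stored.

```javascript
// Added illustration, not Hearken's code. Config field names are assumptions.

// Constructed sample: a form embed configured as this article recommends.
const formEmbedConfig = {
  kind: "form",
  requireEmail: true,
  customFields: [
    { name: "I consent to this organization using my data per its privacy policy",
      type: "checkbox", required: true },
  ],
  optIn: { enabled: true, text: "Send me the weekly newsletter", checkedByDefault: false },
};

// Constructed sample: a poll embed with the setting this article says to avoid.
const pollEmbedConfig = {
  kind: "poll",
  collectEmail: true,
  collectEmailPrompt: "Enter your email to be alerted if this story is reported. We use it only for that.",
  optIn: { enabled: true, text: "Also send me the newsletter", checkedByDefault: true },
};

// Returns human-readable findings for settings that would undermine affirmative consent.
function auditEmbedConfig(config) {
  const findings = [];
  if (config.optIn && config.optIn.enabled && config.optIn.checkedByDefault) {
    findings.push("Opt-in is checked by default; uncheck it so consent is affirmative.");
  }
  if (config.kind === "form") {
    const hasConsentBox = (config.customFields || [])
      .some((f) => f.type === "checkbox" && f.required);
    if (!hasConsentBox) findings.push("Form embed has no required consent checkbox.");
  }
  if (config.kind === "poll" && config.collectEmail && !config.collectEmailPrompt) {
    findings.push("Poll collects email without a prompt explaining how it will be used.");
  }
  return findings;
}

// Validates one submission against the embed config.
// input: { email?: string, optIn?: boolean, consents?: { [fieldName]: boolean } }
// Returns { ok, errors, record }; record is null when nothing should be stored.
function validateSubmission(config, input) {
  const consents = input.consents || {};
  const errors = [];
  if (config.kind === "form") {
    if (config.requireEmail && !input.email) errors.push("Email is required.");
    for (const f of config.customFields || []) {
      // A required checkbox must be explicitly true; missing or false blocks submission.
      if (f.type === "checkbox" && f.required && consents[f.name] !== true) {
        errors.push(`Please agree to: ${f.name}`);
      }
    }
  }
  if (errors.length > 0) return { ok: false, errors, record: null };

  const record = {
    email: input.email || null,
    // Only an explicit check counts; a pre-checked box would never reach here as "true"
    // unless the user was shown it checked, which the audit above flags.
    optIn: input.optIn === true,
    consents: Object.keys(consents).filter((k) => consents[k] === true),
    consentedAt: new Date().toISOString(),
  };
  // Poll voters who give neither an email nor an opt-in have nothing to store.
  if (config.kind === "poll" && record.email === null && !record.optIn) {
    return { ok: true, errors: [], record: null };
  }
  return { ok: true, errors: [], record };
}

// Stand-alone usage: audit both sample configs and try a submission with no consent.
console.log(auditEmbedConfig(formEmbedConfig));
console.log(auditEmbedConfig(pollEmbedConfig));
console.log(validateSubmission(formEmbedConfig, { email: "reader@example.org", consents: {} }));
```

Running the block prints an empty findings list for the form config, one finding for the poll config (opt-in pre-checked), and a rejected submission with the consent error message, which mirrors the error the embed shows when a required checkbox is left unchecked.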

Footer

As with the form embeds, you can configure the footer section to explain or link to privacy policies or additional information about how their data will be used. Below is an example from Lancaster Online.

User experience

Users are not required to submit their email after voting, nor are they required to opt-into a newsletter or additional information. So if they choose to do neither, no data will be collected and there will not be an error message.


Providing data to the data subjects and deleting their data

GDPR gives data subjects (e.g., the users interacting with your organization via Hearken) the right to request the data that’s been collected from them and to have it deleted. If anyone from the participating public would like to see or delete the data collected via Hearken, simply reach out to us at privacy@wearehearken.com and we’ll work with you to provide them their information or to show that it has been deleted.

If you have any further questions about GDPR, please reach out to us at privacy@wearehearken.com.

Help documentation may be periodically updated as we work to continuously improve user experience.
