This article discusses the General Data Protection Regulation and options for compliance within Terra Dotta.
Overview
The General Data Protection Regulation (GDPR) was adopted by the European Union (EU) Parliament as a measure to strengthen and protect the personal data of individuals within the EU. This data includes personally identifiable information (PII) that is collected and stored by websites and web service providers.
The GDPR requires that companies receive consent from a user before collecting and storing any PII about that user. The GDPR also grants site users specific rights with regard to how their data is used.
In order to comply with this regulation, Terra Dotta (TD) has included a step in the new user creation process that prompts the user to give consent for TD to collect and store their personal information on the website. The user must take explicit action to authorize this data collection.
Administrators can enable or disable this setting and edit the consent message displayed to users.
Settings
The "GDPR Consent" setting can be found by navigating to Settings > System Features > Administrative and scrolling down to the "Consent" section.
This setting is enabled by default for sites created after May 2018.
Enabling this setting will activate the step in the new user creation process that displays a consent screen before PII is collected (see below). This setting will also affect existing users by presenting the consent message upon their first successful login after the setting is enabled. Prospects will be presented with a different consent message at the bottom of the prospect inquiry form.
Important Note: Site users belonging to any permission group in Staff > Staff Permissions will not be required to provide consent. This includes administrators, staff members, recommenders, and reviewers.
Configuring Consent Messages
Terra Dotta provides default text for the consent messages displayed to site users and prospects. These messages will appear under Settings > Account Info only if the "GDPR Consent" setting has been enabled on your site.
Clients are encouraged to use the WYSIWYG editor to edit the default text so that these messages best align with their office's needs. Client best practices include supplementing the default text with language developed and/or approved by a university's risk management or legal office.
Note: The "GDPR Consent Form" header that is displayed to users (seen in the image below) can be edited by a user with Maintenance permissions using text interface field #10128.
Site Visitor View
Important Note: For sites with the Applicant Experience Login enabled, the GDPR consent screen will appear from the required information page. See the "Creating a New User Account" section of the Modern Applicant Experience Login Knowledgebase article for more details.
New and Existing Users
The messages configured in the "Applicant Consent" section of Settings > Account Info will be displayed to all new users on the site before they are able to create a profile and to any existing user the first time they log in to the site after the GDPR consent setting is enabled. They will be required to click the checkbox to the left of the text, then click the "Submit" button before they are allowed to proceed further. This also applies to any user for whom an administrator has created a profile on their behalf or when a prospect record is converted to a profile by an administrator.
For a New User:
For an Existing User:
Prospects/Prospect Inquiry Form
The message configured in the "Prospect Consent" section of Settings > Account Info will be displayed to any user who accesses the site's prospect inquiry form. They must click the checkbox next to the message before being permitted to send their prospect request. Consent must be given each time a form is completed. As mentioned above, the user will need to provide consent again (with the applicant consent message displayed) if their prospect record is converted to a profile.
Failure to Consent/Refusing Data Collection
Any new user who does not respond to the consent message will not have data collected about them, and they will not be permitted to proceed further until consent is granted.
Existing users are already logged in and have already provided data when the consent form is presented. They will not be blocked from directly accessing other site pages, but they will have the opportunity to provide consent again any time they attempt to log in to the site in the future.
If an existing user wishes to have their data removed entirely, then your office should submit a Support request. Terra Dotta can assist you with this action.