The text in this article may include ControlShift's interpretation of the GDPR and/or interpretations we've heard from other organizations. This article should not be considered legal advice. Please seek independent legal counsel to ensure your compliance with the new regulations.
Article 17 of the GDPR establishes a "Right to Erasure," which grants the data subject "the right to obtain from the controller the erasure of personal data concerning him or her without undue delay."
Data Deletion in ControlShift
There are a few ways that ControlShift supports a user's right to have their data deleted.
First, for members with full user accounts, we allow the user to delete their data without staff intervention. Users with full accounts can log into the platform, go to My Account, and click the red Transfer organisational role and permanently delete my account button.
If the user has created any petitions or events, these assets will be automatically hidden and reassigned to an admin. Admins will then need to take action if they'd like to make these assets visible again.
Please note: in order for this deletion option to be available to users who have created assets, there must be an admin assigned to take over these assets. Organizations can choose the admin who will be assigned to these orphaned assets by going to the admin homepage > Settings > Options > Membership > Organisation admin to take over petitions if user is deleted or requests deletion. If no admin is selected in this dropdown, users will only be able to delete their accounts if they have not created any petitions or events.
Admins can also delete a user's platform information by going to the admin homepage > search for the relevant email address from the search bar at the top of the page > go to the user's page > Details > Delete Member. If the user has hosted any events or created any petitions, then the admin will need to choose an admin to take over these orphaned assets.
Finally, depending on your organization's technical capacity, you can also use our Authenticated REST API endpoint to delete member information. More information can be found in our developer documents.
While this article explains how to delete a user's information from ControlShift, it's likely that any given user will have also interacted with your organization through another channel. When a user requests the deletion of their information, you'll likely need to delete their information from your organization's other systems, like your CRM. Therefore, your organization may need to consider workflows that will ensure a user's information is deleted promptly and correctly.
As your organization is considering workflows to limit the processing and storage of Personally Identifiable Information, you may wish to also look at our anonymization features.
The GDPR has numerous requirements and hefty fines for non-compliance. The information included here is not legal advice, and we strongly recommend that all organizations using ControlShift seek legal counsel to ensure that they comply with the GDPR and all relevant laws.