You may have heard of something called the GDPR, which comes into force May, 2018, and might be wondering what it stands for, and what it means. While my personal favorite for the acronym is Grateful Dead Public Radio, an Internet station located in Baltimore, Maryland, in this context, GDPR actually stands for General Data Protection Regulation.
What is the GDPR? A regulation which will be enforced in the European Union (EU) starting on May 25, 2018. It will broaden the definition of personally identifiable data and will strengthen enforcement for its handling. It also gives individuals (called “clients” in this blog, in GDPR documentation referred to as “data subjects”) the power to request copies of any personally identifiable data you track about them, and the power to ask that it be removed from your system.
Before I move to specific details about the GDPR, let me cite a best practice, true for any country on the planet. If your organization doesn’t need your clients’ personally identifiable data for your business processes, don’t ask for it, and don’t log it even if it is offered. Use shredding (described later in the blog) to remove personally identifiable data after a set period if this practice aligns with your business process. (See the Data Minimisation section below.)
iCarol customers own their data 100%. We, at iCarol feel very strongly that any organization should have the right to access their own data. We, as your data stewards, bear some responsibility in ensuring we process only the data to which your clients give permission, and that we both need to put processes in place to keep it secure. At all times, you have the ability to export your data and can delete or modify the personally identifiable data about your clients.
Locations affected: Some have asked us if they are affected by the GDPR even if they are not in the EU. If you work with clients in the EU, then yes, you must adhere, even if your organization is located in North America, or any other location outside the EU.
Location for data storage: Does the GDPR require personal data from clients in the EU to stay in the EU? No it does not. There are no new restrictions on the transfer of personal data outside of the EU. However, there should be more central coordination in place to oversee data activities, and there are rules regarding the following areas:
Consent: You must explicitly, in a very clear manner, ask for consent to track any data about the client. You’ll need to explain what you’d use the data for. We strongly recommend you add a question to your contact forms, also referred to as call report forms, if you don’t today indicating the client has given consent. Since you can add guiding language to a contact form, you might consider wording the question as your legal team specifically suggests, and make sure your volunteers and staff ask it exactly as worded. If you use chat or text, use the pre-chat or pre-text survey to explicitly ask the question.
Data Minimisation: Organizations can collect only the personal data that is adequate and relevant to the intended purpose. As we stressed above, if you do not need personally identifiable data from your client for your process, do not ask for it or log it. For instance, if you do not need a social number or other uniquely identifying data, don’t ask for it and log it on the chance you might need it later.
Accuracy: The data about a client must be accurate, which means it must be kept up to date if it is retained. Your client has the right to ask for changes if they feel data is inaccurate. Rights to edit submitted contact forms, also known as contact records, can be granted to iCarol volunteers and staff, or your iCarol Administrator(s) can edit the record. Administrators also have the right to edit client profiles, as can volunteers and staff if you grant them the rights.
Retention of data: Personal data must be kept only for as long as it is needed to fulfill the original purpose of its collection. Since iCarol provides a “shredding” feature to remove personally identifiable data within your logged records, we strongly suggest considering deploying that feature. If you’re unfamiliar with the feature, please see the section below on it.
Security of the data: There are a variety of ways to secure the data. iCarol takes the security of your clients’ data very seriously. While the GDPR does not require encryption, personally identifiable data is encrypted within iCarol “in transit” (when it is traveling from a volunteer or staff member’s device to our servers in the data centre), and “at rest”, when it is saved in the database. A number of other security provisions are also in place to protect the data. Should you need more information on this area, please contact me at to schedule a conference call.
Data Access: As noted above, your clients have the right to ask for transcripts of any of their personally identifiable data which is logged in iCarol. You may print out logged records or print them to PDF. We strongly suggest sending them in an encrypted email, or storing them on a secure FTP site for your client to log into to retrieve them. Later this year, iCarol will release the ability to password protect the PDF. You’ll also want to share with them any profile data you may have stored about them, which is accessible by exporting client profiles, an export available to any Administrator of your iCarol system.
Right to Erasure: Your client has the power to request erasure of their data in your system. It’s important for you to devise a business process on how to handle an erasure request from a client. Using iCarol’s shredding feature can assist in ensuring that very little personally identifiable data exists in your system, and using the search feature for contact forms and profiles can enable you to find it very quickly. iCarol Administrators have the right to delete submitted forms and client profiles.
What is Shredding? Shredding is a feature within iCarol which removes personally identifiable data within contact records. Phone numbers, addresses, names, and any data in a text field is removed from the database when it is shredded. An example of what appears in place of the data is shown below:
iCarol Administrators can turn the feature on in the Admin Tools/Calls tab of iCarol, which schedules the automatic shredding. We already have a range of timeframes you can select in order to shred the data, based upon the age of the contact record. Shredding allows you to maintain the data in dropdown and checkbox questions in your submitted contact forms for reporting purposes, while protecting data privacy for your clients.
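To make the retention rule concrete, here is an added example (not iCarol’s own code, and not a description of how its shredding is implemented) of a scheduled shredding job over constructed sample contact records: free-text, name, phone and address fields older than a chosen age are replaced with a placeholder, while dropdown and checkbox answers are kept for reporting, and the job returns a small audit of what it wiped.

```python
from datetime import datetime, timedelta, timezone

# Field kinds that hold free-form personally identifiable data and are wiped
# by shredding; dropdown/checkbox answers are kept for reporting.
SHREDDED_KINDS = {"text", "name", "phone", "address"}
PLACEHOLDER = "[shredded]"

# Fixed "now" so the example is reproducible (hypothetical date).
NOW = datetime(2018, 5, 25, tzinfo=timezone.utc)


def make_sample_records():
    """Constructed sample contact records, not real iCarol data.
    Each field is (kind, value); "submitted" is the submission time in UTC."""
    return [
        {"id": 1, "submitted": NOW - timedelta(days=400),
         "fields": {"caller_name": ("name", "A. Example"),
                    "phone": ("phone", "555-0100"),
                    "notes": ("text", "Called about housing"),
                    "issue": ("dropdown", "Housing"),
                    "referred": ("checkbox", True)}},
        {"id": 2, "submitted": NOW - timedelta(days=10),
         "fields": {"caller_name": ("name", "B. Example"),
                    "notes": ("text", "Follow-up call"),
                    "issue": ("dropdown", "Health")}},
    ]


def shred_record(record):
    """Replace every PII-bearing field value with PLACEHOLDER in place.
    Returns the list of field names that were wiped (empty if already shredded)."""
    wiped = []
    for name, (kind, value) in record["fields"].items():
        if kind in SHREDDED_KINDS and value != PLACEHOLDER:
            record["fields"][name] = (kind, PLACEHOLDER)
            wiped.append(name)
    return wiped


def shred_older_than(records, max_age_days, now=NOW):
    """Shred every record submitted more than max_age_days before `now`.
    Returns {record_id: [wiped field names]} for the records touched, which
    doubles as a minimal audit trail of what the retention job did."""
    cutoff = now - timedelta(days=max_age_days)
    audit = {}
    for record in records:
        if record["submitted"] < cutoff:
            wiped = shred_record(record)
            if wiped:
                audit[record["id"]] = wiped
    return audit
```

Running the job a second time over the same records returns an empty audit, so it is safe to schedule repeatedly.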
As mentioned above, we at iCarol take the security of your data very seriously, as we know many of you work with subject matter that is highly sensitive and which must remain private. We provide the tools you’ll need to protect that data for your clients, to give both you and them peace of mind.
On Friday May 12, 2017 we were notified by Infrastructure Engineers that a massive global attack was underway which had already infected hundreds of thousands of computers and servers worldwide. This attack was known as the WannaCry virus and it targeted a vulnerability in Windows-based operating systems, encrypting the contents of a hard drive and any shared drive that computer had been given access to. To decrypt the contents and return the hard drive to a normal state, users were presented with a message demanding a ransom payment in Bitcoin, a virtual online currency that is difficult to trace.
Microsoft had recently released a patch to fix this vulnerability, which we had scheduled to deploy with our next patching cycle on June 11, 2017 after validation in our labs. However, with news of this attack and following the recommendation from Microsoft Support and our Infrastructure Engineers, we acted swiftly and began the patching process with our external perimeter servers, considered to be at the highest risk of being targeted. By the end of the day Saturday May 13th, our exterior perimeter was secured in our production environments. We continued the process Sunday May 14th to secure our Disaster Recovery sites, and by the end of the day Monday May 15th we completed the securing of our desktops, internal application and database servers. Following these actions, we can confidently say that all servers in the iCarol infrastructure have now been secured against the WannaCry virus.
Guidance for our users
We advise all of our users to be sure you stay up-to-date on browser and operating system updates on your machines. If you are running a Windows-based operating system please be sure to run the latest updates (Control Panel > Windows Update > Check for Updates) to make sure you pick up the latest patches and protect yourself from WannaCry and other viruses.
We take our role as stewards of your data, including sensitive information about the people you serve and the important work you do, very seriously. Should you have any questions about system security in the wake of the WannaCry Ransomware attack, please do not hesitate to reach out to our Support Team.
Apple’s QuickTime program enjoyed a long run as one of the most popular plugins used for audio playback. It was recently announced, and confirmed by Apple, that they will no longer support the program for Windows users, due to security vulnerabilities.
Our Messaging users may recognize QuickTime as it relates to the sound effects associated with new incoming chats and arriving messages. Earlier this month, iCarol replaced audio playback with HTML5 Audio Elements. Now, no plugin, including QuickTime, is required to hear the sounds associated with iCarol Messaging *, making our Messaging services even easier to use and implement.
We understand that many reputable sources are strongly urging consumers to uninstall QuickTime due to the security vulnerabilities. We suggest consulting with your IT professionals at your center for guidance and assistance with that process should you choose to take action. We’re committed to providing the safest, most secure systems for our users, so you can rest assured that when you uninstall QuickTime you’ll experience no loss of usability or other negative impact to your iCarol Messaging program.
If you have any questions about this, please don’t hesitate to contact our support team.
Speaking of sounds, we are also considering updating the sounds that iCarol plays when new conversations and messages are received. We would love your feedback and ideas so watch our blog for that discussion coming soon!
* Internet Explorer 9 and above requires a Windows Media Pack to play the files we are using for chimes as native HTML5 Audio.
A user’s security level controls what they can see and do while signed in to iCarol. There are five basic security settings you can assign to any user; ranked from fewest capabilities to most, they are: Trainee, Standard, Enhanced, Supervisor, and Admin. In addition to this overall security setting, there are many different Advanced Security Settings that you can enable for an individual user, allowing further customization of that particular user’s capabilities.
When Admin users first sign in to iCarol, they see a unique dashboard. This dashboard shows information that is mainly useful just to those who have this highest security permission, such as access to the iCarol User Community for networking and communication with other Admins worldwide, and invoicing and subscription information, for example.
One feature of that unique dashboard is the ability to see details on the current version of iCarol being used, and information about past and future releases and what functions those releases include. This is information that is helpful to all users, both non-Admin and Admin alike, so starting with our next release, tentatively scheduled to occur on April 4th, non-Admin users will see information about release history and future release plans on their own dashboard when they sign in.
This will help educate and inform users about the release process and will prepare users for visible changes they may notice in their systems. By providing this information directly we hope it will reduce the number of inquiries Admin users will receive from their staff and volunteers who are assigned lower security levels. In fact, in many centers there are very few people with an Admin setting, and in some instances of large networks, there may be no Admin users on site at a particular organization location.
We hope that by having access to this information, all of your users will be better informed about the iCarol system they are using and what changes they might expect to see, simultaneously reducing the need for Admin users to field questions about these changes. If you have any questions about this change, please contact our Support Team by opening a case.
Digital security is an important component not just for your office but for your home network as well. In the past few months there have been some staggering revelations of security breaches and vulnerabilities, probably greater in magnitude than all of computing history combined before it: Heartbleed, the Target credit card breach, the NSA, just to name a few biggies. It’s getting more dangerous out there… Here are some tips I would suggest you follow on an ongoing basis to protect your digital security at home.
- Only use WPA2 encryption on your home wifi network. It may also be labelled WPA2-Personal or WPA2-PSK. For more information you can check out this website
- If your access point supports an unencrypted “guest” network in front of the DMZ, that is fine too. The DMZ keeps unauthorized guest traffic away from your internal, encrypted network.
- Keep your router’s firmware up to date. Annually is probably sufficient. This ensures that patches for newly found vulnerabilities, whether exposed through your internet connection or over your wifi, are in place to protect you.
- Always keep the operating system on your computer, tablet and mobile phone up to date. You may think the updates are just cosmetic changes, but they almost always include important security fixes too.
  - OS X: Updating OS X
  - Android: Update an Android
  - iOS: Update your iPhone, iPad, or iPod touch
- The most secure major web browser to use today is Google Chrome, partly because it is based on an open-source rendering engine, but also because it gets more frequent updates than some of its competitors.
- Of course, always run antivirus software. My favorite for years has been the free version of Avast. They will try gently but repeatedly to get you to buy the paid version, but the free version is sufficient for most home offices.
- Windows Defender protects against spyware/malware (it is integrated into later versions of Windows).
By following these tips you can better ensure that the activity on your home network is safe and secure.