
How to Use GDPR Functionality In Nucleus

This article covers functionality in Nucleus that admins can use to keep their organisation GDPR compliant. Use of this functionality is not mandatory, and BAFTA Tech is not responsible for providing GDPR compliance for clients; this is the responsibility of each organisation licensing Nucleus and the data controller. Before setting up any of the functionality described, please discuss it with your data controller and ensure that any usage conforms to the practices your data controller has set out. For more detailed information about GDPR and Nucleus, please review the GDPR guide.

What are the Functions in Nucleus that can help me ensure GDPR compliance?

Registration Screen Checkboxes

Nucleus provides the facility for admins to turn on up to three checkboxes as part of the entrant registration form. The text for these checkboxes is completely customisable by admin users and they can be used to inform entrants of data processing. For more information see section 2 in the GDPR Guide.

To enable the checkboxes please submit a support ticket requesting that the Registration Checkboxes are enabled, including the required instance name.

Once the feature is enabled then the checkboxes are easily managed via the CMS. To turn them on:

  1. Log into the Admin Interface
  2. Go to Actions>Misc
  3. Select CMS under the System Administration heading
  4. In the Label column search for the following values:
    1. registration: dpa1 text
    2. registration: dpa2 text
    3. registration: dpa3 text
  5. Click on edit
  6. A screen with a text editor will appear
  7. Enter the relevant copy
  8. Click Save and Close

Note – Not all of the checkboxes need to be used. If you wish to display fewer checkboxes, ensure the copy for one of the dpa fields is empty. If you wish to use fewer than three checkboxes, it is recommended that the dpa fields with the larger numbers are the ones left empty.

How to Report the Data from the Registration Form Checkboxes

There are three reports that export the data from the checkboxes on the registration form:

  1. Entry Data Download Extended Data – Go to Actions>Misc, click on Entry Data Download and select Extended Data in the Export Mode dropdown
  2. Entry Data Download Finance and Extended Data – Go to Actions>Misc, click on Entry Data Download and select Finance and Extended Data in the Export Mode dropdown
  3. The Download Report on the Users Page – Go to Actions>Users, Filter the table for the required users and click the Download button

The Right to be Forgotten

There is an additional ‘Shred’ option for Users and Entries data. This differs from standard deletion in that it permanently deletes all data associated with the given user or entry from the database, and the data cannot be restored. Please review section 5.5 in the GDPR Guide for more information.

There is a shred option in the actions menu for each entry and user:

  1. Log into the Admin Interface
  2. Go to Actions>Users or Actions>Entries and locate the relevant user or entry
  3. Select Shred from the actions menu
  4. A warning will appear
  5. Read and follow the onscreen instructions to proceed

Note – If a user is shredded this will affect all the entries that they own. It is not possible to recover the data for shredded users or entries.

How to Mark Fields on the Entry Form as Personal Data and the Related Workflows

Nucleus has an option to highlight data entered for a question as Personal Data. Once highlighted there are functions in Nucleus that can be used to manage this dataset outside of the usual data management processes.

It is the responsibility of the admin users to decide what data should be marked as personal data and this should be managed in accordance with your Data Controller. BAFTA Tech is unable to provide consultation about which data is considered personal and should be flagged.

An example of personal data is email addresses that are requested as part of the entry data. If your form requests any email addresses, you can decide to mark them as personal data. To flag fields as personal data:

  1. Log into the Admin Interface
  2. Go to Actions>Question List
  3. Locate the relevant question and click Edit
  4. Scroll to the Options section
  5. Select Yes for Answer includes personal data?
  6. Click Save and Close

How to set a Date to Delete Personal Data

A deletion date can be set on the settings page. On that date, the data for any fields marked as personal data is deleted, leaving the rest of the entry data and the entries in Nucleus. GDPR states that personal data should not be kept longer than required, so this function enables admins to delete personal data as soon as it is no longer required whilst keeping a record of the entries in Nucleus.

To set up this process:

  1. Log into the Admin Interface
  2. Go to Actions>Awards
  3. Click Edit on the award for which you wish to set the Personal Data Deletion date
  4. Click on Delete personal data on and select a date
  5. Click Save and Close

Note – Once you’ve set up a deletion date for Personal Data, you can also trigger emails to warn Admin Users about this process. If you switch them on, three email warning messages will be sent to Admins at different times: 7 days, 24 hours and 1 hour before the deletion process. Please review this guide to see how to manage email templates.

  • entriesdeletewarn7 – will be sent to all admins of the award 7 days before the deletion
  • entriesdeletewarn24 – will be sent to all admins of the award 24 hours before the deletion
  • entriesdeletednotify – will be sent to all admins of the award 1 hour after the deletion

How to Include Personal Data in Reports

There is an additional layer of security for data marked as personal when the entry data downloads are exported. When running an export, admins will see a checkbox, Include personal data in report. The checkbox is empty by default, so questions marked as personal data are excluded from the reports unless it is checked. To include questions marked as personal data, admins can simply check the box. When running the report, a popup will ask admin users to confirm they wish to exclude personal data from the report.

Note – The export of the report will also be logged in the actions menu so there is a record of which admin users exported personal data. This includes the report, award and time the report was run.

The purpose of this functionality is to ensure that admins make a conscious decision to export personal data, instead of this being the default. Once the data is exported, please ensure admins handle it in accordance with what is set by your data controller. BAFTA Tech is unable to provide advice about how to handle the data once exported.

How to Automatically Delete All Data in an Award

In addition to deleting the fields marked as personal data, it is also mandatory in Nucleus to provide a date when the award and all corresponding data will be deleted. For more information, review the Automated Award Deletion guide.

Subject Access Data Request

Under GDPR, any person can request all the personal data that a company stores relating to themselves. Nucleus has a tool that allows admins to enter an email address and export all data stored in the instance for that user as a CSV file. To run this function:

  1. Log into the Admin Interface
  2. Go to Actions>Misc
  3. Select Subject Access Data Helper Tool in the Reports Section
  4. Enter the email of the user in question and click:
    • Preview – loads the data on screen
    • Download – exports a CSV file with the data

Multi-Factor Authentication in Nucleus

Nucleus provides MFA logins for all User Types (Admins, Entrants, Viewers). MFA means that Users need to log in with a password and a secondary form of authentication. Full instructions on how to set up Multi-Factor Authentication can be reviewed here.