Required Data Protection Features

Publications cannot opt out of these features, as they are required for General Data Protection Regulation (GDPR) compliance. Future Editorial Manager enhancements will continue to ensure that publications have the tools necessary to remain in compliance with mandated international standards.

The purpose of the General Data Protection Regulation (GDPR) is to strengthen and unify data protection for individuals within the European Union (EU). It also addresses the export of personal data outside the EU. More information about the regulation is available here.

Ensure that necessary configurations have been made for each of these features:

Enforced mandatory notification of proxy registration

The system does not allow proxy registration without notification. All users proxy registered by an Editor must receive an email notification of the registration.

The GDPR mandates "explicit consent" for the processing of an individual's personal data. Mandatory notification meets this requirement.

TO CONFIGURE:

Publications should ensure that a notification letter is configured for the ActionManager event, Proxy Register New User.

There are also several system processes that register new users automatically (e.g., ingested/transferred submissions, IJRS/portal-linked groups, and Data Import Service (DIS)). Because these do not trigger the Proxy Register New User event, publications should ensure that the associated "Welcome" or "New Assignment/Invitation" letters include notification of registration.

For details on letter configuration, see Create Letters.

Forced privacy policies acknowledgment at login

A forced registration question displays for all new and existing users, requiring users to acknowledge the privacy policies of both Aries and the EM site publisher. Users must check a box next to the statement: "I have read and accept the Publisher’s Data Use Privacy Policy and the Aries Privacy Policy." The statement includes hyperlinks to the policy statements. Users who do not check the box will not be able to complete login.

Publishers can customize the text of the question. Users will be required to respond to the question whenever the text is changed.

New EM users will see the privacy policies message during the registration process. Proxy-registered users will be presented with the question the first time they log in. Existing users are presented with the question the first time they log in after upgrade. Only the actual user can answer the question; editorial staff accessing a user account by proxy cannot answer the question for that user. Once a user has responded to the question and submitted the page, the user cannot change the answer; the question will not be presented again.

Answered questions appear on the user's Update My Information page (and Search People – Update Information page) with the checkbox completed and uneditable. The links to the privacy policies appear as active, allowing the user to review the information at any time.

TO CONFIGURE:

Publishers are required to provide a link to their data use privacy policy. For details, contact your Aries Account Coordinator.

No site configuration is necessary. The required/forced question, whether hard-coded or custom, is not editable by system administrators. The question is not exempt for any roles.

If a publication has other questions presented at registration, the privacy question can be reordered in the list as with any question. For details, see Create Registration Questions (Terms and Conditions, Offers).

Note: For publications in a People Sharing (IJRS) Group, a user's response is not propagated across publication sites. The user must answer the question on each EM site at first login. In the case of Editors with cross-publication access via the "Go-To" drop-down list and automatic login (based on the RoleManager permissions Access "Go To:" Publication List and Allow Automatic Login to this Role), the users do not have to log in when changing sites and therefore are not presented with the question on the other People Sharing Group sites at that time.

Automated personal information removal request

Individuals must be able to request the removal (or anonymization) of their personal data. All emails generated by the EM system include a standard footer with a text link (or URL) recipients can use if they want to unsubscribe/be removed from the publication’s database. When the publication office receives notification, an authorized Editor user performs the anonymization process.

The GDPR ensures the "right to erasure." The removal request feature meets this requirement.

This footer is applied to all EM letters (it does not obscure existing letter text or formatting). This footer text is not editable by system administrators or by users sending system email.

In HTML letters, the footer text reads:

In compliance with data protection regulations, you may request that we remove your personal registration details at any time. (Remove my information/details). Please contact the publication office if you have any questions.

In plain text letters, it reads:

In compliance with data protection regulations, you may request that we remove your personal registration details at any time. (Use the following URL: https://www.editorialmanager.com/{ACRO}/login.asp?a=r).

Please contact the publication office if you have any questions.

Clicking the link directs the user to the login page, where text confirms the user's intention to request data removal. The user must log in to confirm identity. After login, the user must click a button to send the removal request to the publication office. The user may also enter comments to the publication staff. This page includes instructional text for the user. (This text is editable.)

Once a request has been confirmed in the system, the user's Search People – Update Information page includes a date-time stamp of the request (in the left column). This information is visible to all Editors with Search People permission. The ability to perform anonymization requires additional permission.

For steps to perform the process, see Anonymize a User Record.

Publications may opt to retain user names (First, Middle, Last Name fields as well as Secondary Name fields). This is done using the Retain Name setting in the anonymization process. If the setting is not checked, all name fields are anonymized.

Note: Contact your Aries Account Coordinator regarding recommended practices for anonymizing personal metadata.

TO CONFIGURE:

The publication must configure a Request Removal Notification letter and grant permission to an Editor role (or roles) to carry out the anonymization request. Instructions to users requesting anonymization may also be customized.

Go to RoleManager > Editor Role. Grant permissions to the applicable Editor roles:

Important: At least one Editor role must have this permission and at least one Editor must be assigned this Editor role.

To create the letter, go to PolicyManager > Email and Letter Policies > Edit Letters, and click the Add New Letter button. On the Add Letter page, enter the appropriate information:

This letter serves to notify the Editor role recipient that a user has requested personal data anonymization. The letter should include the merge fields:

For details on letter configuration, see Create Letters.

To associate the letter with the recipient role, go to PolicyManager > Additional Data Policies > Privacy Policy Configuration.

  1. In the Select Request Removal Notification Letter section, use the drop-down menu to select the letter configured above.
  2. Use the selectable list to choose Editor role(s) to receive the letter. Only Editor roles with the permission, Anonymize Users, appear in this list.
  3. Optional: In the Edit Request Removal Page Instructions section, use the text boxes to customize the instructions to appear to users requesting anonymization.
  4. When finished, click Submit.

For related information, see:

Prevent Proxy Registration of Anonymized Users

 
