What is it?
GDPR stands for General Data Protection Regulation. This is a new privacy law from the European Union (EU) that goes into effect May 25, 2018. If you're unfamiliar with GDPR, we recommend reading this documentation first: http://www.memberclicks.com/gdpr-mc.
Below is a summary of GDPR requirements that are intended to be informational, not legal advice. We recommend consulting with your organization’s legal advisers on the impact of GDPR to your organization.
How Do I Stay Compliant?
GDPR is about data security and organizational controls. Below you'll find an outline of the requirements and how they can be met within MemberClicks products.
GDPR lists the seven principles that govern data protection:
Personal data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject. For example, it must be clear to any data subject whose data you process how you are going to use their data. This can be accomplished with Privacy Notice on your website.
Personal data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes. When it comes to using someone’s personal data, you must say what you do, and do what you say.
Personal data must be adequate, relevant, and limited to what is necessary to achieve those purposes. This principle means that you may not collect more personal data from a data subject than you need.
Personal data must be accurate and kept up to date. You should provide data subjects with an easy way to keep track of their data and you should take affirmative steps to ensure that their personal data is current and accurate.
Personal data must be stored no longer than necessary to achieve the purposes for which it was collected. This means that as soon as you no longer need the personal data for the original purposes, you must get rid of it.
Personal data must be properly secured against accidental loss, destruction, or damage. GDPR does not specify what steps a company must take to protect and secure data, but this principle makes it clear that companies should take appropriate steps to protect any personal data in their possession or control.
Data controllers are responsible for and must be able to demonstrate compliance with the above stated principles. This is known as the “accountability principle.” GDPR places more emphasis on accountability than the prior “EU Data Directive”
As a corollary to the seven principles discussed above, GDPR lists the following seven data subject rights:
Right of Access. Data subjects have the right to obtain from a data controller a copy of their personal data that is being processed by the data controller as well as a right to know how and why their data is being processed as well as whom it has been shared with.
Right to Rectification. Data subjects have the right to require a data controller to rectify inaccurate or incomplete personal data. Members, registrants and contacts have the right to request the data you store about them, they also have the right to correct any outdated or inaccurate data. The easiest way to meet this requirement is to allow your members, registrants and contacts to update their information, either by updating the profile directly or through an online form.
Right to Be Forgotten. Data subjects have the right to require data controllers to erase all of their personal data. Your members, registrants and contacts have the right to request that they be removed from your systems. To fulfill a “Right to be Forgotten” request, submit a ticket to our Help Team and we will process the deletions on your behalf.
Right to Restriction of Processing. Data subjects can require a data controller to restrict processing of their personal data.
Right to Access and Data Portability. This right requires data controllers to make it easy for data subjects to take their personal data with them to another organization. Your members, registrants and contacts have the right to request access to the data you store about them. MemberClicks products allow you to export records in CSV formats, which meet the requirement.
Right to Object. Data controllers whose lawful grounds for processing personal data are legitimate business purposes must allow data subjects the right to object to the processing of their personal data. The data subject’s request must be respected unless the data controller has a more compelling interest in processing the personal data.
Right to Object to Automated Decision-making. The GDPR provides that data subjects have the right not to be subject to a decision based solely on an automated process, including profiling.
There are several aspects of consent that you need to be considering for your members, registrants and contacts.
Consent (with notice)/opt-in: If your team needs to capture consent, fields should be added to your database and forms to capture and store consent. You may need more than one data field because consent must be given for each of the ways you process data. When creating these fields, remember that opt-in consent must be freely given, affirmative, and include a transparent explanation of your purpose for acquiring/using the data.
Notice: The notice must be easily accessible and explicit so consent is informed.
Affirmative opt-in: It must take action to opt-in. For example, an opt-in checkbox cannot be checked by default on your forms or within profiles.
Granular Consent: You need to describe each of the different reasons and methods you process personal information so people have a clear understanding to what they are giving consent (sending event announcements, education opportunities, legislative news, etc.). MemberClicks stores form and profile fields with a date and timestamp automatically when they are submitted.
Withdrawal of Consent/Opt-out: Just like how it needs to be clear and easy to give consent, there needs to be a comparable way to view current preferences and to withdraw consent.