GDPR

European Union General Data Protection Regulation (GDPR)


The General Data Protection Regulation (GDPR) is a law intended to strengthen the right to data protection of individuals in the European Union (EU).  The regulation takes effect on May 25, 2018 and applies to all companies and other organizations established anywhere in the world that offer goods and services to people in the EU, or collect and analyze personal data of EU residents. 

The people whose personal data you collect, use, or process in any way are referred to in the GDPR as Data Subjects. This new complex set of rules aims to allow data subjects full control over their personal data by imposing strict obligations to which organizations that process their data will need to comply.

A breach of those obligations may incur a fine of up to 4% of annual global turnover or €20 million (whichever is greater).

In brief, here are some of the main elements to consider for achieving compliance with the GDPR:
  • Personal data must be, among other things: 
    • only processed lawfully, fairly, and transparently for the data subject;
    • only processed for the purposes disclosed in the privacy policy provided to the data subject, or for purposes that are compatible with the stated purposes;
    • limited to what is necessary for the intended purposes of processing;
    • accurate and kept up-to-date;
    • kept for no longer than what is necessary; and
    • only processed in a manner that ensures the security of the personal data (protected from loss, leakage, damage, etc.).
What you need to do:  Analyze the types of personal data that you collect and for what purposes.  Ensure that the data are processed lawfully, fairly, and transparently.  Determine how long you need to keep data and if you really do need all the various data elements.  Verify with your vendors and your internal IT team that the data are securely handled.
  • Consent
    • when the data are to be processed using 'consent' as the lawful basis, controllers will need to ensure that consent obtained from the data subject satisfies a number of specific requirements that are described in the law. Consent must be a freely given, specific, informed, and unambiguous indication of the data subject's wishes.
    • the controller is obliged to track that a data subject has granted consent to use their data, and must be able to demonstrate evidence of this lawfully-acquired consent upon the request of the regulatory authorities;
    • the data subject may withdraw consent later - and the option to do that should be free of charge and easily accessible by a data subject;
    • children under 16 must have a parent provide consent of their behalf.  This might be lowered to 13 in some EU member states;
    • if clear consent has not been obtained in the past, you may need to consider re-acquiring consent. Companies will need to reassess all the consents they have received prior to the GDPR taking effect, to ensure the consents were obtained lawfully (up to the standard of the GDPR) and that this can be demonstrated to regulators. This means that you will need to ensure that both "old" and "new" consent fulfill the GDPR requirements, unless you can rely on a different lawful basis of processing, such as the pursuit of your legitimate interests;
    • refreshing consent: although this is not a clear GDPR requirement, the Article 29 Working Party - an EU body that provides guidance and interpretations with regard to GDPR compliance - recommends, as a best practice, that consent should be refreshed at appropriate intervals. Providing all the information again helps to ensure the data subject remains well informed about how their data is being used and how to exercise their rights. 
What you need to do:  You will want to adjust forms that prospects, members, event attendees, and other people fill out such that the end-user will understand why their data is being collected.  Also, you may want to re-acquire consent from various contacts that you currently have.  Our GDPR features will allow you to do this, for the contacts that you have within your instance of the MemberLeap system. 
  • Processing special categories of personal data:
    • processing these special types of personal data is prohibited unless the data subject gives explicit consent:  relating to race, ethnicity, politics, religion, philosophy, trade union membership, genetic data, biometric data to identify a person, sexual orientation;
    • criminal conviction data cannot be processed, unless explicitly allowed by other applicable laws;
    • if you do process special categories of data, you will need to ensure that the individual has given their consent explicitly. Some of the suggestions on how to obtain an explicit consent are: signed statement of consent, and a recorded oral statement.
What you need to do:  You will want to do an assessment of the personal data that you store in your system, to determine if any of the data falls into these special categories, and to acquire explicit consent as required by the GDPR. 
  • Rights of the Data Subject
    • controllers need to implement mechanisms to ensure that data subjects are clearly informed about the processing of their personal data, using a privacy policy that’s written in plain language, and that’s easy to understand and read. You can’t rely on the MemberLeap privacy policy for this: each controller needs their own privacy policy that discusses the unique types of data being collected, and the purposes for which the data are used;
    • data subjects have a right to know the reasons for collecting and processing their data: controllers need to provide clear information on how and why they collect and process the data, determined by a specific, explicit and legitimate purpose. This obligation requires that a controller should provide a separate opt-in for each purpose, to allow users to give specific consent for specific purposes. Every purpose should fulfill the conditions of consent with regards to clarity, specifics, and other elements of the consent, requiring clear separation of information related to obtaining consent for data processing activities from information about other matters.  
      • members - need contact info to inform member of activities, handle member dues billing;
      • prospects - keep prospective member informed of upcoming events;
      • event registration attendees - contact attendee of changes to event, keep list for check-in, keep list for promotion of future similar events to promote;
      • proposal system - keep track of who has submitted a proposal, contact them for clarification or acceptance/denial;
      • forms builder - keep track of submitters for various purposes;
      • classified ads - retain info to allow buyers to contact sellers;
      • jobs board - include contact info to allow job seekers to communicate with employers;
      • donors - track info on donors for accounting purposes, to reach out for donations in future;
      • online store - track info on purchasers for accounting purposes, fulfillment purposes;
    • data subjects have a right to know the contact info of the data protection officer of the controller, if such an officer has been appointed;
    • data subjects have a right to access their personal data;
    • data subjects have a right to have their personal data corrected, if it's inaccurate;
    • data subjects have a right to be forgotten (to have their personal data erased);
    • data subjects have a right of data portability (i.e., right to get a copy of data relating to them in a common format, and to transmit those data to another controller);
    • data subjects have a right to restrict or object to automated processing of personal data
What you need to do:  You will need to be able to respond to various requests from data subjects for exercising their rights under the GDPR.  Our system allows for most of this already, and the add-on GDPR center will make the rest easier, at least with respect to allowing data portability, and anonymizing data to satisfy the right to be forgotten.
  • Controllers and Processors 
    For the most part, the controller is the association (you), while the processor is the vendor providing software for processing of those data, such as MemberLeap (us):
    • The controller shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR;
    • The controller is responsible for implementing appropriate measures to ensure only the minimum necessary data are collected, and that the data are kept securely;
    • Controllers or processors not located in the European Union - need to have a representative in an EU member state - (Article 27). MemberLeap's partner, VeraSafe, can provide this service, enabling you to easily satisfy this requirement;
    • The controller should maintain a record of processing activities under its responsibility;
    • Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject;
    • The controller and processor shall cooperate with the supervisory authority;
    • The processor may only process data on instruction from the controller;
    • The controller must notify the supervisory authority in case of data breach within 72 hours of becoming aware of the breach;
    • The controller must notify the data subject in case of data breach;
    • Controllers and processors may need to appoint a Data Protection Officer, if the volume of data handling is significant or deals with special categories of data (Article 9);
    • If appointed, the Data Protection Officer acts as a representative to advise the controller or processor on the regulation, monitor compliance, cooperate with the supervisory authority, and act as contact point for the supervisory authority.
What you need to do:  Understand your responsibilities as a controller and implement appropriate measures and security controls.  Also, depending on your organization, you may need to appoint an EU-based representative as required by Article 27.

FAQ


Do you charge more for handling EU data?

If you have need for storing EU citizen data, we would require you to sign an addendum to our online service agreement, and to pay an additional monthly charge.  This charge offsets costs that we incur in order to comply to GDPR as a data processor.  By paying this fee, you are also granted access to our Privacy/GDPR module, which includes features needed for compliance, as well as some additional materials and guidelines to help you get compliant.  Below is the current schedule of additional fees.

The full details of these requirements have not completely been presented, but we are working towards full compliance when it goes into effect on May 25, 2018
 
  • 1-20 citizens = $20 per month
  • 21-250 citizens = $40 per month
  • 251-2,500 citizens = $60 per month
  • 2,501+ citizens = $80 per month
Subject to change based on additional GDPR requirements.


Do we need a cookie consent banner?

The GDPR doesn't directly regulate the use of cookies, or the issue of cookie consent banners. Under EU law, cookies are regulated by the current ePrivacy Directive, which is set to be repealed and replaced by the ePrivacy Regulation. The new regulation is currently being negotiated in Brussels, and it's not possible to know if cookie banners will continue to be required after the new ePrivacy Regulation is finalized.


Does the GDPR apply to me if I process the data of only a few EU citizens?

Even if you process the data of only a few EU citizens, it is highly likely that the GDPR will still apply to these particular processing operations. While under such circumstances you may be exempt from certain obligations, as described above, such as maintaining records of processing activities or being required to appoint a Data Protection Officer, the majority of the GDPR requirements will still apply to your processing of EU data. If you are still in doubt, please feel free to contact us with inquiries.

Is re-acquiring consent mandatory under the GDPR?

It is a common misconception that the businesses will necessarily need to re-acquire consent from all the contacts in their database before May, 25th. Making this determination should be subject to an analysis of the legal grounds that you may use, based on the specifics of your association, along with a number of other factors. In the "Using MemberLeap in the Context of the GDPR" guide available to our GDPR Module subscribers we have provided resources that will help you make this evaluation.

What if i have other questions?

Please feel free to ask questions.  As we get more questions, it will help us build this FAQ section.

If you are a client, and have questions, please log into the system and submit a help ticket, so we can better coordinate our efforts to help you with compliance.

If you are a prospective client and have questions about the GDPR module or other aspects of our product, please click here to contact us or email us at gdpr@memberleap.com.