European Union General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a law intended to strengthen the right to data protection of individuals in the European Union (EU).  The regulation takes effect on May 25, 2018, and applies to all companies and other organizations established anywhere in the world that offer good and services to people in the EU or collect and analyze personal data of EU residents. 

The people whose personal data you collect, use, or process in any way are referred to in the GDPR as Data Subjects. This new complex set of rules aims to allow data subjects full control over their personal data, by imposing strict obligations which organizations that process their data will need to comply.

Breach of those obligations may incur a fine of up to 4% of annual global turnover or €20 million (whichever is greater).

In brief, here are some of the main elements to consider for achieving compliance with the GDPR.
  • Personal data must be, among other things: 
    • only processed lawfully, fairly, and transparently for the data subject;
    • only processed for the purposes disclosed in the privacy policy provided to the data subject, or for purposes that are compatible with the stated purposes;
    • limited to what is necessary for the intended purposes of processing;
    • accurate and kept up-to-date;
    • kept for no longer than what is necessary;
    • only processed in a manner that ensures the security of the personal data (protected from loss, leakage, damage, etc.).
What you need to do:  Analyze the types of personal data that you collect and for what purposes.  Ensure that the data are processed lawfully, fairly, and transparently.  Determine how long you need to keep data and if you really do need all the various data elements.  Verify with your vendors and your internal IT team that data are securely handled.
  • Consent
    • when the data are to be processed using consent as the lawful basis, controllers will need to ensure that consent obtained from the data subject satisfies a number of specific requirements that are described in the law. Consent must be a freely given, specific, informed, unambiguous indication of the data subject's wishes;
    • the controller is obliged to track that a data subject has granted consent to use their data, and must be able to demonstrate evidence of this lawfully acquired consent upon the request of the regulatory authorities;
    • the data subject may withdraw consent later - and the option to do that should be free of charge and easily accessible by a data subject;
    • children under 16 must have a parent provide consent of their behalf.  This might be lowered to 13 in some EU member states;
    • if clear consent has not been obtained in the past, you may need to consider re-acquiring consent. Companies will need to reassess all the consents they have received prior to the GDPR taking effect, to ensure the consents were obtained lawfully (up to the standard of the GDPR) and that this can be demonstrated to regulators. This means that you will need to ensure that both "old" and "new" consent fulfill the GDPR requirements, unless you can rely on a different lawful basis of processing, such as the pursuit of your legitimate interests;
    • refreshing consent: although this is not a clear GDPR requirement, the Article 29 Working Party - an EU body that provides guidance and interpretations with regard to GDPR compliance - recommends, as a best practice, that consent should be refreshed at appropriate intervals. Providing all the information again helps to ensure the data subject remains well informed about how their data is being used and how to exercise their rights. 
What you need to do:  You will want to adjust forms that prospects, members, event attendees, and other people fill out such that the end-user will understand why their data is being collected.  Also, you may want to re-acquire consent from various contacts that you currently have.  Our GDPR features will allow you to do this, for the contacts that you have within your instance of the MemberLeap system. 
  • Processing special categories of personal data:
    • processing these special types of personal data is prohibited unless the data subject gives explicit consent:  relating to race, ethnicity, politics, religion, philosophy, trade union membership, genetic data, biometric data to identify a person, sexual orientation;
    • criminal conviction data - cannot be processed, unless explicitly allowed by other applicable laws;
    • if you do process special categories of data, you will need to ensure that the individual has given their consent explicitly. Some of the suggestions on how to obtain an explicit consent are: signed statement of consent, and a recorded oral statement.
What you need to do:  You will want to do an assessment of the personal data that you store in your system, to determine if any of the data falls into these special categories, and to acquire explicit consent as required by the GDPR. 
  • Rights of the Data Subject
    • controllers need to implement mechanisms to ensure that data subjects are clearly informed about the processing of their personal data, using a privacy policy that’s written in plain language, and that’s easy to understand and read. You can’t rely on the MemberLeap privacy policy for this: each controller needs their own privacy policy that discusses the unique types of data being collected, and the purposes for which the data are used;
    • Data subjects have a right to know the reasons for collecting and processing their data: controllers need to provide clear information on how and why they collect and process the data, determined by a specific, explicit and legitimate purpose. This obligation requires that a controller should provide a separate opt-in for each purpose, to allow users to give specific consent for specific purposes. Every purpose should fulfill the conditions of consent with regards to clarity, specifics, and other elements of the consent, requiring clear separation of information related to obtaining consent for data processing activities from information about other matters.  
      • members - need contact info to inform member of activities, handle member dues billing;
      • prospects - keep prospective member informed of upcoming events;
      • event registration attendees - contact attendee of changes to event, keep list for check-in, keep list for promotion of future similar events to promote;
      • proposal system - keep track of who has submitted a proposal, contact them for clarification or acceptance/denial;
      • forms builder - keep track of submitters for various purposes;
      • classified ads - retain info to allow buyers to contact sellers;
      • jobs board - include contact info to allow job seekers to communicate with employers;
      • donors - track info on donors for accounting purposes, to reach out for donations in future;
      • online store - track info on purchasers for accounting purposes, fulfillment purposes;
    • data subjects have a right to know the contact info of the data protection officer of the controller, if such an officer has been appointed;
    • data subjects have a right to access their personal data;
    • data subjects have a right to have their personal data corrected if it's inaccurate;
    • data subjects have a right to be forgotten (to have their personal data erased);
    • data subjects have a right of data portability (i.e., right to get a copy of data relating to them in a common format, and to transmit those data to another controller);
    • data subjects have a right to restrict or object to automated processing of personal data
What you need to do:  You will need to be able to respond to various requests from data subjects for exercising their rights under the GDPR.  Our system allows for most of this already, and the add-on GDPR center will make the rest easier, at least with respect to allowing data portability, and anonymizing data to satisfy the right to be forgotten.
  • Controllers and Processors 
    For the most part, the controller is the association (you), while the processor is the vendor providing software for processing of those data, such as MemberLeap (us):
    • The controller shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR;
    • The controller is responsible for implementing appropriate measures to ensure only the minimum necessary data are collected, and that the data are kept securely;
    • Controllers or processors not located in the European Union - need to have a representative in an EU member state - (Article 27). MemberLeap's partner, VeraSafe, can provide this service, enabling you to easily satisfy this requirement;
    • The controller should maintain a record of processing activities under its responsibility;
    • Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject;
    • The controller and processor shall cooperate with the supervisory authority;
    • The processor may only process data on instruction from the controller;
    • The controller must notify the supervisory authority in case of data breach within 72 hours of becoming aware of the breach;
    • The controller must notify the data subject in case of data breach;
    • Controllers and processors may need to appoint a Data Protection Officer, if the volume of data handling is significant or deals with special categories of data (Article 9);
    • If appointed, the Data Protection Officer acts as a representative to advise the controller or processor on the regulation, monitor compliance, cooperate with the supervisory authority, and act as contact point for the supervisory authority.
What you need to do:  Understand your responsibilities as a controller and implement appropriate measures and security controls.  Also, depending on your organization, you may need to appoint an EU-based representative as required by Article 27.

If you have questions, please contact us.