GDPR applies to any U.S. company that accesses, collects or stores personal data of persons located in the EU or that markets goods or services to such persons in the EU. Also, if a U.S. based company has employees in the EU, then the company likely will have personal data of its EU employees in its U.S. locations. In other words, if you have EU data subjects as members, registrants or database contacts, GDPR applies to you. If GDPR is a new term to you, you can read more information here.
Below is a summary of GDPR requirements that are intended to be informational, not legal advice. We recommend consulting with your organization’s legal advisors on the impact of GDPR to your organization.
As a corollary to the seven principles discussed above, GDPR lists the following seven data subject rights:
Right of Access. Data subjects have the right to obtain from a data controller a copy of their personal data that is being processed by the data controller, to know how and why their data is being processed, and to know with whom it has been shared.
Right to Rectification. Data subjects have the right to require a data controller to rectify inaccurate or incomplete personal data. Members, registrants and contacts have the right to request the data you store about them; they also have the right to correct any outdated or inaccurate data. The easiest way to meet this requirement is to allow your members, registrants and contacts to update their information, either by updating the profile directly or through an online form.
Right to Be Forgotten. Data subjects have the right to require data controllers to erase all of their personal data. Your members, registrants and contacts have the right to request that they be removed from your systems. To fulfill a “Right to be Forgotten” request, submit a ticket to our Help Team and we will process the deletions on your behalf.
Right to Restriction of Processing. Data subjects can require a data controller to restrict processing of their personal data.
Right to Access and Data Portability. This right requires data controllers to make it easy for data subjects to take their personal data with them to another organization. Your members, registrants and contacts have the right to request access to the data you store about them. MemberClicks products allow you to export records in CSV format, which meets the requirement.
Right to Object. Data controllers whose lawful grounds for processing personal data are legitimate business purposes must allow data subjects the right to object to the processing of their personal data. The data subject’s request must be respected unless the data controller has a more compelling interest in processing the personal data.
Right to Object to Automated Decision-making. The GDPR provides that data subjects have the right not to be subject to a decision based solely on an automated process, including profiling.
GDPR requires that data controllers notify appropriate governmental data protection authorities within 72 hours of a data breach. If the data breach “is likely to result in high risk to the rights and freedoms [of data subjects],” the data controller must notify affected data subjects without “undue delay.”
Yes. Under GDPR, a data subject’s consent must be specific, freely given, informed, and not ambiguous. Most importantly, a positive opt-in is required and consent cannot be implied by inactivity (e.g. pre-ticked boxes, silence). Requests for consent must be separate from other contract terms and must be in clear, plain language.
There are several aspects of consent that you need to be considering for your members, registrants and contacts.
Consent (with notice)/opt-in. If your team needs to capture consent, fields should be added to your database and forms to capture and store consent. You may need more than one data field because consent must be given for each of the ways you process data. When creating these fields, remember that opt-in consent must be freely given, affirmative, and include a transparent explanation of your purpose for acquiring/using the data.
Notice: The notice must be easily accessible and explicit so consent is informed.
Affirmative opt-in: The person must take an action to opt in. For example, an opt-in checkbox cannot be checked by default on your forms or within profiles.
Granular Consent: You need to describe each of the different reasons and methods you process personal information so people have a clear understanding of what they are giving consent to (sending event announcements, education opportunities, legislative news, etc.). MemberClicks stores form and profile fields with a date and timestamp automatically when they are submitted.
Withdrawal of Consent/Opt-out: Just as it must be clear and easy to give consent, there needs to be a comparable way to view current preferences and to withdraw consent. The easiest way to allow consent to be withdrawn is to allow the consent fields to be edited in the profile or through an online form.
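The consent rules above (one field per purpose, affirmative opt-in only, an automatic timestamp on every change, a way to view and withdraw consent, and a CSV export for the portability request described earlier) can be modelled as a small consent ledger. The code below is an added example, not MemberClicks code; the purposes, field names (`consent_<purpose>`), the `notice_version` label and the sample form submissions are all constructed for illustration.

```python
"""Consent ledger sketch (added example; not MemberClicks code).

Rules implemented:
  * one consent field per processing purpose (granular consent)
  * a purpose is consented only on an affirmatively ticked box; a missing
    or unticked box never counts as consent (no pre-ticked defaults)
  * every grant and withdrawal is stored with an automatic UTC timestamp
  * current preferences are derived from the history, so withdrawal is
    recorded rather than silently overwriting the original opt-in
  * the full history can be exported as CSV for an access/portability request
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed list of processing purposes; a real organisation lists its own.
PURPOSES = {
    "event_announcements": "Send you announcements about upcoming events",
    "education": "Send you information about education opportunities",
    "legislative_news": "Send you legislative news",
}

# Values a browser sends for a ticked checkbox. Anything else, including an
# absent field, is treated as "not consented", never as implied consent.
AFFIRMATIVE_VALUES = {"on", "true", "yes", "1"}


@dataclass(frozen=True)
class ConsentEvent:
    purpose: str
    granted: bool              # True = opt-in, False = withdrawal
    notice_version: str | None  # which notice the person saw when opting in
    timestamp: datetime        # set automatically, UTC


@dataclass
class ConsentRecord:
    subject_id: str
    events: list[ConsentEvent] = field(default_factory=list)

    def _append(self, purpose: str, granted: bool, notice_version: str | None,
                now: datetime | None) -> None:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown processing purpose: {purpose}")
        ts = now or datetime.now(timezone.utc)
        self.events.append(ConsentEvent(purpose, granted, notice_version, ts))

    def grant(self, purpose: str, notice_version: str, now: datetime | None = None) -> None:
        """Record an affirmative opt-in for one purpose, tied to the notice shown."""
        self._append(purpose, True, notice_version, now)

    def withdraw(self, purpose: str, now: datetime | None = None) -> None:
        """Record a withdrawal; the earlier grant stays in the history."""
        self._append(purpose, False, None, now)

    def current_preferences(self) -> dict[str, bool]:
        """Latest state per purpose; purposes never consented to are False."""
        prefs = {p: False for p in PURPOSES}
        for ev in sorted(self.events, key=lambda e: e.timestamp):
            prefs[ev.purpose] = ev.granted
        return prefs


def consents_from_form(form: dict[str, str]) -> dict[str, bool]:
    """Read the consent checkboxes (constructed names consent_<purpose>) from a
    submitted form. Only an affirmatively ticked box yields True."""
    return {
        p: form.get(f"consent_{p}", "").strip().lower() in AFFIRMATIVE_VALUES
        for p in PURPOSES
    }


def apply_form(record: ConsentRecord, form: dict[str, str], notice_version: str,
               now: datetime | None = None) -> dict[str, bool]:
    """Apply a signup or profile-edit submission to the ledger.

    A newly ticked box records a grant; a box that was previously granted and
    is now unticked records a withdrawal. An unticked box that was never
    granted records nothing, so silence is not turned into a consent decision.
    """
    before = record.current_preferences()
    wanted = consents_from_form(form)
    for purpose, ticked in wanted.items():
        if ticked and not before[purpose]:
            record.grant(purpose, notice_version, now)
        elif not ticked and before[purpose]:
            record.withdraw(purpose, now)
    return record.current_preferences()


def export_csv(record: ConsentRecord) -> str:
    """Full consent history as CSV, for an access or portability request."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["subject_id", "purpose", "granted", "notice_version", "timestamp"])
    for ev in sorted(record.events, key=lambda e: e.timestamp):
        writer.writerow([record.subject_id, ev.purpose, ev.granted,
                         ev.notice_version or "", ev.timestamp.isoformat()])
    return buf.getvalue()


def demo() -> tuple[dict[str, bool], dict[str, bool], str]:
    """Constructed walk-through: signup with two boxes ticked, then a profile
    edit that unticks one of them."""
    rec = ConsentRecord("member-123")  # constructed subject id
    signup = {"consent_event_announcements": "on", "consent_education": "on"}
    after_signup = apply_form(rec, signup, "notice-v1",
                              now=datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc))
    edit = {"consent_event_announcements": "on"}  # education box left unticked
    after_edit = apply_form(rec, edit, "notice-v1",
                            now=datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc))
    return after_signup, after_edit, export_csv(rec)


if __name__ == "__main__":
    signup_prefs, edit_prefs, history = demo()
    print(signup_prefs)
    print(edit_prefs)
    print(history)
```

The point of keeping every grant and withdrawal as its own timestamped row, rather than flipping a single boolean, is that the record can show when consent was given, which notice the person saw, and when it was withdrawn; that history is what a "how and why is my data processed" request or an audit asks for.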