Whether you’re a large or small organization, you’ve probably heard about the EU’s new regulation, the General Data Protection Regulation (GDPR). It’s a new set of laws aimed at enhancing the protection of EU citizens’ personal data and increasing the obligations of organizations to deal with that data in transparent and secure ways. The GDPR applies not only to EU-based businesses, but also to any business that controls or processes data of EU citizens.
It is important to us to help you, our partners and customers, understand what the GDPR means for your business and build GDPR-compliant processes of your own.
Below is a list of the requirements you need to meet and how Member365 can be used to help you comply.
- Lawful basis of processing
You need to have a legal reason to use anyone’s data. That reason could be consent (opted in), performance of a contract (e.g. they are a member and you want to send them an invoice), or what the GDPR calls “legitimate interest” (e.g. they have attended an event, completed a training course, etc. and you want to send them additional information about their interests). You need the ability to track that reason (also known as “lawful basis”) for a given contact.
In Member365, each contact record has a notes area where you can provide details on the contact and why they are in the database.
In order for a contact to grant consent under the GDPR, a few things need to happen:
- They need to be told what they are opting into. That’s called “notice.”
- They need to affirmatively opt in through a statement with a checkbox confirming that they consent to receive email from your organization.
- The consent needs to be granular, meaning it needs to cover the various ways you process and use their personal data (e.g. membership renewal notices, Email Marketing campaigns, Event Reminders). You must log auditable evidence of what they consented to and when they consented.
Member365 requests consent from anyone who fills out a form. This includes Membership applications, Event registrations, Store purchases, etc. This consent is stored in their contact record, along with the date on which consent was provided and the reason for it.
- Withdrawal of consent (or opt out)
Your contacts need the ability to see what they’ve signed up for and withdraw their consent at any time.
Member365 gives contacts the ability to opt out of any and all email marketing campaigns through an automated unsubscribe link at the bottom of your message. This unsubscribe link cannot be removed by any administrator using Member365. Additionally, Members can log into their member portal and select which types of emails they wish to stop receiving in the “My Account” area.
- Right to deletion
Your contacts have the right to request that you delete all the personal data you have about them. The GDPR requires the permanent removal of the contact from your database, including email tracking history, call records, form submissions and more. In many cases, you’ll need to respond to their request within 30 days. The right to deletion is not absolute, and can depend on the context of the request, so it doesn’t always apply.
Member365 provides the ability to delete a contact from the database at any time. However, any invoices that have been generated on behalf of the contact will remain for fiscal reporting purposes.
- Access / Portability
A contact can request access to the personal data you have about them. Personal data is anything identifiable, like their name and email address. If they request access, you need to provide a copy of the data, in some cases in a machine-readable format (e.g. CSV or XLS).
Member365 has added the ability to export a contact’s data to a Microsoft Excel formatted document. It is located on each contact record in the left-hand menu.
- Modification
Contacts can ask your organization to modify their personal data if it’s inaccurate or incomplete, and you need to be able to accommodate that modification request.
Member365 allows you to modify their personal data through the CRM and allows the contact to modify their own data in the Member Portal.
- Breach Notification
Under the GDPR, breach notification will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach.
Member365 will alert customers if there has been a data breach incident so that you can notify your contacts as required.
The Member365 staff will continue to review and update our software as new guidelines come into force. Don’t hesitate to let us know if you have any questions.