GDPR applies to any U.S. company that accesses, collects or stores personal data of persons located in the EU or that markets goods or services to such persons in the EU. Also, if a U.S.-based company has employees in the EU, the company will likely hold personal data of its EU employees at its U.S. locations. In other words, if you have EU data subjects as members, registrants or database contacts, GDPR applies to you. If GDPR is a new term to you, you can read more information here.
Below is a summary of GDPR requirements that are intended to be informational, not legal advice. We recommend consulting with your organization’s legal advisors on the impact of GDPR to your organization.
GDPR lists the seven principles that govern data protection:
- Personal data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject. For example, it must be clear to any data subject whose data you process how you are going to use their data.
- Personal data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes. When it comes to using someone’s personal data, you must say what you do, and do what you say.
- Personal data must be adequate, relevant, and limited to what is necessary to achieve those purposes. This principle means that you may not collect more personal data from a data subject than you need.
- Personal data must be accurate and kept up to date. You should provide data subjects with an easy way to keep track of their data and you should take affirmative steps to ensure that their personal data is current and accurate.
- Personal data must be stored no longer than necessary to achieve the purposes for which it was collected. This means that as soon as you no longer need the personal data for the original purposes, you must get rid of it.
- Personal data must be properly secured against accidental loss, destruction, or damage. GDPR does not specify what steps a company must take to protect and secure data, but this principle makes it clear that companies should take appropriate steps to protect any personal data in their possession or control.
- Data controllers are responsible for and must be able to demonstrate compliance with the above stated principles. This is known as the “accountability principle.” GDPR places more emphasis on accountability than the prior “EU Data Directive”.
WHAT ARE THE CORE RIGHTS OF DATA SUBJECTS UNDER GDPR?
As a corollary to the seven principles discussed above, GDPR lists the following seven data subject rights:
Right of Access. Data subjects have the right to obtain from a data controller a copy of the personal data the controller is processing about them, to know how and why it is being processed, and to know with whom it has been shared.
Right to Rectification. Data subjects have the right to require a data controller to rectify inaccurate or incomplete personal data. Members, registrants and contacts have the right to request the data you store about them, and they also have the right to correct any outdated or inaccurate data. The easiest way to meet this requirement is to allow your members, registrants and contacts to update their information, either by editing their profile directly or through an online form.
Right to Be Forgotten. Data subjects have the right to require data controllers to erase all of their personal data. Your members, registrants and contacts have the right to request that they be removed from your systems. To fulfill a “Right to be Forgotten” request, submit a ticket to our Help Team and we will process the deletions on your behalf.
Right to Restriction of Processing. Data subjects can require a data controller to restrict processing of their personal data.
Right to Access and Data Portability. This right requires data controllers to make it easy for data subjects to take their personal data with them to another organization. Your members, registrants and contacts have the right to request access to the data you store about them. MemberClicks products allow you to export records in CSV format, which meets this requirement.
Right to Object. Data controllers whose lawful grounds for processing personal data are legitimate business purposes must allow data subjects the right to object to the processing of their personal data. The data subject’s request must be respected unless the data controller has a more compelling interest in processing the personal data.
Right to Object to Automated Decision-making. The GDPR provides that data subjects have the right not to be subject to a decision based solely on an automated process, including profiling.
WHAT IS THE REQUIRED NOTICE PERIOD FOR DATA BREACHES UNDER GDPR?
GDPR requires that data controllers notify appropriate governmental data protection authorities within 72 hours of a data breach. If the data breach “is likely to result in high risk to the rights and freedoms [of data subjects],” the data controller must notify affected data subjects without “undue delay.”
MUST DATA SUBJECTS CONSENT TO THE PROCESSING OF THEIR PERSONAL DATA IN ADVANCE?
Yes. Under GDPR, a data subject’s consent must be specific, freely given, informed, and unambiguous. Most importantly, a positive opt-in is required, and consent cannot be implied by inactivity (e.g. pre-ticked boxes, silence). Requests for consent must be separate from other contract terms and must be in clear, plain language.
There are several aspects of consent that you need to be considering for your members, registrants and contacts.
Consent (with notice)/opt-in. If your team needs to capture consent, fields should be added to your database and forms to capture and store consent. You may need more than one data field because consent must be given for each of the ways you process data. When creating these fields, remember that opt-in consent must be freely given, affirmative, and include a transparent explanation of your purpose for acquiring/using the data.
Notice: The notice must be easily accessible and explicit so consent is informed.
Affirmative opt-in: The data subject must take an action to opt in. For example, an opt-in checkbox cannot be checked by default on your forms or within profiles.
Granular Consent: You need to describe each of the different reasons and methods for which you process personal information, so people have a clear understanding of what they are giving consent to (sending event announcements, education opportunities, legislative news, etc.). MemberClicks automatically stores a date and timestamp with form and profile fields when they are submitted.
Withdrawal of Consent/Opt-out: Just as it must be clear and easy to give consent, there must be a comparable way to view current preferences and to withdraw consent. The easiest way to allow consent to be withdrawn is to make the consent fields editable in the profile or through an online form.
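A consent record model that follows the aspects above (one field per processing purpose, only an affirmative tick counts as consent, a system-stamped time plus the notice version shown, and withdrawal by editing the same fields), written as an added example rather than MemberClicks code; the purpose names and the notice-version field are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Hypothetical processing purposes, modelled on the kinds of mailings the page mentions.
PURPOSES = ("event_announcements", "education_opportunities", "legislative_news")


@dataclass(frozen=True)
class ConsentEvent:
    purpose: str
    granted: bool          # True = opt-in, False = withdrawal
    at: datetime           # stamped by the system at submission, never taken from the form
    notice_version: str    # which notice text the data subject saw, so consent is informed


class ConsentLedger:
    """Append-only consent history per data subject; current preferences are derived."""

    def __init__(self) -> None:
        self._events: Dict[str, List[ConsentEvent]] = {}

    def current_preferences(self, subject_id: str) -> Dict[str, bool]:
        # Nobody is opted in until they act: every purpose defaults to False.
        prefs = {p: False for p in PURPOSES}
        for ev in self._events.get(subject_id, []):
            prefs[ev.purpose] = ev.granted
        return prefs

    def record_form(self, subject_id: str, fields: Dict[str, bool], notice_version: str,
                    now: Optional[datetime] = None) -> List[ConsentEvent]:
        """Apply a submitted consent form (checkbox values already parsed to booleans).
        One field per purpose; anything else is rejected so consent stays granular. Only a
        ticked box grants; an unticked box for a granted purpose is a withdrawal; purposes
        the form did not ask about stay untouched."""
        unknown = set(fields) - set(PURPOSES)
        if unknown:
            raise ValueError(f"consent must be given per purpose, got: {sorted(unknown)}")
        now = now or datetime.now(timezone.utc)
        before = self.current_preferences(subject_id)
        changes = [ConsentEvent(p, v is True, now, notice_version)
                   for p, v in fields.items() if (v is True) != before[p]]
        self._events.setdefault(subject_id, []).extend(changes)
        return changes

    def may_process(self, subject_id: str, purpose: str) -> bool:
        """Check before every use of the data: allowed only while consent stands."""
        return self.current_preferences(subject_id).get(purpose, False)

    def access_copy(self, subject_id: str) -> List[dict]:
        """Right of access: the subject's consent history as plain records for export."""
        return [{**vars(ev), "at": ev.at.isoformat()} for ev in self._events.get(subject_id, [])]
```

Because the history is append-only, the export also serves as the evidence of when and under which notice each consent was given or withdrawn.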
WHAT ARE SOME OTHER IMPORTANT THINGS YOU NEED TO KNOW?