We at memberplanet take security seriously. Protecting your data – both personal and payment information – is our top priority. We continually update our security measures to ensure that your information is kept safe against loss, misuse, unauthorized access, unauthorized disclosure, manipulation, or destruction. In addition to trusting us with your data, you should feel that you have complete control over the information you provide online, and so should the people in your group. The GDPR – a term you’ve probably heard before – is meant to empower European Union citizens, but we see this as being relevant to all our customers, regardless of where they reside. Here’s what you need to know, the choices your members have, and what to expect.
What is the GDPR?
The General Data Protection Regulation (GDPR) is a new set of data procedures designed to protect and empower all European Union (EU) citizens’ data privacy. UK residents are also included. The GDPR replaces the 1995 Data Protection Directive and is arguably the most significant change in data privacy regulation in 20 years. It’s meant to boost consumer confidence and data transparency in our digital economy and, in turn, in business.
When will the GDPR be enforced?
On May 25, 2018. The EU is already implementing the GDPR, but at the end of May, organizations found in non-compliance risk significant fines.
Whom does the GDPR affect?
The GDPR applies to organizations that collect, share, and/or store the data of EU citizens. For example, if there’s a chance your U.S.-based organization collects personal data of EU citizens, you may need to adjust your methods of collecting, sharing, and/or storing that data and demonstrate that they are compliant with the GDPR by May 25, 2018.
These terms define whom the GDPR affects in relation to the data collected:
Personal data: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
Controllers: people or organizations that determine the purposes and essential means of the processing of personal data
Processors: people or organizations that process personal data on behalf of a controller
Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
In relation to the GDPR’s definitions, memberplanet is considered a processor – we process personal data on behalf of controllers, which are our customers, groups, clients, and organizations that use memberplanet even on a free subscription plan.
What is the penalty for non-compliance?
The maximum penalty for organizations in breach of the GDPR is up to 4% of annual global revenue or €20 million (whichever is greater). There is also a tiered approach. For example, a company can be fined 2% for not having its records in order, not notifying the supervising authority and data subject about a breach, or not conducting an impact assessment. At the EU level, Data Protection Authorities (DPAs) are empowered to monitor compliance. Fines apply to controllers and processors, so this is something you don’t want to ignore.
How does the GDPR affect memberplanet customers?
The GDPR details the following key procedures and rights of EU citizens, and if you collect their data, you are obligated to comply with these:
Consent
Get clear consent to process data. Terms and conditions must be easily accessible, with the purpose for data processing attached to that consent. Use clear and plain language. Also, permit withdrawal of consent. It must be as easy to withdraw consent as it is to give it.
Right to Be Forgotten (Data Erasure)
Erase personal data if the data subject asks. Data subjects are entitled to have the controller erase their personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. Exemptions include cases where the data is needed to exercise freedom of expression, where there is a legal obligation to keep that data, and reasons of public interest, such as public health research purposes.
Right to Access
Let people access their data and receive confirmation as to whether or not their personal data is being processed, where and for what purpose. You’re obligated to provide an electronic copy of their data to them – free of charge.
Right to Data Portability
Data subjects have the right to receive their personal data in a common machine-readable format that allows them to give it to another company.
Breach Notification
Inform people of data breaches if there is serious risk to them. You must do this within 72 hours of first having become aware of the breach.
For more details on exemptions and key changes to the previous directive, you can visit the European Commission’s website.
What choices do my members have regarding their personal data?
Members may request to view, update, or delete their information by submitting a request for info or deletion or emailing us at firstname.lastname@example.org. Please note that some information may remain in our records, for example in our archives, after a request for deletion of such information. We may use any aggregated data derived from or incorporating members’ personal information after they update or delete it, but not in a manner that would identify them personally. Please also note that comments posted publicly on our website properties, such as comments on our blog posts, will remain visible to the public.
What to expect:
Check back for updates.
The information in this article is not meant to be a substitute for legal advice. Only a licensed attorney can provide legal advice appropriate for your organization’s particular situation.