GDPR is right around the corner. From enterprise-level to small businesses, the May 25, 2018 deadline for compliance with the EU General Data Protection Regulation (GDPR) looms large and brings up many questions about how to not run afoul of this new regulation.
Wait, What Is GDPR Exactly?
If you haven’t already heard… GDPR is a regulation that aims to create a higher level of data protection and give EU citizens more control over how their personal data is collected, stored, and processed. It strengthens the rights individuals have regarding the collection of their personal data — including IP addresses, device identifiers and anything else that can be used to identify an individual. This regulation creates one standard of data protection across Europe, regardless of where that data is processed.
There are some additional resources regarding GDPR at the end of this article. If you’re just hearing about GDPR, here is a fantastic article that gives a solid overview of the regulation and how it may affect your business. The important thing to keep in mind is that if you collect data of any kind from EU citizens – even if your company isn’t based in Europe – you will likely be affected by GDPR.
MemberMouse Tools and Compliance
The list below calls out some key areas to consider while attempting to be GDPR compliant as well as highlightsthe times where MemberMouse can assist in these efforts.
Please note: While MemberMouse will provide what support we can to our customers in this process, it is important to emphasize that each organization’s obligations under the GDPR are unique and specific. Our customers should consider seeking independent legal advice relating to your individual concerns and compliance needs. It is important to note that no communication from MemberMouse through email or on this website is intended to substitute for legal advice.
HERE ARE 8 KEY AREAS FOR GDPR COMPLIANCE
AND HOW MEMBERMOUSE CAN HELP
1.) ASSESS YOUR EXPOSURE, ACT ACCORDINGLY
Companies that do not have any physical presence in the EU may be subject to the GDPR. The
extraterritorial reach of the GDPR applies to entities that have an establishment in the EU, offer goods
and services to EU data subjects, or monitor the behavior of EU data subjects. Because of the far reach
of the regulation, the fact that it’s a lengthy legal document and the potential hefty fines for non-
compliance, you don’t have to look too far to find a company that’s selling a ‘solution’ for GDPR. It can
feel like there’s a huge external pressure to just throw a lot of money at becoming compliant…. or else.
And it may be that one or several solutions are the right ones for your business. However, before acting,
take some time to assess your exposure.
Some questions to consider in making a decision about how to address GDPR:
2.) PRIVACY BY DEFAULT. PRIVACY BY DESIGN.
Privacy by default.
With regard to information that your organization collects by cookies or via other methods, it’s time to
assess if all of this information necessary or helpful in achieving your business objectives? Think about
where you can limit collection, processing and storage of personal data and discontinue practices that
may not be serving your business or your customers.
Privacy by design.
Assess whether it’s necessary to implement new technical and organizational measures when
determining the means of processing data and when processing data in order to aid in protection of
personal data. For example, whenever possible, companies are encouraged to implement
anonymization by processing personal data in a manner such that it can no longer be attributed to
a specific data subject.
3.) DOCUMENT, DOCUMENT, AND DOCUMENT
You should document what personal data you hold, where it came from and who you share it with.
GDPR expands the definition of “personal data” to include, among other things, online identifiers,
device identifiers, cookie IDs and IP addresses. The GDPR also requires you to maintain clear records
of your data processing activities and compliance efforts. Doing this will also help you to comply with
the GDPR’s accountability principle, which requires organisations to be able to show how they comply
with the data protection principles, for example by having effective policies and procedures in place.
Did we mention the importance of documentation? When you collect personal data you currently
have to give people certain information, such as your identity and how you intend to use their
additional things you will have to tell people. Some examples of items you’ll want to include in your
and how to opt out. The GDPR requires the information to be provided in concise, easy to understand
and clear language.
5.) CHECK PROCEDURES FOR COMPLYING WITH THE ‘RIGHTS FOR INDIVIDUALS’
The GDPR includes the following rights for individuals:
HOW CAN MEMBERMOUSE HELP?
MemberMouse has specific features that can aid with compliance for the right of access,
the right to erasure and the right to data portability.
The right of access: MemberMouse provides a clear interface from which to view and make
changes to information associated with a member’s account - the member details area. You can
see general top-level information; manage access rights; view transaction history; view and edit
any custom data entered into custom fields; and view and edit billing and shipping addresses.
Under the right of access, you may have to comply with subject access requests. Before subject
access requests are processed, you will have to verify the identity of the person making the request,
using ‘reasonable means’. One way to do this is to have a individualized passkey or code available
only to the member. MemberMouse offers two possible methods to achieve this. Custom Fields can
be used to collect security question answers from members. These will be accessible by you in
the member details area and can be accessed and viewed on the member's My Account page (optional).
A second option is to use the unique Member ID that's automatically created as your identifier. By
using the MM_Member_Data SmartTag, this can be sent to your member in a welcome email as
well as added to the My Account page. See the process to use Custom Fields and SmartTags to help
with identification verification.
The right to erasure: (available in version 2.2.8 and greater) MemberMouse has created a 'Forget Member'
feature in the Member Details area which will randomize personally identifiable user data while keeping
the data structure intact, so that removing records from the database does't affect reporting, order and
subscription metrics. Learn more about the 'Forget Member' feature.
The right to data portability: Data that the customer enters into the MemberMouse system
can be exported. The Browse Members search interface can be used to locate the member you
want to do an export for, and then click on the ‘Export Member’ button to export a portable .csv
file. Learn more about exporting members.
6.) IDENTIFY YOUR LAWFUL BASIS FOR PROCESSING PERSONAL DATA
You should identify the lawful basis for your processing activity in the GDPR, document it and
update your privacy notice to explain it. Some individuals’ rights will be modified depending on
your lawful basis for processing their personal data. The most obvious example is that people will
have a stronger right to have their data deleted where you use consent as your lawful basis
7.) REVIEW CONSENT PROTOCOLS
You should review how you seek, record and manage consent and whether you need to make
any changes. Consent must be freely given, specific, informed and unambiguous. There must
be a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity.
It must also be separate from other terms and conditions, and you will need to have simple ways
for people to withdraw consent.
HOW CAN MEMBERMOUSE HELP?
MemberMouse can help in the management of consent through the Custom Fields feature
and by allowing for confirmed opt-in with our email integrations.
8.) BE ABLE TO RESPOND TO DATA BREACHES
You should put procedures in place to effectively detect, report and investigate a personal data
breach. Where a breach is likely to result in a high risk to the rights and freedoms of individuals,
you will also have to notify those concerned directly in most cases. You may wish to assess the
types of personal data you hold and document where you would be required to notify the supervisory
authority or affected individuals if a breach occurred. Depending on the size of your organization,
you also may need to appoint a Data Protection Officer to take responsibility for data protection
Here is a complete list of MemberMouse GDPR compliance-related resources:
- Add a Terms of Service checkbox to the checkout page
- Create an Account Security Key for Identity Verification
- Custom Fields overview
- Exporting Members
- 'Forget Member' feature
- General Data Protection Regulation (GDPR) FAQ
- Member Details overview
Here are some additional resources we’ve found helpful in navigating the GDPR:
The European Commission’s infographic explanation of the GDPR
CSO Online’s General Data Protection Regulation (GDPR) requirements, deadlines and facts
From Discover CRM: Understanding the implications of GDPR for small businesses