Do you have EU Citizens or Contacts in your database?
On May 25, 2018, the EU General Data Protection Regulation (GDPR) will come into effect.
The GDPR pertains to EU citizens and to any organization that collects or processes data on EU citizens. If your membership database includes EU citizens, you will want to understand the GDPR, how it affects you, and what your obligations as a data controller are.
- You must obtain consent to track personal information about individuals. Normally this is not a big deal, because people who actively fill out forms to apply for membership or other website services are generally well aware of what they are signing up for. But if you intend to use that data for other purposes, or if you have old historical data in your database that was not collected in such circumstances, or you are creating records yourself to track information about people without their knowledge, then the situation is not so clear.
- Even in cases where you have collected personal data with proper consent, the GDPR makes it clear that people can withdraw their consent, and you have to respect their wishes in that regard. The GDPR even allows them to request that you delete their personal data – this is called their right to be forgotten. If you receive such a request, you should know how to find their data records and either:
  - delete the records entirely
  - if you cannot delete the records, blank the personal data fields
  - if you cannot blank the fields (for example, if it is a required field), then anonymize the data (change it to something that is no longer personally identifying)
- verify that you are releasing the data to the person in question (sending it to an address that you already have on file for them is a reasonable approach)
- use your Report Builder to build a custom report for just that member. Select as many fields to display as are likely to be relevant, and add a single condition to select information only where member_id = that member’s ID.
- export the results of that report, and send it to the person
- you can also go to the Payments module, pull up their account history, and email their account statement, so they can see their purchase history with the organization.
As noted above, they can request that you delete personal profile data, but their purchase history is part of your accounting records, and you can retain that information if you wish.
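The delete, blank, anonymize fallback for a right-to-be-forgotten request, combined with retained purchase history, can be sketched as follows. This is an added example, not the product's own code: the tables, every column other than member_id, and the erase_member helper are hypothetical, and it runs against an in-memory SQLite database.

```python
import sqlite3

# Hypothetical schema (an assumption, not the product's real tables):
# name and email are required fields; phone and address are optional.
SCHEMA = """
CREATE TABLE members (
    member_id INTEGER PRIMARY KEY, name TEXT NOT NULL,
    email TEXT NOT NULL UNIQUE, phone TEXT, address TEXT);
CREATE TABLE payments (
    payment_id INTEGER PRIMARY KEY,
    member_id INTEGER NOT NULL REFERENCES members(member_id),
    amount_cents INTEGER NOT NULL);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # make payments block a member delete
    db.executescript(SCHEMA)
    return db

def erase_member(db, member_id):
    """Apply the fallback order: delete, else blank, else anonymize.
    Returns 'deleted', 'anonymized' or 'not_found'."""
    try:
        with db:  # commits on success, rolls back on error
            cur = db.execute("DELETE FROM members WHERE member_id = ?", (member_id,))
        return "deleted" if cur.rowcount else "not_found"
    except sqlite3.IntegrityError:
        pass  # accounting rows still reference this member, so keep the row
    with db:
        # Optional fields are blanked; required fields get non-identifying
        # values. The placeholder email stays unique by reusing the internal id.
        db.execute(
            "UPDATE members SET phone = NULL, address = NULL, "
            "name = 'Erased member', email = ? WHERE member_id = ?",
            (f"erased-{member_id}@invalid.example", member_id),
        )
    return "anonymized"

if __name__ == "__main__":
    db = open_db()
    # Constructed sample rows: member 1 has purchase history, member 2 has none.
    db.execute("INSERT INTO members VALUES (1, 'Ana Ruiz', 'ana@example.org', '555-0100', '1 Main St')")
    db.execute("INSERT INTO members VALUES (2, 'Bo Lind', 'bo@example.org', NULL, NULL)")
    db.execute("INSERT INTO payments VALUES (10, 1, 4500)")
    db.commit()
    print(erase_member(db, 1), erase_member(db, 2))
```

The member with payments keeps a row so the accounting records stay linked, but nothing in that row identifies the person any longer.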