GDPR: How we protect your privacy

The General Data Protection Regulation (GDPR) is a new set of laws designed to protect the personal data of EU citizens. The onus is on organizations not only to secure this data but also to obtain consent for collecting it and to delete it upon request. GDPR exists to protect EU citizens, but any business that collects the data of EU citizens must comply with these laws, wherever it is based.

At MemberSuite, we are working to ensure that our own practices are GDPR-compliant. This includes updating our privacy policy to describe how we handle your data as a processor and how we will assist our clients as the controllers of that data. Between now and May 25th (and beyond), we are working towards compliance with the GDPR.

DISCLAIMER: This should not be considered legal advice for your company to use in complying with EU data privacy laws like the GDPR. The purpose is to provide background information to help you understand how MemberSuite is helping you to be prepared. We recommend that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy.

Below is a detailed list of the features we’re building to help you maintain compliance. In the table below, imagine that Elizabeth, one of your portal users, is an EU citizen. Here’s a primer on the meaning of GDPR’s regulations and how they will affect your communications with Elizabeth.

Regulation / Meaning / MemberSuite Action

Lawful basis of processing

Meaning

You must have a legal reason to use Elizabeth’s data. That could be consent (opt-in) with notice (you told her what she was opting into), performance of a contract (e.g. she’s your customer and you want to invoice her), or “legitimate interest” (e.g. she’s a customer, and you want to send her product info).

You need the ability to track that reason (also known as “lawful basis”) for a given contact.

MemberSuite Action

We will be updating our privacy policy. You should update yours as well to track lawful basis.

Consent

Meaning

Consent is defined under GDPR like this:

  • You need to clarify what Elizabeth is opting into. That’s called “notice.”
  • She needs to opt in on her own (meaning pre-checked boxes aren’t valid). Her filling out a form alone cannot implicitly opt her into everything your company sends.
  • The consent needs to be explicit on all ways you process and use her personal data (e.g. newsletter or sales calls). You must have a record of what she consented to, what she was told (notice), and when she consented.

MemberSuite Action

At MemberSuite, we're adding features to make collecting, tracking, and managing consent in a GDPR-compliant way as straightforward as possible.

Withdrawal of consent (opt out)

Meaning

Elizabeth must have the ability to withdraw consent (or object to how you’re controlling her data).

MemberSuite Action

Within MemberSuite, your portal users may request to ‘opt out’. They are then given the option to opt out of email messaging and/or to opt out of using the system altogether, in which case the portal user becomes an ‘inactive’ portal user.

Cookies

Meaning

Elizabeth must be given notice, in clear terminology, that you’re using cookies to track her, and she must consent to cookie tracking.

MemberSuite Action

We are updating our privacy policy to include how MemberSuite utilizes cookies. You may share this information with your portal users. They must accept cookies in order to utilize the MemberSuite portal.

Right to be forgotten

Meaning

Elizabeth can request that you delete her personal data. This will generally apply when she has ended her membership or wants to close her account. This is commonly called the “right to be forgotten”, and GDPR requires permanent removal of her personal information once the legitimate purpose for which it was collected is fulfilled.

MemberSuite Action

As the controller of data, you are responsible for interpreting this regulation (deciding what actions you will take) and for providing a method by which members can exercise the right to be forgotten. You will need to provide an electronic or written process, with instructions, that your members can easily access in order to make such a request.

Access and Portability

Meaning

Elizabeth can request access to a list of the personal data you hold about her (name, email address, etc.). If she requests access, you must provide a copy of the data in a machine-readable format (e.g. CSV or similar).

She can also request to confirm the lawfulness of processing (proof she gave consent for this).

MemberSuite Action

In MemberSuite, all personal data can be viewed in the portal user’s profile.

As mentioned above, she will have the ability to view in her profile what she has consented to.
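The Consent, Withdrawal of consent and Access and Portability rows above share one underlying need: a record of what Elizabeth consented to, what notice she was shown, when she decided, whether she later withdrew, and a machine-readable copy of all of that on request. As an added illustration (not MemberSuite’s code, and not a description of how its portal stores consent), here is a small append-only consent ledger in Python that meets those points: it refuses a pre-checked box as consent, records an unticked box as no consent at all, stores withdrawal as a new event rather than editing history, and exports a subject’s full history as CSV. The subject id “elizabeth”, the purposes, the notice version and the timestamps are constructed sample values.

```python
"""Append-only consent ledger: an added illustration, not MemberSuite code."""
import csv
import io
from dataclasses import asdict, dataclass, fields
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str      # the portal user (constructed id, e.g. "elizabeth")
    purpose: str         # what she is opting into, e.g. "newsletter"
    notice_version: str  # which notice text she was shown when she decided
    granted: bool        # True = opt-in, False = withdrawal
    at: str              # ISO-8601 UTC timestamp of the decision


class ConsentLedger:
    """Records every opt-in and withdrawal in the order they happen and never
    edits or deletes an entry, so the history is the proof of lawful processing."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    @staticmethod
    def _stamp(at: Optional[datetime]) -> str:
        at = at or datetime.now(timezone.utc)
        if at.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        return at.astimezone(timezone.utc).isoformat()

    def record_from_form(self, subject_id: str, purpose: str, notice_version: str,
                         *, box_default: bool, box_value: bool,
                         at: Optional[datetime] = None) -> Optional[ConsentEvent]:
        # A pre-checked box is not valid consent; refuse to record it at all.
        if box_default:
            raise ValueError("consent checkbox must not be pre-checked")
        # Submitting the form without ticking the box opts her into nothing.
        if not box_value:
            return None
        ev = ConsentEvent(subject_id, purpose, notice_version, True, self._stamp(at))
        self._events.append(ev)
        return ev

    def withdraw(self, subject_id: str, purpose: str,
                 at: Optional[datetime] = None) -> ConsentEvent:
        # Withdrawal is appended as its own event; the opt-in record is kept.
        ev = ConsentEvent(subject_id, purpose, "", False, self._stamp(at))
        self._events.append(ev)
        return ev

    def _history(self, subject_id: str, purpose: Optional[str] = None) -> List[ConsentEvent]:
        return [e for e in self._events
                if e.subject_id == subject_id and (purpose is None or e.purpose == purpose)]

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        # The most recent event for this purpose decides; no event means no consent.
        hist = self._history(subject_id, purpose)
        return bool(hist) and hist[-1].granted

    def proof_of_consent(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        """The opt-in event currently in force, or None (e.g. after withdrawal)."""
        hist = self._history(subject_id, purpose)
        return hist[-1] if hist and hist[-1].granted else None

    def export_csv(self, subject_id: str) -> str:
        """Machine-readable copy of the subject's consent history (access request)."""
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=[f.name for f in fields(ConsentEvent)])
        writer.writeheader()
        for e in self._history(subject_id):
            writer.writerow(asdict(e))
        return buf.getvalue()


def demo() -> dict:
    """Constructed walk-through for a portal user called Elizabeth."""
    ledger = ConsentLedger()
    signup = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)   # constructed
    ledger.record_from_form("elizabeth", "newsletter", "privacy-notice-v1",
                            box_default=False, box_value=True, at=signup)
    ledger.record_from_form("elizabeth", "sales_calls", "privacy-notice-v1",
                            box_default=False, box_value=False, at=signup)
    newsletter_before = ledger.has_consent("elizabeth", "newsletter")
    sales_before = ledger.has_consent("elizabeth", "sales_calls")
    ledger.withdraw("elizabeth", "newsletter", at=datetime(2018, 6, 1, tzinfo=timezone.utc))
    return {
        "newsletter_before": newsletter_before,
        "sales_calls_before": sales_before,
        "newsletter_after": ledger.has_consent("elizabeth", "newsletter"),
        "proof_after": ledger.proof_of_consent("elizabeth", "newsletter"),
        "export": ledger.export_csv("elizabeth"),
    }


if __name__ == "__main__":
    print(demo()["export"])
```

The design choice worth noting is that the ledger only ever appends: withdrawal does not erase the earlier opt-in, so you can still show that processing before the withdrawal date was lawful, while `has_consent` answers “may I send this now?” from the latest event alone.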

Modification

Meaning

Elizabeth may ask you to modify her personal data if it’s inaccurate or incomplete. In this case, you need to be able to accommodate that request.

MemberSuite Action

You can do so from within Elizabeth’s contact record in MemberSuite. Or, depending on how you’ve configured your system, a member can log in and update her information on her own.

Security Measures

Meaning

The GDPR requires many data protection safeguards, from encryption to access controls to data pseudonymization and anonymization.

MemberSuite Action

We are focused on strengthening our security controls.

In addition to complying with the industry standard practices around encryption, MemberSuite’s infrastructure teams are also improving our systems for authentication, authorization, and auditing at a massive scale to better protect customer data.