GDPR is right around the corner. From enterprise-level to small businesses, the May 25, 2018 deadline for compliance with the EU General Data Protection Regulation (GDPR) looms large and brings up many questions about how to not run afoul of this new regulation. 


Wait, What Is GDPR Exactly?


If you haven’t already heard… GDPR is a regulation that aims to create a higher level of data protection and give EU citizens more control over how their personal data is collected, stored, and processed. It strengthens the rights individuals have regarding the collection of their personal data — including IP addresses, device identifiers and anything else that can be used to identify an individual. This regulation creates one standard of data protection across Europe, regardless of where that data is processed. 


There are some additional resources regarding GDPR at the end of this article. If you’re just hearing about GDPR, here is a fantastic article that gives a solid overview of the regulation and how it may affect your business. The important thing to keep in mind is that if you collect data of any kind from EU citizens – even if your company isn’t based in Europe – you will likely be affected by GDPR.



MemberMouse Tools and Compliance


The list below calls out some key areas to consider while attempting to be GDPR compliant as well as highlightsthe times where MemberMouse can assist in these efforts.


Please note: While MemberMouse will provide what support we can to our customers in this process, it is important to emphasize that each organization’s obligations under the GDPR are unique and specific. Our customers should consider seeking independent legal advice relating to your individual concerns and compliance needs. It is important to note that no communication from MemberMouse through email or on this website is intended to substitute for legal advice.


HERE ARE 8 KEY AREAS FOR GDPR COMPLIANCE
AND HOW MEMBERMOUSE CAN HELP



1.) ASSESS YOUR EXPOSURE, ACT ACCORDINGLY

Companies that do not have any physical presence in the EU may be subject to the GDPR. The 
extraterritorial reach of the GDPR applies to entities that have an establishment in the EU, offer goods 
and services to EU data subjects, or monitor the behavior of EU data subjects. Because of the far reach 
of the regulation, the fact that it’s a lengthy legal document and the potential hefty fines for non-
compliance, you don’t have to look too far to find a company that’s selling a ‘solution’ for GDPR. It can 
feel like there’s a huge external pressure to just throw a lot of money at becoming compliant…. or else. 
And it may be that one or several solutions are the right ones for your business. However, before acting, 
take some time to assess your exposure.

Some questions to consider in making a decision about how to address GDPR: 
  • Is your business based in the EU, the immediate zone of the GDPR,
    or the United States and other countries, where the GDPR is in effect ‘by extension’?
  • What percentage of your customers are based in the EU?
  • What percentage of visitors to your site are based in the EU?
  • What type of information are you collecting from your customers?
  • How do you use the information you collect?
  • How much of those processes for use of personal data are automated and do they need to be?


2.) PRIVACY BY DEFAULT. PRIVACY BY DESIGN.

Privacy by default. 
With regard to information that your organization collects by cookies or via other methods, it’s time to 
assess if all of this information necessary or helpful in achieving your business objectives? Think about 
where you can limit collection, processing and storage of personal data and discontinue practices that 
may not be serving your business or your customers.

Privacy by design. 
Assess whether it’s necessary to implement new technical and organizational measures when 
determining the means of processing data and when processing data in order to aid in protection of 
personal data. For example, whenever possible, companies are encouraged to implement 
anonymization by processing personal data in a manner such that it can no longer be attributed to 
a specific data subject.


3.) DOCUMENT, DOCUMENT, AND DOCUMENT

You should document what personal data you hold, where it came from and who you share it with. 
GDPR expands the definition of “personal data” to include, among other things, online identifiers, 
device identifiers, cookie IDs and IP addresses. The GDPR also requires you to maintain clear records 
of your data processing activities and compliance efforts. Doing this will also help you to comply with 
the GDPR’s accountability principle, which requires organisations to be able to show how they comply 
with the data protection principles, for example by having effective policies and procedures in place.



4.) REVIEW AND ADJUST YOUR PRIVACY POLICY

Did we mention the importance of documentation? When you collect personal data you currently 
have to give people certain information, such as your identity and how you intend to use their 
information. This is usually done through a privacy policy or notice. Under the GDPR there are some 
additional things you will have to tell people. Some examples of items you’ll want to include in your 
privacy policy are: you will need to explain the information you collect, your lawful basis for 
processing the data, who you share that data with, your data retention periods, your use of cookies 
and how to opt out. The GDPR requires the information to be provided in concise, easy to understand 
and clear language.



5.) CHECK PROCEDURES FOR COMPLYING WITH THE ‘RIGHTS FOR INDIVIDUALS’

The GDPR includes the following rights for individuals: 
  • the right to be informed;
    (this applies to privacy policy and other notices)

  • the right of access;
    (ability to access their personal data)

  • the right to rectification;
    (ability to correct their personal data)

  • the right to erasure;
    (also known as the ‘right to be forgotten’, ability to have their personal data deleted)

  • the right to restrict processing;
    (allows the controller to store data but not make use of it)

  • the right to data portability;
    (provide the individual with an electronic copy of personal data they’ve provided
    to the controller)

  • the right to object;
    (stop processing of data if an individual raises a specific objection)

  • and the right not to be subject to automated decision-making including profiling.
    (sets limits on making a decision solely by automated means without human involvement)

HOW CAN MEMBERMOUSE HELP?

MemberMouse has specific features that can aid with compliance for the right of access, 
the right to erasure and the right to data portability.


The right of access: MemberMouse provides a clear interface from which to view and make 

changes to information associated with a member’s account - the member details area. You can 

see general top-level information; manage access rights; view transaction history; view and edit 

any custom data entered into custom fields; and view and edit billing and shipping addresses.

 

Under the right of access, you may have to comply with subject access requests. Before subject 

access requests are processed, you will have to verify the identity of the person making the request, 

using ‘reasonable means’. One way to do this is to have a individualized passkey or code available 

only to the member. MemberMouse offers two possible methods to achieve this. Custom Fields can 

be used to collect security question answers from members. These will be accessible by you in 

the member details area and can be accessed and viewed on the member's My Account page (optional). 

A second option is to use the unique Member ID that's automatically created as your identifier. By 

using the MM_Member_Data SmartTag, this can be sent to your member in a welcome email as 

well as added to the My Account page. See the process to use Custom Fields and SmartTags to help

with identification verification.


The right to erasure: (available in version 2.2.8 and greater) MemberMouse has created a 'Forget Member' 

feature in the Member Details area which will randomize personally identifiable user data while keeping 

the data structure intact, so that removing records from the database does't affect reporting, order and 

subscription metrics. Learn more about the 'Forget Member' feature.


The right to data portability: Data that the customer enters into the MemberMouse system 

can be exported. The Browse Members search interface can be used to locate the member you 

want to do an export for, and then click on the ‘Export Member’ button to export a portable .csv 

file. Learn more about exporting members.




6.) IDENTIFY YOUR LAWFUL BASIS FOR PROCESSING PERSONAL DATA

You should identify the lawful basis for your processing activity in the GDPR, document it and 
update your privacy notice to explain it. Some individuals’ rights will be modified depending on 
your lawful basis for processing their personal data. The most obvious example is that people will 
have a stronger right to have their data deleted where you use consent as your lawful basis 
for processing. 



7.) REVIEW CONSENT PROTOCOLS

You should review how you seek, record and manage consent and whether you need to make 
any changes. Consent must be freely given, specific, informed and unambiguous. There must 
be a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity. 
It must also be separate from other terms and conditions, and you will need to have simple ways 
for people to withdraw consent. 


HOW CAN MEMBERMOUSE HELP?

MemberMouse can help in the management of consent through the Custom Fields feature 
and by allowing for confirmed opt-in with our email integrations.

  • Custom Fields can be used anywhere on your site and can be a variety of types (from short 
    text to a checkbox to a dropdown menu). As a simple example, you may want to use a checkbox 
    custom field to obtain and record consent to your Terms of Service. Here's a step-by-step guide
    When members enter their information into custom fields it will show up in the member details 
    area for that member, and on the member’s My Account page (optional) where it can be edited 
    by the member. Custom fields information can also be exported to a .csv file. Learn more 
    about how to use Custom Fields.

  • Support for email with confirmed opt-in is available with all of our email integrations.
    The confirmed opt-in functionality needs to be enabled on the email provider side. 
    There are additional settings for MailChimp (available only in version 2.2.8) which allow for
    confirmed opt-in when a member is first added to a list and for when a member is moved
    between lists. Read more about Configuring MailChimp.



8.) BE ABLE TO RESPOND TO DATA BREACHES

You should put procedures in place to effectively detect, report and investigate a personal data
breach. Where a breach is likely to result in a high risk to the rights and freedoms of individuals,
you will also have to notify those concerned directly in most cases. You may wish to assess the
types of personal data you hold and document where you would be required to notify the supervisory 
authority or affected individuals if a breach occurred. Depending on the size of your organization, 
you also may need to appoint a Data Protection Officer to take responsibility for data protection 
compliance. 



Additional Resources


Here is a complete list of MemberMouse GDPR compliance-related resources:



Here are some additional resources we’ve found helpful in navigating the GDPR: 


The European Commission’s infographic explanation of the GDPR

From Discover CRM: Understanding the implications of GDPR for small businesses 

MailChimp’s Guide to GDPR