Making your Wild Apricot site GDPR-compliant

On May 25, 2018, the European Union will begin enforcing a new set of data protection regulations, known collectively as the General Data Protection Regulation (GDPR). The GDPR applies not only to entities in EU member states that process personal data, but also to entities located outside the EU whose processing activities relate to the offering of goods and services (regardless of whether payment is required) to EU residents or to monitoring the behavior of EU residents.

In this help topic, we provide suggestions for your consideration as you update your Wild Apricot website to meet your GDPR obligations.

This is not intended to be an exhaustive list of everything you need to do to meet your GDPR compliance obligations. You should seek independent legal advice concerning your specific obligations under the GDPR because only an attorney can provide legal advice tailored to your specific situation. Nothing in this help topic is intended to provide you or any of our clients with legal advice, nor should any statements on this page be used as a substitute for legal advice.

Important steps you should take in updating your Wild Apricot site for GDPR compliance include:

• Limiting the personal data you collect from members to that which is necessary for the purposes for which you are processing the data, and only retaining the data for the necessary time period.
• Confirming you have a lawful basis for all your processing activities (e.g. collecting, storing, transferring, and doing anything else with the personal data).
• Developing an updated, GDPR-compliant privacy policy.
• Providing your privacy policy whenever and wherever personal data is collected.
• Obtaining consent from data subjects for the processing of their personal data where consent is the lawful basis for processing.
• Preparing to respond to data subject requests pursuant to the GDPR, including but not restricted to requests that you provide them with a copy of the personal data you have collected from them, and erasing all personal data you have concerning them.

For more information on rights and responsibilities under the GDPR, see our GDPR Whitepaper. To view Wild Apricot's Data Processing Agreement, click here.

Limiting personal data collection and retention

One important step toward GDPR readiness is analyzing the different types of personal data you are collecting and what you are doing with that personal data. You should ensure that you have legitimate reasons for collecting and otherwise processing all the different types of personal data you collect on your Wild Apricot site. You should limit the personal data you collect to the data needed to fulfill those purposes, and you should not retain the personal data for any longer than necessary to fulfill those purposes.

Confirming lawful basis for processing activities

The GDPR requires that you have a lawful basis for all your processing activities. The following are the lawful bases for processing most types of personal data:

• Consent
• Contractual necessity
• Compliance with EU or Member State legal obligations
• Protection of vital interests of the data subject or other persons
• Performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
• Legitimate interests pursued by you or a third party unless overridden by the interests, fundamental rights or freedoms of affected data subjects
• Other lawful bases introduced by member states

Developing a GDPR-compliant privacy policy

After confirming you have a lawful basis for all your processing activities, you should prepare a privacy policy in order to provide the persons whose data you are collecting with information concerning your identity, the types of personal data being processed, the reasons for processing such personal data, and other information required by the GDPR. Your privacy policy should outline how you collect, store, and otherwise process personal data. The information contained in your privacy policy should be provided in a concise, transparent, intelligible, and easily accessible form, using clear and plain language that will be understandable by the persons whose data you are collecting.

The GDPR requires privacy policies to include the following information:

• The identity and the contact details of the data controller and, where applicable, the controller’s representative
• The contact details of the data protection officer, where applicable
• The purposes and legal basis for the processing
• The legitimate interests pursued by the controller or by a third party, where the processing is based on such legitimate interests
• The recipients or categories of recipients of the personal data, if any
• Information on any cross-border transfers of the data, and possible risks related to such transfers
• The period for which the Personal Data will be stored (or, if it is not possible to determine the exact period, the criteria for determining that period)
• The existence of the following data subject rights:
  1. Right of access
  2. Right to rectification
  3. Right to erasure
  4. Right to restriction of processing
  5. Right to object to processing
  6. Right to data portability
  7. Right to withdraw consent at any time, where processing is based on consent
  8. Right to lodge a complaint with the supervisory authority
• Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, and whether the data subject is required to provide the personal data, and the possible consequences of failing to provide the personal data
• The existence of automated decision-making, including profiling (where such decisions have legal effects or significantly affect the data subject) and meaningful information regarding the logic and possible consequences of such processing for the data subject
• Information on the source of the personal data (if such data is not collected directly from the data subject) and, if applicable, whether it came from publicly accessible sources.

You should consider retaining a privacy lawyer or European privacy professional to assist you in updating your privacy policy pursuant to the requirements of the GDPR.

Publishing your privacy policy

Your privacy policy should be available at all points of collection of personal data. After you’ve updated your privacy policy, you should publish a link to your privacy policy on every page of your website. You can add a link to the footer within your page template(s). Your link should be clearly visible under a term such as “Privacy Policy.”

For apps, you should make your privacy policy available from an online store prior to download. Once the app is installed, the privacy policy should never be more than two taps away. Your main menu should include a Privacy option.

Collecting granular consent from contacts

Where consent is the lawful basis for data processing, you need to obtain and store consent from your contacts before you can process their data. Consent needs to be as granular as possible, meaning that consent should be obtained separately for each specific purpose.

For example, if you plan to use personal data for marketing purposes, that would require consent separate from the consent required to place cookies on a computer. It is not enough to obtain a blanket consent to your terms of use or privacy policy.

To provide granular consent within your Wild Apricot site, you can create multiple consent fields using the instructions below and enable them separately for different Wild Apricot forms, or display them all on all forms.

Adding consent fields

So that visitors to your site can consent to the use of their data for specific purposes, you need multiple consent fields to store individual consent settings within your Wild Apricot database. The consent fields can appear on different forms, or all on the same forms.

The above clip provides an example of possible consent fields. The actual consent fields you need to create will depend on your particular circumstances.

You can create consent fields using the rules and terms field type. If you want your consent fields to automatically appear on all forms, you should create them as common fields.

Within the field settings for your consent field, you enter the label to appear to the left of the consent checkbox, and the text to appear to the right. In the Link field, you enter the URL of the website page where an explanation of the data purpose appears. You should set the access under Others access to anybody.

If you make your consent fields mandatory, then contacts will not be able to update their consent settings without contacting you.

To  handle email consent, we provide an opt-in mechanism. If a contact opts out, they will still receive confirmation emails in response to specific actions on their part, such as membership renewal notices or event registration confirmations, but they will not receive event announcements and other email blasts.

Storing and updating consent

If you've created your consent fields as common fields, they will automatically appear on every Wild Apricot form that collects data. Do not exclude these fields while setting up event registration forms and subscription forms, unless they do not apply in those cases. Common fields cannot be excluded on membership application forms.

When you add contacts manually, either one at a time or by importing spreadsheets, you need to email the new contacts and ask them to review their consent options. Your email should include a link to the {Member_Profile_Url} macro that allows contacts to view and update their member profile. When contacts click the link within the email, they are taken to their member profile, where they can click the Edit profile button and update their consent options.

We’ve added a special GDPR-compliant email template that you can customize and use as the basis for your consent request.

So that consent can be gathered from event guests, be sure to choose the Add all new guests to contact list option when enabling guest registrations.

For membership bundles, bundle administrators are responsible for granting consent on behalf of the members they add to the bundle.

Resetting consent for existing contacts

When you update your site’s data collection policies, you need to reset consent settings for existing contacts to comply with the GDPR.

To reset the consent settings for your contacts, follow these steps:

1. Hover over the Contacts menu and select the List option.
2. Make sure the Filter is set to All.
3. Click the Export button.
4. On the Export contacts dialog that appears, uncheck the Export all fields option and check only the User ID and consent fields.
5. Click the Export button.
6. Open the export file within a spreadsheet program and change all the consent field values to No.
7. Save your changes to the spreadsheet file.
8. Import the modified spreadsheet using the instructions beginning here.

You now need to email all your contacts and ask them to update their consent settings. Your email should include a link to the {Member_Profile_Url} macro that allows contacts to view and update their member profile.

Migrating existing consent settings

If your contacts’ consent settings have already been collected and stored in an external location (e.g. a spreadsheet or external database), you can migrate them into your Wild Apricot database.

To migrate existing consent settings into your Wild Apricot database, follow these steps:

1. Hover over the Contacts menu and select the List option.
2. Make sure the Filter is set to All.
3. Click the Export button.
4. On the Export contacts dialog that appears, uncheck the Export all fields option and check only the User ID and consent fields.
5. Click the Export button.
6. Open the export file within a spreadsheet program and adjust the consent field values in accordance with your external settings.
7. Save your changes to the spreadsheet file.
8. Import the modified spreadsheet using the instructions beginning here.

Withdrawing consent

If a contact informs an administrator that they wish to withdraw consent, the administrator can simply update their consent settings within their contact record.

A contact can also update their own consent settings within their member profile, unless you made your consent fields mandatory.

Requests for copy or transfer of personal data

The GDPR provides data subjects with a number of different rights. One key right data subjects have is the right to receive a copy of the personal data you have collected from them in a commonly used, machine-readable format, and to have their data transferred to another controller. This right only applies if the lawful basis for your processing activities is either the data subject’s consent or contractual necessity (e.g. the processing is required for entry into or performance of a contract with the data subject or in order to take steps at his/her request prior to the entry into a contract).

Wild Apricot stores different data in different locations, so there are multiple steps you must take to export all the personal data you have collected for a particular contact. If you use other applications that collect and store personal data, you’ll have to export data from there as well.

Contact and membership information

To export all the contact and membership information for a particular contact, follow these steps:

1. Hover over the Contacts menu and select the List option.
2. Make sure the Filter is set to All.
3. Enter the name of the contact in the Search field.
4. Click the name of the contact within the search results.
5. Click the Export button.
6. On the Export contacts dialog that appears, make sure the Export all fields option is checked.
7. Click the Export button.

Once the export file is generated, it will be automatically downloaded to your computer, and you'll receive an email with a link to the file.

Event registration information

To export all event registration information for a particular contact, follow these steps:

1. Hover over the Contacts menu and select the List option.
2. Make sure the Filter is set to All.
3. Enter the name of the contact in the Search field.
4. Click the name of the contact within the search results.
5. Within the contact details, click the Events tab.
6. Click the Export event registrations button towards the top of the screen.
7. On the Export registrations dialog that appears, make sure the Export all fields option is checked.
8. Click the Export button.

Donation information

To export all donation information for a particular contact, follow these steps:

1. Hover over the Donations menu and select the Donations option.
2. Make sure the Filter is set to All.
3. Enter the name of the contact in the Search field.
4. Click the name of the contact within the search results.
5. Click the green Export button towards the top of the screen.
6. On the Export donations dialog that appears, make sure the Export all fields option is checked.
7. Click the Export button.

Requests to erase personal data

Another important right data subjects have is the right to erasure of their personal data. This right only applies if one of the following conditions exist:

• The data are no longer needed for the original purpose(s) for which they were collected, and no new lawful purpose exists.
• The lawful basis for processing is consent, the data subject has withdrawn such consent, and no other lawful ground exists.
• The data subject exercises his/her right to object, and the controller has no overriding grounds for continuing the processing.
• The data have been processed unlawfully.
• Erasure is required to comply with EU or member state law.

When a data subject with a right to erasure requests erasure, you can comply with their request by archiving and then permanently deleting their contact record. For instructions on archiving and permanently deleting a single contact, click here.

If you use other applications that collect and store personal data, you’ll have to delete data from there as well.