Making your WildApricot site GDPR-compliant

On May 25, 2018, the European Union began enforcing a new set of data protection regulations, known collectively as the General Data Protection Regulation (GDPR). The GDPR applies not only to entities in EU member states that process personal data, but also to entities located outside the EU whose processing activities relate to the offering of goods and services (regardless of whether payment is required) to EU residents or to monitoring the behavior of EU residents.

In this article we provide suggestions for your consideration as you update your WildApricot website to meet GDPR obligations.

This is not intended to be an exhaustive list of everything you need to do to meet your GDPR compliance obligations. You should seek independent legal advice concerning your specific obligations under the GDPR because only an attorney can provide legal advice tailored to your specific situation. Nothing in this article is intended to provide you or any of our clients with legal advice, nor should any statements on this page be used as a substitute for legal advice.

Important steps you should take to ensure your WildApricot website is GDPR compliant include:

  • Limit the personal data you collect from members to that which is necessary for the purposes for which you are processing the data, and only retain the data for the necessary time period.
  • Confirm you have a lawful basis for all your processing activities (e.g. collecting, storing, transferring, and doing anything else with the personal data).
  • Develop an updated, GDPR-compliant privacy policy.
  • Provide your privacy policy whenever and wherever personal data is collected.
  • Obtain consent from data subjects for the processing of their personal data.
  • Prepare to respond to data subject requests pursuant to the GDPR, including but not restricted to requests for a copy of the personal data you hold about them and requests to erase all personal data you hold concerning them.

For more information on rights and responsibilities under the GDPR, see our GDPR Whitepaper.

Limiting personal data collection and retention

One important step toward GDPR readiness is analyzing the different types of personal data you are collecting and what you are doing with that personal data. You should ensure that you have legitimate reasons for collecting and otherwise processing all the different types of personal data you collect on your WildApricot website. You should limit the personal data you collect to the data needed to fulfill those purposes, and you should not retain the personal data for any longer than necessary to fulfill those purposes.

Confirming lawful basis for processing activities

The GDPR requires that you have a lawful basis for all your processing activities. The following are the lawful bases for processing most types of personal data:

  • Consent
  • Contractual necessity
  • Compliance with EU or Member State legal obligations
  • Protection of vital interests of the data subject or other persons
  • Performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • Legitimate interests pursued by you or a third party unless overridden by the interests, fundamental rights or freedoms of affected data subjects
  • Other lawful bases introduced by member states

Developing a GDPR-compliant privacy policy

After confirming you have a lawful basis for all your processing activities, you should prepare a privacy policy in order to provide the persons whose data you are collecting with information concerning your identity, the types of personal data being processed, the reasons for processing such personal data, and other information required by the GDPR. Your privacy policy should outline how you collect, store, and otherwise process personal data. The information contained in your privacy policy should be provided in a concise, transparent, intelligible, and easily accessible form, using clear and plain language that will be understandable by the persons whose data you are collecting.

The GDPR requires privacy policies to include the following information:

  • The identity and the contact details of the data controller and, where applicable, the controller’s representative
  • The contact details of the data protection officer, where applicable
  • The purposes and legal basis for the processing
  • The legitimate interests pursued by the controller or by a third party, where the processing is based on such legitimate interests
  • The recipients or categories of recipients of the personal data, if any
  • Information on any cross-border transfers of the data, and possible risks related to such transfers
  • The period for which the Personal Data will be stored (or, if it is not possible to determine the exact period, the criteria for determining that period)
  • The existence of the following data subject rights:
    1. Right of access
    2. Right to rectification
    3. Right to erasure
    4. Right to restriction of processing
    5. Right to object to processing
    6. Right to data portability
    7. Right to withdraw consent at any time, where processing is based on consent
    8. Right to lodge a complaint with the supervisory authority
  • Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, and whether the data subject is required to provide the personal data, and the possible consequences of failing to provide the personal data
  • The existence of automated decision-making, including profiling (where such decisions have legal effects or significantly affect the data subject) and meaningful information regarding the logic and possible consequences of such processing for the data subject
  • Information on the source of the personal data (if such data is not collected directly from the data subject) and, if applicable, whether it came from publicly accessible sources.

You should consider retaining a privacy lawyer or European privacy professional to assist you in updating your privacy policy pursuant to the requirements of the GDPR.

Publishing your privacy policy

Your privacy policy should be available at all points of collection of personal data. After you’ve updated your privacy policy, you should publish a link to your privacy policy on every page of your website. You can add a link to the footer within your page template(s). Your link should be clearly visible under a term such as “Privacy Policy.”

For apps, you should make your privacy policy available from an online store prior to download. Once the app is installed, the privacy policy should never be more than two taps away. Your main menu should include a Privacy option.

Collecting granular consent from contacts

Where consent is the lawful basis for data processing, you need to obtain and store consent from your contacts before you can process their data. Consent needs to be as granular as possible, meaning that consent should be obtained separately for each specific purpose. You must also be able to demonstrate that consent was given, so keep a record of what each contact agreed to and when.

For example, if you plan to use personal data for marketing purposes, that would require consent separate from the consent required to place cookies on a computer. It is not enough to obtain a blanket consent to your terms of use or privacy policy.

To provide granular consent within your WildApricot site, you can create multiple consent fields using the instructions below and enable them separately for different WildApricot forms, or display them all on all forms.

Adding consent fields

So that visitors to your site can consent to the use of their data for specific purposes, you need multiple consent fields to store individual consent settings within your WildApricot database. The consent fields can appear on different forms, or all on the same forms.

The actual consent fields you need will depend on your particular circumstances; for example, separate fields for marketing email and for the placing of cookies, as described above.

You can create consent fields using the rules and terms field type. If you want your consent fields to automatically appear on all forms, you should create them as contact fields.

Within the field settings for your consent field, enter the label to appear to the left of the consent checkbox, and the text to appear to the right. In the Link field, enter the URL of the website page where an explanation of the data purpose appears. You should set the access under Others access to anybody. Bear in mind that a contact's consent choices are themselves personal data: check what your member directories and public profile pages display for a field with that access level before you publish the site.

If you make your consent fields mandatory, a contact cannot leave the box unchecked when editing their profile, so contacts will not be able to withdraw or update their consent settings themselves without contacting you.

To handle email consent, we provide an opt-in mechanism. If a contact opts out, they will still receive confirmation emails in response to specific actions on their part, such as membership renewal notices or event registration confirmations, but they will not receive event announcements and other email blasts.

Storing and updating consent

If you've created your consent fields as contact fields, they will automatically appear on every WildApricot form that collects data. Do not exclude these fields while setting up event registration forms and subscription forms, unless they do not apply in those cases. Contact fields cannot be excluded on membership application forms.

When you add contacts manually, either one at a time or by importing spreadsheets, you need to email the new contacts and ask them to review their consent options. Your email should include a link to the {Member_Profile_Url} macro that allows contacts to view and update their member profile. When contacts click the link within the email, they are taken to their member profile, where they can click the Edit profile button and update their consent options.

We’ve added a special GDPR-compliant email template that you can customize and use as the basis for your consent request.

So that consent can be gathered from event guests, be sure to choose the Add all new guests to contact list option when enabling guest registrations.

For membership bundles, bundle coordinators are responsible for granting consent on behalf of the members they add to the bundle.

Resetting consent for existing contacts

When you update your website’s data collection policies, you need to reset consent settings for existing contacts to comply with the GDPR.

To reset the consent settings for your contacts, follow these steps:

  1. Navigate to Contacts > List.
  2. Make sure the Filter is set to All.
  3. Click the Export button.
  4. On the Export contacts dialog that appears, uncheck the Export all fields option and check only the User ID and consent fields.
  5. Click the Export button.
  6. Open the export file within a spreadsheet program, keep an unmodified copy of it as a record of the previous consent state, and change all the consent field values to No.
  7. Save your changes to the spreadsheet file.
  8. Import the modified spreadsheet using the contact import instructions.

You now need to email all your contacts and ask them to update their consent settings. Your email should include a link to the {Member_Profile_Url} macro that allows contacts to view and update their member profile.

Migrating existing consent settings

If your contacts’ consent settings have already been collected and stored in an external location (e.g. a spreadsheet or external database), you can migrate them into your WildApricot database.

To migrate existing consent settings into your WildApricot database, follow these steps:

  1. Navigate to Contacts > List.
  2. Make sure the Filter is set to All.
  3. Click the Export button.
  4. On the Export contacts dialog that appears, uncheck the Export all fields option and check only the User ID and consent fields.
  5. Click the Export button.
  6. Open the export file within a spreadsheet program and adjust the consent field values in accordance with your external settings.
  7. Save your changes to the spreadsheet file.
  8. Import the modified spreadsheet using the contact import instructions.
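Step 6 of both procedures above (setting every consent value to No, and merging settings from an external sheet) is easy to get wrong by hand in a spreadsheet: a stray column edit overwrites unrelated contact fields, and external sheets spell yes/no inconsistently. The following script is an added example, not WildApricot code, that performs both transformations on an export file and writes back only the User ID and consent columns. The header names "E-Mail" and the "Consent: ..." labels are assumptions standing in for your own export headers and rules-and-terms field names; the sample data is constructed.

```python
"""Bulk-edit the consent columns of a WildApricot contact export.

Added example; not WildApricot code. Column names below are assumptions:
"User ID" is the key column named in the procedure, "E-Mail" is the
address column used to match against an external consent sheet, and the
"Consent: ..." labels stand in for whatever rules-and-terms fields you
created. Adjust them to your own export headers.
"""
import csv
import io

KEY_COLUMN = "User ID"
EMAIL_COLUMN = "E-Mail"                                               # assumed header
CONSENT_COLUMNS = ["Consent: Marketing email", "Consent: Photo use"]  # assumed labels

# Spreadsheets and external databases spell yes/no in many ways; map them
# all onto the Yes/No values the import expects, and refuse anything else
# rather than silently importing a wrong consent state.
TRUE_VALUES = {"yes", "y", "true", "1", "checked"}
FALSE_VALUES = {"no", "n", "false", "0", "unchecked", ""}


def normalize_consent(value):
    v = (value or "").strip().lower()
    if v in TRUE_VALUES:
        return "Yes"
    if v in FALSE_VALUES:
        return "No"
    raise ValueError(f"unrecognised consent value: {value!r}")


def read_rows(csv_text):
    reader = csv.DictReader(io.StringIO(csv_text))
    rows = list(reader)
    return reader.fieldnames or [], rows


def write_rows(rows, fieldnames):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def require_columns(fieldnames, needed):
    missing = [c for c in needed if c not in fieldnames]
    if missing:
        raise KeyError(f"file is missing columns: {missing}")


def reset_consent(export_csv, consent_columns=CONSENT_COLUMNS):
    """Step 6 of 'Resetting consent': every consent value becomes No.

    Only the key column and the consent columns are written back, so the
    import cannot accidentally overwrite any other contact field."""
    fieldnames, rows = read_rows(export_csv)
    require_columns(fieldnames, [KEY_COLUMN, *consent_columns])
    out = [{KEY_COLUMN: r[KEY_COLUMN], **{c: "No" for c in consent_columns}} for r in rows]
    return write_rows(out, [KEY_COLUMN, *consent_columns])


def migrate_consent(export_csv, external_csv, consent_columns=CONSENT_COLUMNS):
    """Step 6 of 'Migrating existing consent settings'.

    Matches contacts to the external sheet by e-mail address
    (case-insensitive, whitespace-trimmed). Contacts with no external record
    are left out of the import file, so their current settings are not
    touched; their IDs are returned so you can follow up with them."""
    ext_fields, ext_rows = read_rows(external_csv)
    require_columns(ext_fields, [EMAIL_COLUMN, *consent_columns])
    external = {}
    for r in ext_rows:
        email = r[EMAIL_COLUMN].strip().lower()
        if email in external:
            raise ValueError(f"duplicate external record for {email}")
        external[email] = r

    fieldnames, rows = read_rows(export_csv)
    require_columns(fieldnames, [KEY_COLUMN, EMAIL_COLUMN, *consent_columns])
    out, unmatched = [], []
    for r in rows:
        src = external.get(r[EMAIL_COLUMN].strip().lower())
        if src is None:
            unmatched.append(r[KEY_COLUMN])
            continue
        out.append({KEY_COLUMN: r[KEY_COLUMN],
                    **{c: normalize_consent(src[c]) for c in consent_columns}})
    return write_rows(out, [KEY_COLUMN, *consent_columns]), unmatched


# Constructed sample data standing in for a real export and an external sheet.
EXPORT_CSV = """User ID,E-Mail,Consent: Marketing email,Consent: Photo use
101,alice@example.org,Yes,Yes
102,Bob@Example.org,No,Yes
103,carol@example.org,Yes,No
"""

EXTERNAL_CSV = """E-Mail,Consent: Marketing email,Consent: Photo use
alice@example.org,no,TRUE
bob@example.org,yes,0
"""

if __name__ == "__main__":
    print(reset_consent(EXPORT_CSV))
    merged, unmatched = migrate_consent(EXPORT_CSV, EXTERNAL_CSV)
    print(merged)
    print("no external record for User IDs:", unmatched)
```

For the migration the export must also include the e-mail column so that contacts can be matched; the script drops it again before writing the import file. Both the export and the import file contain personal data, so keep them only as long as the procedure needs them and delete working copies once the import has succeeded.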

Withdrawing consent

If a contact informs an account administrator that they wish to withdraw consent, the administrator can update their consent settings on their behalf within their contact details.

A contact can also update their own consent settings within their member profile, unless you made your consent fields mandatory.

Requests for copy or transfer of personal data

The GDPR provides data subjects with a number of different rights. Two key rights are the right of access, which entitles a data subject to a copy of the personal data you hold about them, and the right to data portability, which entitles them to receive that data in a structured, commonly used, machine-readable format and to have it transmitted to another controller. The right of access applies regardless of your lawful basis. The right to data portability only applies to data the data subject provided to you, where the processing is carried out by automated means and the lawful basis is either the data subject's consent or contractual necessity (e.g. the processing is required for entry into or performance of a contract with the data subject, or in order to take steps at his/her request prior to entering into a contract).

WildApricot stores different data in different locations, so there are multiple steps you must take to export all the personal data you have collected for a particular contact. If you use other applications that collect and store personal data, you'll have to export data from there as well. Before releasing an export, confirm that the request genuinely comes from the data subject (or someone authorised to act for them); the GDPR allows you to ask for additional information to confirm their identity where you have reasonable doubts. Deliver the file through a channel you control rather than simply replying to the address the request came from.

Contact and membership information

To export all the contact and membership information for a particular contact, follow these steps:

  1. Navigate to Contacts > List.
  2. Make sure the Filter is set to All.
  3. Enter the name of the contact in the Search field.
  4. Click the name of the contact within the search results.
  5. Click the Export button.
  6. On the Export contacts dialog that appears, make sure the Export all fields option is checked.
  7. Click the Export button.

After the export file is generated, it will be automatically downloaded to your computer, and you'll receive an email with a link to the file.

Event registration information

To export all event registration information for a particular contact, follow these steps:

  1. Navigate to Contacts > List.
  2. Make sure the Filter is set to All.
  3. Enter the name of the contact in the Search field.
  4. Click the name of the contact within the search results.
  5. Within the contact details, click the Events tab.
  6. Click the Export event registrations button towards the top of the screen.
  7. On the Export registrations dialog that appears, make sure the Export all fields option is checked.
  8. Click the Export button.

Donation information

To export all donation information for a particular contact, follow these steps:

  1. Hover over the Donations menu and select the Donations option.
  2. Make sure the Filter is set to All.
  3. Enter the name of the contact in the Search field.
  4. Click the name of the contact within the search results.
  5. Click the green Export button towards the top of the screen.
  6. On the Export donations dialog that appears, make sure the Export all fields option is checked.
  7. Click the Export button.

Requests to erase personal data

Another important right data subjects have is the right to erasure of their personal data. This right only applies if one of the following conditions exists:

  • The data are no longer needed for the original purpose(s) for which they were collected, and no new lawful purpose exists.
  • The lawful basis for processing is consent, the data subject has withdrawn such consent, and no other lawful ground exists.
  • The data subject exercises his/her right to object, and the controller has no overriding grounds for continuing the processing.
  • The data have been processed unlawfully.
  • Erasure is required to comply with EU or member state law.

When a data subject with a right to erasure requests erasure, you can comply with their request by archiving and then permanently deleting their contact record. Deleting the record does not remove copies of the contact's data that exist elsewhere, such as exports you have downloaded, spreadsheets used for consent migration, or the other applications mentioned above, so erase the data from those locations as well.
