On this page
What is GDPR?
GDPR stands for General Data Protection Regulation, a privacy law from the European Union (EU) that took effect on May 25, 2018. If you're unfamiliar with GDPR, see GDPR and MC Professional for an overview before continuing.
The seven data protection principles
GDPR defines seven principles that govern data protection. Here is how each applies within MC Professional:
- Lawfulness, fairness, and transparency: Personal data must be processed lawfully, fairly, and transparently. It must be clear to any data subject how their data will be used. This can be accomplished with an article detailing your data practices, as well as Labels in your forms.
- Purpose limitation: Personal data must be collected for specified, explicit, and legitimate purposes and not used in ways incompatible with those purposes. When using someone's personal data, you must say what you do — and do what you say.
- Data minimization: Personal data must be adequate, relevant, and limited to what is necessary to achieve its purpose. You may not collect more data from a data subject than you need.
- Accuracy: Personal data must be accurate and kept up to date. Provide data subjects with an easy way to review and update their data. In MC Professional, this is done by giving members the ability to edit attributes in their profile and access forms with their information pre-populated.
- Storage limitation: Personal data must be stored no longer than necessary for the purposes for which it was collected. Once you no longer need the data for those purposes, it must be deleted.
- Integrity and confidentiality: Personal data must be properly secured against accidental loss, destruction, or damage. GDPR does not prescribe specific security steps, but organizations must take appropriate measures to protect any personal data in their possession.
- Accountability: Data controllers are responsible for — and must be able to demonstrate — compliance with the above principles. GDPR places greater emphasis on accountability than the prior EU Data Directive.
Data subject rights
GDPR also defines seven data subject rights:
- Right of access: Data subjects have the right to obtain a copy of their personal data being processed by a data controller, and to know how and why it is being processed and with whom it has been shared.
- Right to rectification: Data subjects have the right to require a data controller to correct inaccurate or incomplete personal data. The easiest way to meet this requirement is to allow members, registrants, and contacts to update their information directly in their profile or through an online form.
- Right to be forgotten: Data subjects have the right to require data controllers to erase all of their personal data. To fulfill a "Right to be forgotten" request, contact our Support Team and we will process the deletions on your behalf.
- Right to restriction of processing: Data subjects can require a data controller to restrict processing of their personal data.
- Right to data portability: Data controllers must make it easy for data subjects to take their personal data to another organization. MC Professional allows you to export records in CSV format, meeting this requirement.
- Right to object: Data subjects have the right to object to the processing of their personal data when it is based on legitimate business purposes. The data controller must respect this request unless they have a more compelling interest in processing the data.
- Right to object to automated decision-making: Data subjects have the right not to be subject to decisions based solely on automated processes, including profiling.
Consent and opt-in
Several consent requirements apply to how you collect and manage data for your members, registrants, and contacts:
-
Consent with notice / opt-in: If your team needs to capture consent, add fields to your database and forms to store it. You may need more than one field, since consent must be given separately for each way you process data. Opt-in consent must be freely given, affirmative, and include a transparent explanation of your purpose.
- Notice: The notice must be easily accessible and explicit so that consent is informed.
- Affirmative opt-in: Members must take a deliberate action to opt in. Opt-in checkboxes cannot be pre-checked on forms or in profiles.
- Granular consent: Describe each reason and method you process personal information so members understand what they are consenting to (for example, event announcements, education opportunities, or legislative news). MC Professional automatically timestamps form and profile submissions.
- Withdrawal of consent / opt-out: Just as it must be easy to give consent, it must be equally easy to withdraw it. Allow consent fields to be edited in the profile or through an online form.
Consent fields can be captured within a form using Labels and Custom Attributes. Use Advanced Search to create Saved Searches based on opt-in and opt-out attributes to keep your communication lists current.
Cookies
Under GDPR, site visitors must be notified about cookies that can be used to personally identify them. MC Professional only uses cookies for core functions, but you should inventory additional elements of your specific site to understand how cookies are used. For a full list of cookies MC Professional uses, see Cookie policy. Contact our Support Team for advanced cookie notice and consent assistance.
Security
GDPR requires security measures to ensure data is protected. MC Professional maintains a robust security infrastructure and works with third-party consultants to continuously review and strengthen security controls. For additional details, see:
Contact us at help@memberclicks.com with any questions about GDPR compliance.