GDPR for Membership Organisations

31 Jan 2018 18:16 | Doug Miles (Administrator)

GDPR seems to be cropping up as an agenda item for many of my charity and association clients right now - and quite right too. The EU's somewhat onerous General Data Protection Regulation comes into force at the end of May and there is no way to avoid it. Even after Brexit, it may well carry over, and in any case, it will apply to the personally identifiable information you hold on any EU citizen. Organisations with fewer than 250 employees have more leeway as to what is required, but the basics still apply.

The first thing to say is that GDPR is a required code of practice, not a certification: you cannot pass or fail - but you can be deemed non-compliant, with potentially large fines. Secondly, the fact that you are using Wild Apricot to centrally store, manage and delete ("forget") your members' information already improves compliance compared to multiple spreadsheets, paper application forms, credit card slips and email lists. Thirdly, you need to keep a record of the steps you take to ensure compliance, so now is a good time to create or update those Wild Apricot procedure documents you keep meaning to write.

GDPR will affect your use of Wild Apricot in a couple of ways.

The most obvious is your duty of care to protect your members' data. There are tough reporting requirements if you should suffer a breach - and scary fines. Now, in my view, poor perimeter security of your system - i.e., user logins and passwords - is much more likely to get you into trouble than the internal security of the Wild Apricot servers. Wild Apricot are your "data processor" whereas you are the "data controller", and you both need to be compliant. They have recently moved their data hosting to AWS (Amazon Web Services - yes, the Amazon), and this should allow them to achieve compliance with the EU-US Privacy Shield, or to move accounts to a European data centre. Their policy for GDPR compliance is outlined here, along with some tips for member organisations here.

GDPR also requires you to obtain consent from your members (and contacts) to hold information about them, and to only use that information in the way you stated - including sending them emails. Now, while some people's reading of GDPR is that you will need to adopt a "hard" opt-in approach to email, other legal opinion is that existing opt-out mechanisms are sufficient as long as you can justify "legitimate use" based on a clear relationship, genuine mutual interest, balance of interests, and expected and appropriate processing. To me, this means that emailing members on an opt-out basis is fine, but you do need to be careful as to the source of your non-member contact list, and your emails need to be informative and/or entertaining. In particular, you need an overall privacy statement on your website, and some additional wording on subscription forms and membership applications about why you store the data and what you will use it for (including any sharing with other members).

So, as I said in my original blog way back in April 2016, it's likely that the ICO (Information Commissioner's Office) is only going to come after you if you have a data breach, and most potential data breaches in membership organisations come from the proliferation of spreadsheets, email lists, backups, etc., that get stored on servers, home PCs, laptops, USB sticks and mobile devices. Using a cloud system like Wild Apricot actually reduces some of this risk, but it does require you to take admin passwords seriously - particularly for ex-employees, interns, volunteers and contractors (like me!). You also need to assure yourself that the data hosts are trustworthy, and that the data is hosted in a reputable country. In other words, exercise due diligence, but don't get too hung up about it.
