Wild Apricot is getting ready for the GDPR

On May 25, 2018, the European Union will begin enforcing a new data protection law, the GDPR (General Data Protection Regulation). The GDPR regulates the collection, storage, and other processing of personal data of people in the EU (including UK residents), regardless of where the organization doing the processing is located.

The GDPR replaces and expands upon the 1995 Data Protection Directive (95/46/EC). The biggest change is its extended reach: it now applies to all organizations that process the personal data of people in Europe, even if those organizations are based outside Europe.

Consequently, Wild Apricot and any of its clients with members in Europe need to understand the requirements of the GDPR, and set up procedures for complying with them.

Wild Apricot has already begun reviewing our data collection policies and procedures, and is actively exploring how we can help our clients achieve compliance with the GDPR's requirements.

What is Wild Apricot doing to address GDPR?

Wild Apricot has begun reviewing our internal procedures for collecting the personal data of our clients. We use a number of different applications to interact with our clients, and we are looking at how each collects data and obtains consent for collecting data.

We have also finished analyzing the changes we need to make to Wild Apricot to help our clients seek and manage consent from their members and contacts.

Specifically, here’s what we’ve done and what we have left to do:

Research the areas of our product and business impacted by GDPR
Status: Done

Identify the changes required to be made to Wild Apricot to comply with GDPR, including:
  • How we collect and manage consent
  • How we help you support the data rights of your members and contacts
Status: Done

Implement the required changes to Wild Apricot
Status: In progress

Review how we collect and store personal data, identifying:
  • What data we collect
  • Who has access
  • Where we can decrease the amount of data we collect
  • How we can ensure the safety of the data
  • How we can support your rights
Status: Done

Educate Wild Apricot staff about the GDPR requirements
Status: In progress

Prepare internal procedures and instructions
Status: In progress

Prepare educational materials for Wild Apricot clients, including:
  • How to collect and manage consent
  • How to write a privacy policy
  • How to support members' rights
  • How to educate your members
  • How to deal with third-party services that you use for data processing (e.g. Mailchimp, PayPal, Google Analytics, etc.)
  • And more...
See our help article Making your Wild Apricot site GDPR-compliant.
Status: Done

Review and update public-facing privacy and security policies
Status: In progress

Perform an audit to verify compliance
Status: Not started

Perform and communicate compliance
Status: Not started

What should Wild Apricot clients be doing? 

For Wild Apricot clients with European members, there are a number of steps that need to be taken to prepare for GDPR:

  • Review and document what personal data you are storing, where it came from, who you share it with, and who has access to it. This is not just about data on your Wild Apricot site: it includes your own financial records and any data being processed by other third-party services (e.g. PayPal, Google Analytics, WordPress, etc.).
  • Review how you seek, record, and manage consent.
  • Check your procedures to ensure they cover all the rights identified by the GDPR.
  • Review your current privacy notices and plan for any necessary changes to comply with GDPR.

Understanding GDPR terminology

The GDPR distinguishes between controllers (people or organizations that determine the purposes and means of processing personal data) and processors (people or organizations that process data on behalf of a controller). Within the context of Wild Apricot, associations using Wild Apricot are controllers, and Wild Apricot itself is a processor, since we process our clients' data on their behalf. Unlike the 1995 Directive, the GDPR imposes obligations directly on processors as well as controllers, but the obligations differ: the controller is responsible for the lawful basis of the processing and for honouring data subjects' rights, while the processor may process the data only on the controller's documented instructions, must keep it secure, and must assist the controller in meeting its obligations.

The GDPR refers to those whose personal data is being collected as data subjects.

What are the requirements of the GDPR?

Under the GDPR, data subjects have the following rights. They are exercised against the controller, and processors must assist the controller in honouring them:

Consent to process data
Where processing relies on consent, data subjects must be given a genuine choice about whether to consent to the processing of their personal data. Consent must be freely given, specific, informed, and unambiguous, and expressed by a clear affirmative action: a pre-ticked checkbox or silence does not count. Consent is one of several lawful bases the GDPR recognizes (performance of a contract and legitimate interests are others), so it must be identified as the basis for a given processing activity rather than assumed.

Consent withdrawal
Data subjects must be able to withdraw their consent at any time, and withdrawing consent must be as easy as giving it. Withdrawal does not make earlier processing unlawful, but processing that relied on that consent must stop.

Right of access
Data subjects have the right to obtain confirmation as to whether or not personal data concerning them is being processed and, if so, access to that data together with the purposes of the processing, the recipients, the retention period, and the source of the data. The controller is required to provide a copy of the personal data, free of charge, and in a commonly used electronic format if the request was made electronically. Requests must normally be answered within one month.

Right to erasure (right to be forgotten)
Data subjects have the right to request that the data controller erase their personal data, cease further dissemination of the data, and have third parties stop processing it. Erasure applies when the data is no longer necessary for the purpose it was collected for, when the data subject withdraws consent and no other lawful basis applies, or when the data was processed unlawfully. The right is not absolute: the controller may retain data it needs to comply with a legal obligation (for example, financial records) or to establish or defend legal claims, and must weigh the subject's rights against "the public interest in the availability of the data".

Breach notification
A controller must notify the supervisory authority of any personal data breach that is likely to "result in a risk to the rights and freedoms of individuals" within 72 hours of becoming aware of it, and must document every breach, including those it decides not to report. If the breach is likely to result in a high risk to individuals, the controller must also inform the affected data subjects without undue delay. A processor (such as Wild Apricot) must notify the controller without undue delay after becoming aware of a breach, so that the controller can meet its own deadline.

Data portability
Data subjects have the right to receive the personal data they have provided to a controller in a structured, commonly used, machine-readable format (for example CSV or JSON) and to transmit it to another controller. This right applies to data processed by automated means on the basis of consent or a contract.

In general, organizations are expected to apply privacy by design and by default: data protection is built into the design of every data-collecting system rather than added afterwards. This includes collecting only the minimum amount of data necessary for the task at hand (data minimisation), keeping it no longer than needed, and limiting access to the data to those who need it. The GDPR also requires security measures appropriate to the risk, and names pseudonymisation and encryption of personal data as examples.

What are the penalties for non-compliance?

Organizations in breach of the GDPR can be fined up to 4% of their annual global turnover or €20 million, whichever is greater. Fines are tiered: the upper tier (4% or €20 million) applies to infringements of the basic principles of processing, of data subjects' rights, and of the rules on international transfers, while the lower tier (2% of annual global turnover or €10 million, whichever is greater) applies to infringements such as failing to keep records of processing, failing to notify a breach, or failing to carry out a required data protection impact assessment.

We will continue to update our clients and this document with our progress on complying with the requirements of the GDPR.

For more information, see the following:

The EU’s Data protection overview

GDPR home page

This page was updated on April 20, 2018
