On May 25, 2018, the European Union will begin enforcing a new set of data protection regulations, known collectively as the GDPR (General Data Protection Regulation). The GDPR regulates the collection and storage of personal data for EU residents (including UK residents), regardless of where the organization doing the collecting is located.

Under the GDPR, EU residents must be given the opportunity to choose whether to consent to the processing of their personal data. They must also be informed as to what data is collected, and how their data is processed, shared, and stored. Finally, they have the right to access the personal data that has been collected from them, and the right to have that information erased. For more information, see our GDPR Whitepaper.

Consequently, Wild Apricot sites must take a number of steps to comply that include:

  • Publishing a privacy policy that outlines how you collect, process, and store personal data
  • Making that privacy policy available whenever and wherever personal data is collected
  • Requiring consent to your privacy policy before proceeding with data collection
  • Being prepared to share collected data with individual contacts
  • Being prepared to erase data collected for individual contacts

Putting together your privacy policy

One of the most important data rights enshrined in the GDPR is the right to be informed. As a consequence of this right, data controllers are required to make available a privacy policy outlining how they collect, process, and store personal data.

According to the GDPR guidelines, the privacy policy must provide an “easily visible, intelligible and clearly legible … and meaningful overview of the intended processing”. As well, the policy must be communicated in “a concise, transparent, intelligible and easily accessible form, using clear and plain language”. If personal information about children is being collected, “any information and communication, where processing is addressed to a child, should be in such a clear and plain language that the child can easily understand.”

While privacy policies are supposed to be concise, the GDPR requires them to include the following information:

  1. The identity and the contact details of the data controller – the organization that directs the processing of the data
  2. The contact details of the data protection officer – the person responsible for overseeing your organization’s data protection strategy
  3. The purposes and legal basis for the processing
  4. Where the processing is based on legitimate interests, details of what these are
  5. The recipients or categories of recipients of the personal data
  6. Details of any transfer to a third party and details of the safeguards and the means by which to obtain a copy of them or where they have been made available
  7. The retention periods or the criteria used to determine that period
  8. Details on the following data rights:
    1. Right of access
    2. Right of deletion of personal data
    3. Right to object to processing
    4. Right to data portability
    5. Right to withdraw consent at any time, where relevant
    6. Right to lodge a complaint with the supervisory authority
  9. Details on whether the data subject is obliged to provide the personal data and the consequences of failure to provide it
  10. Details of any automated decision making, including details of the logic used and potential consequences for the individual

A number of organizations and consultants who specialize in EU privacy laws are available to assist you in writing your privacy policy.

Publishing your privacy policy

Once you’ve finished writing your privacy policy, you need to publish it on a page in your site so that it is publicly available.

If you created your Wild Apricot site recently, you may already have a sample privacy policy page. If not, you need to create one.

Your privacy policy page should be set to be accessible to everyone.

Linking to your privacy policy

Now that you’ve published your privacy policy to a page on your Wild Apricot site, you should add a link to it from every page on your site. The best way to do this is to add a link to the footer within your page template(s).

Adding a privacy policy consent field

So that visitors to your site can consent to your privacy policy, and thereby give you permission to collect their personal data, you need a privacy policy consent field to store individual consent settings within your Wild Apricot database. The consent field should appear on any form that your site uses to collect personal data.

If you created your Wild Apricot site recently, you may already have a privacy policy consent field within your list of common fields. If not, you need to create one, using the rules and terms field type. Your privacy policy consent field should be a common field so that it automatically appears on all forms.

Within the field settings for your privacy policy consent field, you enter the text to appear beside the consent checkbox in the Text field. You might want to enter something like “I agree to the terms and conditions of the privacy policy”. In the Link field, you enter the URL of the website page where your privacy policy appears. Under the Others access section, click the anybody option.

Collecting consent from contacts

Now that you have a mandatory privacy policy consent field, the field will automatically appear on every Wild Apricot form that collects data. Make sure you do not exclude this field while setting up event registration forms and subscription forms. Common fields cannot be excluded on membership application forms.

When you add contacts manually, either one at a time or by importing spreadsheets, you need to email the new contacts and ask them to update their consent status. Your email should include a link to the {Member_Profile_Url} macro that allows contacts to view and update their member profile. When contacts click the link within the email, they are taken to their member profile, where they can click the Edit profile button and update their consent status.

We’ll be adding a special GDPR-compliant email template that you can customize and use as the basis for your consent request.

So that consent can be gathered from event guests, be sure to choose the Add all new guests to contact list option when enabling guest registrations.

For membership bundles, bundle administrators are responsible for granting consent on behalf of the members they add to the bundle.

Resetting consent for existing contacts

When you update your site’s privacy policy, you need to reset consent settings for existing contacts to comply with the GDPR.

To reset the consent settings for your contacts, follow these steps:

  1. Hover over the Contacts menu and select the List option.
  2. Make sure the Filter is set to All.
  3. Click the Export button.
  4. On the Export contacts dialog that appears, uncheck the Export all fields option and check only the User ID and Privacy policy fields.
  5. Click the Export button.
  6. Open the export file within a spreadsheet program and change all the values under the Privacy policy column to No.
  7. Save your changes to the spreadsheet file.
  8. Import the modified spreadsheet using the instructions beginning here.

With the consent status reset for all your contacts, you now need to email all your contacts and ask them to reset their consent status. Your email should include a link to the {Member_Profile_Url} macro that allows contacts to view and update their member profile.

Migrating existing consent settings

If your contacts’ consent settings have already been collected and stored in an external location (e.g. a spreadsheet or external database), you can migrate them into your Wild Apricot database.

To migrate existing consent settings into your Wild Apricot database, follow these steps:

  1. Hover over the Contacts menu and select the List option.
  2. Make sure the Filter is set to All.
  3. Click the Export button.
  4. On the Export contacts dialog that appears, uncheck the Export all fields option and check only the User ID and Privacy policy fields.
  5. Click the Export button.
  6. Open the export file within a spreadsheet program and adjust the values under the Privacy policy column in accordance with your external settings.
  7. Save your changes to the spreadsheet file.
  8. Import the modified spreadsheet using the instructions beginning here.
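Step 6 of the reset and migration procedures above can be scripted instead of edited by hand. The following is an added example, not Wild Apricot code: it assumes the export was saved as CSV with the User ID and Privacy policy columns, that granted consent is written as Yes (the page only names No), and that external records are a hypothetical mapping of User ID to a recorded value. Contacts with no external record or an unrecognised value are set to No.

```python
import csv
import io

ID_COL = "User ID"              # column names as given in the export steps
CONSENT_COL = "Privacy policy"
TRUTHY = {"yes", "y", "true", "1"}  # assumed spellings in the external source

def rewrite_consent(export_csv, external=None):
    """Return (new_csv_text, unmatched_ids).

    external=None -> reset: every contact becomes "No".
    external=dict -> migrate: User ID -> recorded consent. A contact with no
                     record, or an unrecognised value, gets "No" (fail closed).
    unmatched_ids lists external IDs that are not in the export, for review.
    """
    reader = csv.DictReader(io.StringIO(export_csv))
    missing = {ID_COL, CONSENT_COL} - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"export lacks columns: {sorted(missing)}")
    records = external or {}
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames,
                            lineterminator="\n")
    writer.writeheader()
    seen = set()
    for row in reader:
        uid = (row[ID_COL] or "").strip()
        recorded = str(records.get(uid, "")).strip().lower()
        row[CONSENT_COL] = "Yes" if recorded in TRUTHY else "No"
        seen.add(uid)
        writer.writerow(row)
    return out.getvalue(), sorted(set(records) - seen)

# Constructed sample data, not taken from a real export.
SAMPLE_EXPORT = "User ID,Privacy policy\n1001,Yes\n1002,Yes\n1003,No\n"
SAMPLE_EXTERNAL = {"1001": "yes", "1002": "maybe", "1003": "TRUE", "9999": "yes"}

if __name__ == "__main__":
    reset_csv, _ = rewrite_consent(SAMPLE_EXPORT)
    print(reset_csv)
    migrated_csv, unmatched = rewrite_consent(SAMPLE_EXPORT, SAMPLE_EXTERNAL)
    print(migrated_csv)
    print("external IDs not found in export:", unmatched)
```

Review the unmatched IDs before importing: they are consent records that belong to no exported contact.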

Providing more granular consent

The GDPR encourages consent to be as “granular” as possible, meaning it should be specific to different types of data and/or different uses of data. To provide more granular consent within Wild Apricot, you can create multiple privacy policy consent fields using the instructions above and enable them separately for different Wild Apricot forms.

Responding to data requests

Under the GDPR, your contacts have the right to receive a copy of any personal data that you have collected from them. Wild Apricot stores different data in different locations, so there are multiple steps you must take to export all the personal data you have collected for a particular contact.

If you use other applications that collect and store personal data, you’ll have to export data from there as well.

Contact and membership information

To export all the contact and membership information for a particular contact, follow these steps:

  1. Hover over the Contacts menu and select the List option.
  2. Make sure the Filter is set to All.
  3. Enter the name of the contact in the Search field.
  4. Click the name of the contact within the search results.
  5. Click the Export button.
  6. On the Export contacts dialog that appears, make sure the Export all fields option is checked.
  7. Click the Export button.

Once the export file is generated, it will be automatically downloaded to your computer, and you'll receive an email with a link to the file.

Event registration information

To export all event registration information for a particular contact, follow these steps:

  1. Hover over the Contacts menu and select the List option.
  2. Make sure the Filter is set to All.
  3. Enter the name of the contact in the Search field.
  4. Click the name of the contact within the search results.
  5. Within the contact details, click the Events tab.
  6. Click the Export event registrations button towards the top of the screen.
  7. On the Export registrations dialog that appears, make sure the Export all fields option is checked.
  8. Click the Export button.

Donation information

To export all donation information for a particular contact, follow these steps:

  1. Hover over the Donations menu and select the Donations option.
  2. Make sure the Filter is set to All.
  3. Enter the name of the contact in the Search field.
  4. Click the name of the contact within the search results.
  5. Click the green Export button towards the top of the screen.
  6. On the Export donations dialog that appears, make sure the Export all fields option is checked.
  7. Click the Export button.

Erasing personal data

When a contact requests that you erase their personal data, you can comply with their request by archiving and deleting their contact record. For instructions on archiving and deleting a single contact, click here.

If you use other applications that collect and store personal data, you’ll have to delete data from there as well.