WHY DOES THIS MATTER? If your club, school or association has a website or collects general member information, you could be at risk of fines up to $30 Million. Sounds scary, we know!
WHAT SHOULD YOU DO? Even if you think your business doesn’t collect data on European citizens, you should still adopt GDPR standards.
Why? It’s about future-proofing your business.
In this blog, we’ll cover:
- Explaining GDPR
- Understanding what data your business is collecting
- Determine whether you can delete individual data records or make data anonymous
- Audit your site for Personally Identifiable Information
- Understand what information can and can’t be removed
- Don’t help fraudsters
- Practice good customer service when dealing with GDPR queries
- Get GDPR Compliant with Club Software
Governments outside Europe are not enforcing GDPR standards… yet. However, Canada and the USA may put those standards into law in the future. Also consider that even if your gymnastics club or dance studio doesn’t have any members from the European Union, you may still unknowingly have data about a European citizen right now.
If you have a website, it’s common to see visitors from the European Union throughout the year. The website visitor data you collect on those users could easily qualify as Personally Identifiable Information.
And what if a past member of your club or organization now resides in Europe? What if tomorrow they ask you to delete your records of their data?
If that happens, do you know where their data is and how to delete it? More importantly, can you delete it? Reality check: with many online registration and member management software solutions, you may not be able to.
Already using Uplifter software to manage your club, school or association? Then you’re already future-proofing your business to be GDPR compliant! Click here to learn how Uplifter ensures your membership data meets current GDPR standards.
Explaining GDPR
So what is GDPR? It stands for the European Union’s General Data Protection Regulation… a set of rules that are designed to hold businesses accountable for the handling of user data. It’s also designed to give European citizens control over which data they allow a business to collect and hold on file.
GDPR applies to web identifying information such as cookie data, location, and IP addresses. It also applies to more traditional Personally Identifiable Information (PII) such as name, address, photos, ID numbers, health and genetic data, racial or ethnic data, political opinions and sexual orientation.
Before diving into how the GDPR affects your school, club or association, take a moment to watch a quick video below that explains GDPR from the individual’s perspective.
If you already have a grasp on what GDPR is and why it came into existence, you can skip the video and keep reading below.
6 Steps to help your club or association become GDPR compliant:
1) Understand what data your business is collecting
The first step in gaining control of your club, school or association data is understanding the data you’re collecting. You need to sit down and make a list of all the programs that come into contact with your members. Then figure out what types of member data those programs are collecting.
For example: do you use Google Analytics to track visitor behavior? Below, we’ll explain what you can do if someone asks you to delete various types of Google data.
Email lists are a great way to stay in touch with your club members. However, when you keep an email list of past and prospective members, your club is storing Personally Identifiable Information (PII). It’s important to understand how you can delete this data.
Do you use third party transaction software like Square or Shopify POS? If you store transaction data, the European Union may be more lenient on some of that data. See section four for more information, below.
These are only a few ways your club or association may collect PII from your current and prospective members. It may seem tedious, but creating a list of all the ways you collect data is the only way to ensure you have your bases covered.
2) Determine whether you can delete individual data records or make data anonymous
First things first. It is illegal to combine analytics tracking data with Personally Identifiable Information from another source. The same is true for anonymous advertising profiles. You can’t combine advertising profiles with PII if you run display ads on your website.
The bad news is, there’s an easy way to mistakenly combine your analytics data with PII. We’ll cover that in section three below.
The good news is that other than the scenario outlined in section three, it’s pretty difficult to accidentally combine analytics data with PII.
GDPR Tip: Don’t try to match anonymous behavior data with personally identifiable transaction data
If you have someone that handles sales and marketing for your club, make sure they don’t cross transaction data from any online eCommerce activity with analytics data. This means you should NOT download your online transactions and try to identify what steps a specific individual took to make a purchase or convert in any other way (i.e., sign up for email lists, download case studies, etc.).
Tracking trends and anonymous goal conversions is a great way to understand how people convert on your website. However, mapping an identifiable individual’s purchase path is an invasion of privacy.
Just remember: anonymous trends are good, identifying and pursuing one person is bad.
Analytics programs such as Google Analytics specialize in revealing anonymous visitor trends. As soon as you try to link those anonymous trends with real identifiable people, you risk violating Google’s Terms of Service, which will result in Google revoking your access to their products.
Of course, now with GDPR in place, losing access to Google’s services is a slap on the wrist compared to getting hit with a multi-million dollar fine from the European Union!
3) Audit your site for Personally Identifiable Information
If your site allows people to sign-up for email lists, download case studies, or requires member logins, these elements must not expose personally identifying information in the URL.
This seems like a no-brainer, but some content management systems may enable this by default. This means your Squarespace, Wix or WordPress site may accidentally include personally identifying information in the URL when a member submits a form, for example when signing up for an email list.
If your site runs ads from the Google Display Network, there’s a very good chance Google will alert you anytime ads are shown on a page that exposes PII. This is because their display network reveals page data to third party advertisers which means if your site is exposing user PII, Google could get in trouble.
But even if you do run ads from the Google Display Network, you shouldn’t wait for someone else to tell you that you’re exposing PII.
Here’s an easy test to see if your site exposes Personally Identifiable Information
Simply log in to your Google Analytics dashboard and click Behavior > Site Content > All Pages.
Then in the search bar, type the “@” symbol and click search.
If there are any instances of URLs exposing personal email addresses, those URLs will show up on this page.
This is just a quick way to search for one type of PII being exposed on your site. A proper audit should review all site pages and forms, ensuring each type of PII is not exposed.
Get in touch with a web developer if you complete this search and find any URLs exposing a person’s email address. Fixing the issue likely won’t be difficult.
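A way to run the same check against your own web server access logs, as an added example (not from the original post and not Uplifter’s code): it scans constructed sample log lines and flags any request whose path or query string contains an email address, including the percent-encoded form (%40) that a plain “@” search in Analytics would miss.

```python
# Added example: audit access-log request URLs for leaked email addresses.
# The log lines below are constructed (fictional hosts and addresses).
import re
from urllib.parse import unquote, unquote_plus, urlsplit

# Matches a typical email address once the URL has been decoded.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Pulls the request target out of a Common Log Format line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample access log: one GET form submission leaks the address
# percent-encoded in the query, one "thank you" page leaks it in the path.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2018:12:00:01 +0000] "GET /schedule HTTP/1.1" 200 5120
203.0.113.9 - - [10/May/2018:12:00:05 +0000] "GET /subscribe?email=jane.doe%40example.com HTTP/1.1" 302 0
203.0.113.9 - - [10/May/2018:12:00:09 +0000] "GET /thanks/jane.doe@example.com HTTP/1.1" 200 1024
203.0.113.4 - - [10/May/2018:12:01:00 +0000] "POST /subscribe HTTP/1.1" 302 0
"""


def emails_in_url(target: str) -> list[str]:
    """Return the email addresses found in a request target's path or query."""
    parts = urlsplit(target)
    # Decode path and query separately so %40 (and %2B in the query) become
    # visible; the query uses unquote_plus because '+' there means a space.
    text = unquote(parts.path) + " " + unquote_plus(parts.query)
    return sorted(set(EMAIL_RE.findall(text)))


def audit_log(log_text: str) -> list[tuple[str, list[str]]]:
    """Return (request target, emails) for every request that leaks an email."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a request line we understand; skip it
        hits = emails_in_url(m.group("target"))
        if hits:
            findings.append((m.group("target"), hits))
    return findings


if __name__ == "__main__":
    for target, hits in audit_log(SAMPLE_LOG):
        print(f"PII in URL: {target} -> {', '.join(hits)}")
```

Email addresses are only one kind of PII; extend EMAIL_RE with patterns for the other fields your forms collect (member IDs, phone numbers) before treating a clean run as a full audit.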
4) Understand what information can and can’t be removed
As Peter Cooper at Ayden explains, not all Personally Identifiable Information can be deleted.
Cooper says: “in a product sales scenario, where there are statutory warranties in place, there’s a chargeback period of up to 3.5 years for some card brands. Or, if your customer has an annual subscription, which hasn’t been cancelled, you need to keep the data in order to continue billing.”
This means that oftentimes transaction data cannot be removed because it is legally required by credit card companies. If your club, school or association is offering ongoing subscriptions through a member management software like Uplifter, the PII is legally required to stay on file in order to complete transactions. GDPR is more lenient on payment and transaction data for this reason.
GDPR Tip: Be aware of PII used for Marketing
Email marketing platforms like Mailchimp make it easy to search and remove individuals from your email list.
However, if you are using something more complex that leverages anonymous identifying cookies such as Facebook or Google ads, it is best to direct the inquiring person to those platforms for answers.
That may sound like passing the buck. However, in reality, Facebook and Google are the data processors. That means they handle all of the data for their advertising products.
Much like Google Analytics, Facebook ads and Google ads both make their transaction data anonymous. So, they hold the keys to any personal identifiers and advertising profiles for users.
Let’s say someone approaches your business asking you to stop targeting them with Facebook or Google ads. In this case you don’t have the ability to look under the hood and remove the individual’s data. So, you have to point them to Facebook and Google where they can take actions to improve their privacy settings. (More advice on the best way to do this in section six, below.)
5) Don’t help fraudsters
Just because someone asks for a record of their personally identifiable information from your business, it doesn’t mean you should provide it.
When a person visits your site or becomes a member of your club, they are trusting you with their information. This means you have a responsibility to handle that information with care.
So, if John Doe asks for a record of their personally identifiable information, don’t just react in fear and scramble to get John Doe’s records. Instead, consider how you would want a business to respond if someone was asking for your information.
When someone asks for a record of personally identifiable information, you should ask to see some identification. It’s your responsibility to ensure that the person making the request is actually the person they claim to be.
Anyone making a legitimate request for their data will appreciate that you want to confirm their identity. Plus, you don’t want your club or association to be exploited by an identity thief.
You may also consider pressing for a phone call to discuss what the person is looking to have removed. If you get on the phone and discover that the person cannot recall details about your club or association, there’s a chance you’re dealing with a fraudster.
If you’re suspicious about fraud, make sure you communicate your suspicions with the correct authorities.
6) Practice good customer service when dealing with GDPR queries
Handling a person’s identifiable information is simply an extension of your business. Good customer service can make a big difference. Approach GDPR queries the same way you would approach any other business query.
Part of this process is about listening to the customer. Find out exactly what type of information they might want to have removed. If it’s something you have control over, let them know you will personally remove the data.
If the customer is asking you not to target them with advertisements on Facebook, Google or another third-party platform, don’t just tell them to “take it up with Facebook”.
Instead, remember to treat the query like an extension of your customer service. Try to provide them with the most helpful links possible.
Here are a few GDPR links for data processors that might help
For Facebook’s Data Policy which explains how Facebook (and Facebook owned companies like Instagram) use and collect their data, send them to the Facebook Data Policy page and recommend they navigate to the section entitled “How Can I Manage or Delete Information About Me?”
If prospective or current members inquire about any of Google’s services, send customers this My Account link. This resource allows them to easily adjust the privacy options to their liking.
For Twitter, send customers this updating our privacy policy link that will walk them through various screens where they can adjust their privacy options on Twitter.
Lastly, here’s an in-depth GDPR resource provided by Google that shows you exactly how your club or association can keep your data isolated, share insights or rely on Google’s data.
Get GDPR Compliant with Uplifter Association and Club Software
That’s right, if you use Uplifter’s member management software to manage your club or association, you are already future-proofing your business for GDPR compliance.
Uplifter’s club software and association software stores your organization’s data on its own dedicated cloud database. This creates an extra layer of security plus enhanced data accessibility. We never store your organization’s data in a shared, multi-client database like other club or association software providers. We also never store credit card numbers, expiry dates, or card security numbers on our servers.
If you need us to permanently delete someone’s personally identifiable information on Uplifter, we can do so at any time. Uplifter’s software won’t just archive contact details so you can retrieve them later. We properly remove a person’s information from the database, in compliance with GDPR. This point is worth repeating: “Archiving” personal data is not the same as “deleting” personal data (no matter what a software provider might tell you).
To learn more about how Uplifter helps keep clubs, schools and associations compliant with the General Data Protection Regulation, Contact Us.
Did you find this article helpful? Let us know on Twitter by connecting with @UplifterInc