As your membership software platform, we process your members’ data according to your instructions, where your instructions include the actions you take (for example, when you click “Email” to email your members), as well as the various settings you’ve selected in the software. In legal terms, we function as your Data Processor, and you are the Data Controller.
With the General Data Protection Regulation (GDPR) and many other data privacy and security laws going into effect all over the world, organizations are now held responsible for protecting their members’ data and privacy. So it is important to understand how the different actions and settings within our software affect the privacy and security of your members’ data.
For example, when you publish a members directory on a public web page, you are exposing the information in each member’s profile to the public. If you download your members’ data into a CSV file and store that file where anyone can download it, then you are also exposing your members’ information to the public.
In this post, we look at how different features in MembershipWorks affect what data is public and what data is private, best practices to adopt, and also what practices to avoid.
A directory profile is the most obvious way your members’ data is exposed to the public. If you do not want members (or members of specific membership levels) listed in a directory, make sure that the setting “allow these members to be listed in directory” is unchecked in each membership level’s settings under Labels & Membership, so that their data is not accidentally exposed.
If you do publish a members directory, you will want to ensure that your members consent to be listed. Typically you would have mentioned this as a benefit of membership on your website, but we recommend revisiting your website to ensure there is no possible ambiguity that they are giving consent. We also recommend adding the privacy fields to allow your members to opt out of being listed altogether, or to opt out of having certain personal information listed.
MembershipWorks offers a number of privacy fields:
- Do not list in directory
- Do not show street address
- Do not show phone number
- Do not show mobile number
- Do not show contact name
- Do not allow messaging
If the “Do not list in directory” field is enabled, then the member’s data is not exposed in the directory at all. The other settings allow members to opt out of having certain information listed – the street address of the “Address” field, the “Phone” field, the “Mobile” field, and the “Contact Name” field.
Do note that these apply to the standard account Address, Phone, Mobile and Contact Name fields, and do not apply to any custom fields even if you label them as “Phone” or “Address”.
The last privacy field allows your members to opt out of allowing others to send an email message to them from the directory.
Protecting Email Addresses
Spammers are constantly looking to add to their spam email lists, and if you display your members’ email addresses in your members directory, those addresses can be easily harvested by spammers. You should be aware that there are a number of different laws that may prohibit you from publishing email addresses without direct individual consent from each member – such as the CAN-SPAM Act (USA), CASL (Canada), and more.
By default, MembershipWorks does not display any email addresses in a directory. Instead we provide a messaging feature that allows users to send an email to your member through the directory, in a way that protects the email address of the member as much as possible.
Messaging From Directory
The “Contact Information” box in the directory allows users to send an email message to your members without exposing the email address of your member first. When a user clicks on “Send A Message”, before the email is sent to the member, our system checks that the email address of the sender is valid by sending them a verification email. Then our system passes the email through an automated spam checker. If the email address is valid and passes the spam checker, then our system will send the email message on to your member.
To further protect your members from spam, we limit the number of messages a user can send per day, and we also include a report spam link in the email we deliver to allow your members to report spam messages, which allows us to block those users in the future.
Do note that even with protections in place, no one can guarantee complete protection from spam – it is still possible for a spammer to use a disposable Gmail or Yahoo email address, and send a message that would not be caught by the automated spam filter. But so long as the member does not reply to the message (note that this includes automated replies), the sender will never know their email address. If your members do encounter spam, encourage them to click on the “Report Spam” link so we can blacklist those senders. Remember that your members can also opt out of messaging from the directory by enabling the “Do not allow messaging” privacy field, provided that you add that field to the membership form templates.
Fields in Directory Profile & Directory List
With our Directory Profile and Directory List customization options you can display any field, including custom fields, in the HTML content of the directory profile or the directory cards.
If you created custom fields that will be displayed in the member’s directory profile or directory cards, it should be clear to the member that they are consenting to having the data displayed. Be aware of the responsibility and liability if you obtain and publish any sensitive information such as health records, social security numbers, etc. Consult with a legal representative if you have any concerns about the data you are collecting and publishing.
Members Only Directory
To limit access to your members directory to certain users only, you can enable the visibility setting “show only if user viewing page has any of these folders/labels” for every tab of the Directory Profile template under Customization. Note that this is the third visibility setting that deals with what folders/labels the user viewing the page has to have, not to be confused with the first setting which deals with the folders/labels for the account that is being displayed.
If every tab of the directory profile is restricted to certain users, then the entire directory becomes restricted and your members directory data cannot be accessed by the public or bots.
If you are using WordPress, be aware that using the