Administrator Email - 5/25/2018 - NEW PRIVACY RULES
Version 8.0 - Part 1
This is Part 1 of our ClubExpress version 8.0 announcement. Click here to read Part 2 - 6/2/2018. Click here to read Part 3 - 8/1/2018.
If you use any online services, you've undoubtedly received an email from each one about changes to their privacy rules as a result of the European General Data Protection Regulations (GDPR).
This is a similar announcement but it's also much more, because your club or association also needs to accommodate GDPR. And unless you have access to lawyers and experts who fully understand the new regulations (and they are very complex) that's a daunting task.
But never fear! ClubExpress is making the changes you need to be protected under GDPR. This admin email will explain what you need to know. It also includes a suggested emailing that explains to members and, optionally, to non-members how your club or association is handling these new Privacy regulations.
that apply to all ClubExpress websites and to the data we maintain as well. Click the links to download and view each document.
collect, store, and process member and non-member personal data, to retain their trust and to respect their privacy and rights under international regulations.
Click the links on the left to read all about these changes.
We have scheduled a webinar for next Wednesday, May 30th to explain this all in more detail. For more information, visit our Webinars page. And click here to RSVP for this webinar. Note that attendance is limited to the first 200 people; if you're late, you may not be able to connect. However, the webinar will be recorded and the edited recording will be available within 48 hours.
This is the first of three emails detailing changes to ClubExpress as part of Version 8.0, our biggest release ever! Look for another email in about two weeks with more enhancements, and then a final one towards the end of June with the final set of enhancements.
What is GDPR
The General Data Protection Regulation (GDPR) was enacted by the European Union (EU) last year, with an effective date of May 25, 2018. These regulations were enacted to protect the privacy and data of EU citizens and apply to any organization or individual who collects, stores, and processes data, whether it be online or offline, in electronic or hard-copy format. They are by far the strictest privacy laws anywhere in the world.
These laws apply to ClubExpress but they also apply to every club and association running on our platform.
This is not negotiable or debatable; we all have to follow the GDPR regulations for the collection, storage, and processing of the personal data of members and non-members or we risk significant liability at both the organization and personal levels.
GDPR requires the following:
- EU users must consent to have their data stored outside the EU.
- They must consent to the collection and processing of this data.
- They must consent to receiving communications of different types from the organization.
- They must consent to the sharing of their data with third parties, with distinctions made between sharing to fulfill the official purposes of the organization and sharing for marketing or commercial purposes.
- They have the right to update their privacy settings and preferences at any time.
- They have the right to review and correct this data at any time.
- They have the right to be "forgotten"--for their information to be deleted completely. Note that this right is subject to the organization's legitimate business interests to retain data (for example, to maintain accurate financial records.)
- They have the right to protest the "processing" of their data and to file a complaint with a local Data Processing Authority.
- Any organization that collects, stores, and processes data must appoint a Data Protection Officer. For ClubExpress, that's Dan Ehrmann.
GDPR defines two important roles:
- The "Data Controller" controls the data. They have the responsibility to protect this data, to manage how the data is collected, stored, and processed, and to respond to user and official requests. Your club or association is the Data Controller.
- The "Data Processor" handles the data on behalf of the Data Controller. They are hired to collect, store, and process the data. For your club or association, ClubExpress is the Data Processor.
Following these regulations will be difficult for even larger organizations with plenty of resources. For smaller clubs and associations, especially those run by volunteers, it could be nearly impossible. So as part of helping you to run your organizations, so that you can focus on strengthening and growing them, ClubExpress has implemented a number of changes to make it easier for you to comply with these requirements.
But also keep in mind that GDPR is as much an education process as a regulatory one. It is important for all club and association officers, staff members, and volunteers, to understand how to protect the privacy of member and non-member data, how to respond to privacy-related requests, and how to follow best practices in data management, especially when data is exported from your ClubExpress website. We have tried to make this as easy as possible for you, but ultimately each club or association is responsible as the Data Controller for compliance with these regulations.
New Privacy Options
On the Control Panel - People tab - Setup section, you will find a new Privacy Options screen, with three options:
- Does your club or association share or sell member and/or non-member data with third parties for marketing or fund-raising purposes? If you do so, this will add a question to the user options screen (described on the next panel), to give users the right to opt out of such communications. Note that this is different from sharing member and/or non-member data with third parties for the official business of the club or association. Here are two examples:
- If you hire a firm to help manage a large event, you will need to share attendee data with them so that they can perform their official duties, such as preparing name badges and handling special dietary requests at meals. This is sharing for "official business" purposes.
- If you share attendee data with sponsors or exhibitors at this large event, this is sharing for marketing or fund-raising purposes, and attendees must have the right to opt out of these lists.
We expect that the answer to this question will be "No" for the vast majority of our customers. And this will simplify things for members and non-members as well.
- You must appoint a Data Protection Officer. ClubExpress has defined this as an official title, alongside the President, Member Director, Treasurer, and Webmaster. This person is tasked with receiving and handling privacy-related requests.
- You must tell us how to handle secondary and tertiary members when a primary member asks to be "forgotten". We can forget all linked members (such as in a club where families join together as part of their personal lives); or we can forget the primary only and just unlink the linked members (such as in an association where people join through their business or professional lives.)
This screen should be completed as soon as possible. ClubExpress does not currently force you to complete it but we are monitoring its status for each customer. If we find that many clubs and associations have not completed it within 30-45 days, we may modify the system to force its completion by the first admin who logs in, for the protection of the whole organization.
New Settings for Members and Non-Members
At the end of May, we will modify the system so that members, when they first log in, will be presented with a new panel that must be completed before they can proceed. This panel is required so that both you and ClubExpress have permission to collect, store, and process member data. It will also be shown once to non-members when they register for an event, make a donation, or do anything else that requires the collection of their personal information. It will have the following options:
- Users will be required to click an "I Agree" box to certify the following:
- That they consent to the storage and processing of their data in the US, by ClubExpress, on behalf of your club or association.
- That they consent to receiving transactional messages sent by ClubExpress on behalf of your club or association.
- That they consent to the sharing of their personal information with third parties to conduct the official business of the club or association.
If they do not agree, they will not be allowed to log in.
- They will also tell us whether they will accept general purpose communications concerning club or association business, such as newsletters and event notices. This question is required, but they have the option to accept or decline such communications. This question replaces a check box that used to appear on the Contact Info page. When you send blast emails from within your ClubExpress website, the system will respect this setting.
- On the Privacy Options screen, if you answered in the affirmative that your club or association may share personal data with third parties for marketing or fund-raising purposes, users will see a third question giving them the option to allow or decline such sharing. Otherwise, this question does not appear.
In this Admin communication, we have included a letter that we suggest emailing to all members of your club or association, to let them know to expect this dialog once it's enabled.
Your ClubExpress website includes hundreds of reports and data exports. We cannot know in advance whether you are running a report for internal reasons or for sharing with a third party for marketing or fund-raising reasons. We will be modifying many of these reports and exports to include the above flag and it is your responsibility to filter out members who choose not to be included in this kind of sharing.
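The paragraph above leaves the filtering to you: an export carries the consent flags, and whoever sends the data on must drop anyone who declined. Below is an added example (not ClubExpress code) of how that filter looks in practice. The CSV is constructed for the example, and the column names `general_communications` and `share_for_marketing` are assumptions, not the real export schema; the three purposes mirror the three consent questions on the new panel.

```python
import csv
import io

# Constructed sample export. The two flag column names are assumptions for this
# example; the columns in a real ClubExpress export may be named differently.
SAMPLE_EXPORT = """member_id,name,email,general_communications,share_for_marketing
1001,Alice Example,alice@example.com,Yes,Yes
1002,Bob Example,bob@example.com,Yes,No
1003,Carol Example,carol@example.com,No,Yes
1004,Dan Example,dan@example.com,No,
"""

PURPOSES = {"transactional", "general", "marketing"}


def parse_export(csv_text):
    """Parse a CSV export into a list of row dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def consented(value):
    """Only an explicit 'Yes' counts as consent; blank or anything else is a decline."""
    return (value or "").strip().lower() == "yes"


def recipients_for(rows, purpose, club_shares_for_marketing=False):
    """Return the email addresses that may be used for the given purpose.

    transactional: covered by the mandatory 'I Agree' panel, so every row qualifies.
    general:       newsletters and event notices; needs the general_communications flag.
    marketing:     sharing with sponsors/exhibitors; valid only if the club declared on
                   the Privacy Options screen that it shares for marketing AND the member
                   opted in. If the club did not declare it, nobody may be shared.
    """
    if purpose not in PURPOSES:
        raise ValueError(f"unknown purpose: {purpose}")
    if purpose == "transactional":
        return [r["email"] for r in rows]
    if purpose == "general":
        return [r["email"] for r in rows if consented(r["general_communications"])]
    if not club_shares_for_marketing:
        return []
    return [r["email"] for r in rows if consented(r["share_for_marketing"])]


def excluded_for(rows, purpose, club_shares_for_marketing=False):
    """Audit helper: (member_id, purpose) for every member left out of the list."""
    allowed = set(recipients_for(rows, purpose, club_shares_for_marketing))
    return [(r["member_id"], purpose) for r in rows if r["email"] not in allowed]


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    for purpose in sorted(PURPOSES):
        print(purpose, recipients_for(rows, purpose, club_shares_for_marketing=True))
```

Two choices worth noting: a blank flag is treated as a decline rather than a consent, and the marketing list is empty unless the club itself has declared that it shares for marketing, so a report run by the wrong person cannot quietly produce a sponsor list.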
The Right to be Forgotten
GDPR defines an important new right: the right to be forgotten or deleted from all club or association records. This right applies to all members and non-members and it must be taken seriously. But there are limits if the organization has a legitimate business reason for needing to retain this data.
In the context of your ClubExpress website and database, this is a very complex proposition. In addition to someone's basic contact information, they may also be listed in dozens of other modules, including committees, interest groups, chapter assignments, event registrations, donations, volunteering, forum messages, storefront purchases, and even within custom modules built for one club or association, such as continuing education and certification records. There will also be transaction and payment records for anyone who has ever paid money through the website.
Delete requests must be responded to within 30 days, and if approved, must be honored within 90 days. We are still building this functionality so we have some time. In the interim, requests will be handled manually. Here at ClubExpress, we have created a dedicated email address, email@example.com. We suggest you do something similar for your organization.
When this functionality is fully enabled, members will see an option to Cancel their Membership. When they select this button or link, they will see two options:
- Cancel me only, which will change their status to Expired.
- Delete me completely, which will add them to a Delete Request list.
They will receive a confirmation email and your Data Protection Officer (DPO) will also be notified by email. A new screen will list all the Delete requests. The DPO will have 30 days to approve or decline the request. If it's declined, a reason must be specified. If it's approved, the system will then flag that member's information to be deleted from the database.
Data such as financial records cannot be deleted completely because that would compromise information in which your club or association has a legitimate business interest. So this information will be "anonymized". For example, we will change a member's name to "Name Removed". We will delete information such as interest group memberships that are not critical to retain. We will anonymize forum posts but we cannot delete forum messages without potentially destroying the integrity of threads that many people may have contributed to. We will retain event registrations as well as transactions and payments but these will also be anonymized.
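The two paragraphs above describe a workflow (cancel vs. delete, DPO decision within 30 days, completion within 90) and a per-module retention rule (anonymize what the club has a legitimate interest in keeping, delete the rest). The following is an added example of that logic, not ClubExpress's own implementation: the module names, the `RETENTION` table, the `Member` and `DeleteRequest` types and the sample members are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Retention rule per module, following the categories described in the text.
# Module names are assumptions for this example, not ClubExpress's schema.
#   anonymize: keep the row, strip identity (financial history, event attendance,
#              forum thread integrity)
#   delete:    not critical to retain
RETENTION = {
    "payments": "anonymize",
    "event_registrations": "anonymize",
    "forum_posts": "anonymize",
    "interest_groups": "delete",
    "committees": "delete",
}
ANON_NAME = "Name Removed"
RESPONSE_WINDOW = timedelta(days=30)    # DPO must approve or decline within 30 days
COMPLETION_WINDOW = timedelta(days=90)  # approved deletions honored within 90 days


@dataclass
class Member:
    member_id: int
    name: str
    email: str
    status: str = "Active"
    linked: list = field(default_factory=list)  # secondary/tertiary member ids


@dataclass
class DeleteRequest:
    member_id: int
    submitted: date
    decision: str = "pending"  # pending | approved | declined
    reason: str = ""

    def response_due(self):
        return self.submitted + RESPONSE_WINDOW

    def completion_due(self):
        return self.submitted + COMPLETION_WINDOW


def cancel_membership(members, requests, member_id, delete_completely, today):
    """Member-facing choice: 'Cancel me only' -> Expired; 'Delete me completely' -> request."""
    if not delete_completely:
        members[member_id].status = "Expired"
        return None
    req = DeleteRequest(member_id=member_id, submitted=today)
    requests.append(req)
    return req


def decide(request, approve, today, reason=""):
    """DPO decision: a decline must carry a reason; late decisions are rejected."""
    if today > request.response_due():
        raise ValueError("30-day response window exceeded")
    if not approve and not reason.strip():
        raise ValueError("a declined request must state a reason")
    request.decision = "approved" if approve else "declined"
    request.reason = reason


def forget(members, records, member_id, forget_linked):
    """Apply RETENTION to every module for the member (and optionally linked members).

    records maps module name -> list of row dicts with 'member_id' and 'name'.
    Returns the set of member ids that were forgotten.
    """
    primary = members[member_id]
    ids = {member_id}
    if forget_linked:
        ids |= set(primary.linked)           # club-style: the whole family is forgotten
    else:
        primary.linked = []                  # association-style: linked members are dropped
    for module, rows in records.items():
        # A module missing from RETENTION is anonymized, never silently deleted.
        if RETENTION.get(module, "anonymize") == "delete":
            records[module] = [r for r in rows if r["member_id"] not in ids]
        else:
            for r in rows:
                if r["member_id"] in ids:
                    r["name"] = ANON_NAME    # row survives for financial/thread integrity
                    r["member_id"] = None
    for mid in ids:
        members[mid].name = ANON_NAME
        members[mid].email = ""
        members[mid].status = "Deleted"
    return ids


def run_sample(forget_linked=True):
    """Constructed scenario: primary member 1 (linked member 2) asks to be deleted."""
    members = {
        1: Member(1, "Alice Example", "alice@example.com", linked=[2]),
        2: Member(2, "Avery Example", "avery@example.com"),
        3: Member(3, "Bob Example", "bob@example.com"),
    }
    records = {
        "payments": [{"member_id": 1, "name": "Alice Example", "amount": 50.0},
                     {"member_id": 3, "name": "Bob Example", "amount": 50.0}],
        "forum_posts": [{"member_id": 2, "name": "Avery Example", "text": "See you there"}],
        "interest_groups": [{"member_id": 1, "name": "Alice Example", "group": "Hiking"},
                            {"member_id": 3, "name": "Bob Example", "group": "Hiking"}],
    }
    requests = []
    today = date(2018, 6, 1)
    req = cancel_membership(members, requests, 1, True, today)
    decide(req, approve=True, today=today + timedelta(days=10))
    forgotten = forget(members, records, 1, forget_linked)
    return members, records, req, forgotten
```

Running `run_sample()` leaves the payment and forum rows in place with the name replaced, removes the interest-group row, and marks both the primary and the linked member as deleted; `run_sample(forget_linked=False)` forgets only the primary and unlinks the secondary. Unknown modules default to anonymize rather than delete so that a new module added later cannot lose records the club was obliged to keep.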
In addition to notifying members, you might also consider emailing non-members who participate in club or association activities. They will also see the Privacy panel described above when they first do anything on your website that requires personal information to be entered.
Note that Delete requests also apply to data that is stored outside of ClubExpress. For example, if you have used the built-in exports or reports to make local copies of your data for backup or analysis purposes, a Delete request also applies to these files. That's why it's important to educate your administrators, officers, and staff, about how to properly handle and protect user data.
Notifying your Members
Here is some suggested wording for an email to explain to members (and, optionally, to non-members) how your club or association is handling these new Privacy regulations:
If you use any online services, you've undoubtedly received an email from each one about changes to their privacy rules as a result of the European General Data Protection Regulations (GDPR). These regulations will also apply to [INSERT CLUB NAME HERE]. We have been working closely with ClubExpress, our association management software vendor, to comply with these new regulations.
At the end of this month, when you log in to our website, you will be redirected to a new screen where you will be required to answer a couple of questions.
In compliance with the GDPR, we have appointed a Data Protection Officer ("DPO") to handle any questions or concerns you might have about the privacy of your personal data. That person's name and contact information can be found on our Contact Us page.
- You will be required to click an "I Agree" box to certify the following:
- That you consent to the storage and processing of your personal data in the US, by ClubExpress, on our behalf.
- That you consent to receiving transactional messages sent by ClubExpress on our behalf, such as a renewal notice or a payment confirmation.
- That you consent to the sharing of your personal data with third parties to conduct the official business of the organization, such as processing a credit card payment.
- You will also be asked whether you will accept general purpose communications concerning club or association business, such as newsletters and event notices. This question is required, but you have the option to accept or decline such communications.
- [REMOVE THIS BULLET IF YOU DON'T DO THIS]--You will also be asked if you want to allow or decline the sharing of personal data with third parties for marketing or fund-raising purposes. This question is required but you have the option to be excluded from such lists.
Another provision of the GDPR is the "right to be forgotten", i.e. to have your information completely removed from our databases. We are implementing an automated process to handle these requests. Until it's fully built, they should be submitted to the DPO.
Thank you for continuing to support us as we implement these important changes to protect your privacy.
[INSERT NAME OF DPO, PRESIDENT, EXECUTIVE DIRECTOR OR MEMBER DIRECTOR]
The following bugs were fixed in the past 3 months: