Official enforcement of the European Union’s General Data Protection Regulation, imposing new requirements for how organizations process and maintain personal data, is less than three months away. At a recent event for association professionals, experts pinpointed four key member data issues to address now.
These days, when I ask association leaders what’s keeping them up at night, I often hear the same answer: GDPR.
By now, you probably know that GDPR is shorthand for the General Data Protection Regulation, a set of rules governing data management adopted by the European Commission in 2016 with a two-year grace period. That clock is winding down fast: GDPR enforcement begins on May 25, and it’s bound to shake up businesses both big and small. That includes associations that process and control a lot of member and customer data. Although the regulation protects the personal data of EU residents specifically, the implications for your organization are many [ASAE member log-in required].
GDPR represents a major shift in data management and affects who has the right to access, control, and manage personal data. It significantly enhances the rights of data subjects. Under the new regulations, EU residents have the right to access their personal data, the right to rectify incomplete or inaccurate data, the right to be forgotten, and the right to restrict the processing of their data. And this is a regulation with teeth—fines for violations are substantial.
“I tend to call GDPR ‘getting your data protection ready’ or ‘getting data protection right,’” says Carol Tullo, associate consultant at the UK-based consulting firm the Trust Bridge. “In this world of information and trade without boundaries, many [organizations] will be capturing data. … That data is personal information, and the standard that GDPR is setting is to ensure that the individual and their data footprint is being treated with respect.”
Tullo was speaking at an ASAE program last week exploring GDPR’s implications for associations. She was joined by three other experts: her colleague David Clarke, chief technology officer at the Trust Bridge; Keith Moulsdale, a partner at Whiteford, Taylor & Preston, LLP; and Terrance Barkan, CAE, CEO of Globalstrat.
In the two-hour conversation with more than 150 association professionals, four key takeaways emerged:
1. GDPR is not just an IT problem. At the start of the session, Barkan asked attendees to raise their hand if their job was related to IT functions. More than two-thirds of attendees put a hand up—not necessarily a good thing, he said. In a post on ASAE’s Collaborate online community [ASAE member log-in required] after the event, he reiterated his concern:
“One of the many things that jumped out to me during the meeting was that apparently many associations have determined that GDPR is an ‘IT problem,’ based on a show of hands,” he wrote. “The liability for compliance attaches not only to senior staff but also to the board of directors, and therefore this is a critical issue of organizational risk management.”
Both Barkan and Tullo noted that many organizations are not thinking of GDPR as part of their risk management strategy. In the future, good business and governance will require sound data management policies that ensure clean data hygiene. Associations will need buy-in from executive and volunteer leaders to guide this effort.
2. It’s time to talk to staff, volunteers, and vendors. Whether you’re a membership director, marketing manager, or communications coordinator, you need to be well versed in GDPR terminology. Educating staff, volunteers, and vendors is an essential part of reaching compliance, Tullo said. That’s especially true of associations with many different stakeholders.
“Think about how data gets into your organization and how data leaks out of your organization,” Barkan said. “Chapters are a particular sore point.”
He emphasized the importance of upfront conversations, including with your vendors, to ask: Who collects data? What is being collected? How is it being processed? And is it necessary to business functions?
3. Compliance starts with risk assessment and data mapping. Let’s say you understand the basics of GDPR, but you’re not sure how to get started with your compliance efforts. Moulsdale recommended that organizations begin by analyzing their risk level and drawing a big picture showing where data resides. (The Trust Bridge outlines what such a data-mapping exercise might look like in practice.)
Why does data mapping matter? Because it’s proof, should you need it, that you’re taking GDPR seriously. And it could lead to necessary corrective action in one of three buckets, Moulsdale said:
- legal action, such as a change to privacy policies for members
- technology action, such as establishing an opt-in form to record how and when a member’s consent was obtained for personal data
- management action, such as a staff training on managing or maintaining member data
4. Updated privacy policies will build trust with your members. Finally, in the lead-up to GDPR, many organizations are taking a moment to revisit their privacy policies and the language used in consent statements. If it’s been a while since you’ve evaluated your privacy or consent forms, take time to do it before GDPR goes into effect. “Show and say that you’re taking their information in a respectful way,” Tullo said.
Ultimately, there are lots of reasons to implement good data management practices, beyond GDPR compliance. Becoming a good data steward reaffirms that your members can trust you, and that’s a valuable benefit.