It’s been more than three months since the European Union’s General Data Protection Regulation went into effect. So, what’s changed so far for associations? Here are three ways GDPR is reshaping organizations and the member experience.
Believe it or not, it’s been more than three months since the European Union’s General Data Protection Regulation took effect on May 25.
While GDPR’s enforcement date is behind us, the work to safeguard members’ data continues, says Tom Foley, vice president of membership and customer development at the Institute of Food Technologists. He’s been busy all summer making changes that protect member data, and that work is happening whether IFT members notice it or not.
“If anything, there hasn’t been a big shift externally that our members might have noticed, but internally, I think we now have a better handle on our data,” Foley says. “This wasn’t a one-time exercise for May 2018. We’re continuing to have meetings with our team and look at different components to strengthen policies and procedures to stay compliant with GDPR.”
Here are three ways GDPR transformed operations at IFT—and how some of your members may have noticed that the regulation took effect:
Email notices and pop-up notifications. From the member and customer perspective, probably the most visible sign that GDPR had arrived was the flood of emails detailing new or updated terms of service and privacy policies. Since then, many websites have added consent notices describing the information an organization collects online through cookies or web beacons.
At a user-experience level, these emails and pop-up notices can be annoying, but they are a fixture of the post-GDPR web. There are ways to minimize the distraction, however. IFT took GDPR as an opportunity to completely redo its online privacy policies, which are linked from the footer of every webpage. “Specifically, it addressed GDPR regulations, including a section on information collected online, like cookies,” Foley says. “We certainly made our privacy policies much more robust, and it helped us to avoid using pop-up reminder boxes.”
Vendor and contractor changes. Before May 25, IFT had to redo its agreements with third-party services and contractors that process member data on the organization’s behalf (the “processors,” in GDPR’s terms, for which Article 28 requires a written data-processing contract). A data mapping exercise, which tracked where member data was coming from and where it was going, helped Foley and his team identify the places where IFT was not yet in compliance.
“That helped us implement new data-processing agreements with a number of existing vendors,” Foley says. But not all vendors were able or willing to adapt. “We ran into a hiccup with a vendor that we were exploring a relationship with. They wouldn’t sign our data-processing agreement, and we decided not to work with them.”
From the member’s point of view, if an association has to end a relationship with a vendor over a GDPR-related issue, the member might notice a service disruption or a change in a product offering. To minimize such an impact, Foley encourages other associations to undertake a data mapping exercise to understand which data processors might need an updated agreement.
Data retrieval and requests. Finally, the most significant shift since GDPR might be how your association handles and responds to requests from data subjects about their personal data. Remember that individuals in the EU have the right to access their personal data, the right to rectify incomplete or inaccurate data, the right to erasure (the “right to be forgotten”), and the right to restrict the processing of their data altogether. These requests also come with a clock: GDPR generally requires a response without undue delay and within one month, extendable by up to two further months for complex or numerous requests.
At IFT, GDPR compliance meant an upgrade to its association management system so that members could sign in and ask for their data to be removed. “In our case, we haven’t had anyone request that yet,” Foley says. “But that functionality is now in place, and the good news is that our members don’t feel that we’re abusing their data.”
At the same time, IFT is considering the role of a data protection officer. Under GDPR’s Article 37, a DPO is mandatory for public authorities and for any organization whose “core activities” involve “regular and systematic monitoring of data subjects on a large scale” or large-scale processing of special categories of data. The DPO must report directly to the highest level of management and must be able to act independently in the interest of data subjects, and the DPO serves as the organization’s contact point for the supervisory authority, including when something serious, like a data breach, has to be reported.
Right now, many associations are unsure whether they fall under the DPO requirement at all. “We’re all still learning. There are some unanswered questions,” Foley says. “I’ve heard from some folks that a data protection officer is needed, and I’ve heard from others that it may not be. There are still things that need to be fleshed out in terms of clear answers. And that’s something that for many organizations will evolve over time.”
What have been some of the most significant changes that you or your members have noticed since GDPR took effect? How have you worked through these issues? Post your comments below.