Beyond GDPR: Where Data Privacy Compliance Goes Next
A 2018 dominated, in IT departments, by constant talk of GDPR compliance helped start an important and lasting conversation about protecting the privacy of members’ data, panelists at the ASAE Technology Conference & Expo said last week.
The town hall at last week’s ASAE Technology Conference & Expo was referred to onstage as a “broccoli” session—a panel discussion that didn’t have the fun of a session on augmented reality or blockchain, but one that was probably more important.
After a year in which the European Union’s General Data Protection Regulation seemed like the most important compliance issue ever to hit the world of data privacy, broccoli was probably what the audience at the Gaylord National Resort & Convention Center in National Harbor, Maryland, needed last Wednesday.
Perhaps it was, but the session, moderated by DelCor CIO David DeLorenzo, CAE, was a reminder that compliance requirements around data collection are a permanent part of the tech leadership job, and that there is always something new around the corner. ASAE Chief Information and Engagement Officer Reggie Henry, CAE, reminded the audience of precedents such as the Payment Card Industry Data Security Standard (PCI DSS), which arrived more than a decade ago and brought similar compliance headaches that still surface from time to time.
On the other hand, Henry explained, GDPR was useful because it encouraged ASAE and other associations to think more carefully about how they handle member data—a mindset that might not have been there when their technical infrastructure, such as their association management system (AMS), first got off the ground.
“When we put our systems in place—our AMS systems and other systems, we first started to do it 20 or 30 years ago—privacy wasn’t an issue,” Henry said. “Security might have been an issue, but data privacy wasn’t an issue.”
This picture is further complicated by the organizational changes that have occurred since those systems were introduced. Brian Willard, a senior business intelligence analyst for the American Library Association, said that his organization is structured as a series of separate businesses under one central leadership, each with its own data and systems.
Another complicating factor: much of the technology associations use today is run by vendors. As Louis Maiuri of RedZone Technologies noted, even when a vendor manages the data day to day, GDPR keeps much of the responsibility with the association itself, as the party that decides why and how member data is collected and shared. That, he argued, can be a good thing.
“The real silver lining and upside to the CIO owning and having the responsibility of being able to choose, control, and own the process of how your data is shared with a third party … it’s something that should be looked at with conviction and resolve as a CIO and an IT team, and even across the C-level suite,” Maiuri said.
ALA’s Willard said associations should demand more of their vendors on compliance, and cited cases where poorly designed permission models in vendor tools left dozens of staff needing full admin rights just to do their jobs, far more access than their roles required. He encouraged vendors to fix that.
“Most of us are going out and buying a package. So we need to actually make it a priority and push vendors to make sure that they are making security one of the core parts of their development,” Willard said.
The panelists—particularly Henry and Willard—agreed that GDPR had forced a new seriousness in associations about how they manage member data. “We’re protecting our members’ livelihoods, and our members’ data. I mean, that’s the real issue,” Henry said.
Willard added that ALA had limited exposure to GDPR because of its small European presence, but it still used the regulation as a general template for its ongoing data privacy efforts.
GDPR’s full, long-term effects are still unclear: individual EU member states and their regulators may apply the regulation in different ways, which could add layers of complexity to compliance. But Henry stressed that the push for stronger data protection will not remain a strictly European phenomenon. California has already passed its own data privacy law, the California Consumer Privacy Act, which may build momentum for a federal law in the coming year.
“We have U.S. GDPR coming to a theater near you really soon,” Henry said.