Compliance Considerations: When Big Decisions Affect a Key Regulation, How Should You React?

A recent regulatory ruling around GDPR poses an important question for association pros: How should they react when big compliance changes affect regulations they strive to follow?

Since being put into effect nearly four years ago, the General Data Protection Regulation has dominated discussions of privacy policy in many organizations.

But given that guidance on enacting GDPR in the European Union was somewhat vague, regulatory parsing of the framework will continue to affect future GDPR implementations. A recent regulatory decision out of Belgium may be the most prominent interpretation thus far.

Earlier this month, Belgium’s data protection authority ruled [PDF] that IAB Europe’s Transparency and Consent Framework (TCF)—an approach to managing consumer data by advertisers that rely on the industry’s OpenRTB, or real-time bidding, ecosystem—failed to comply with a number of GDPR provisions. The decision will probably cause major changes in how websites with advertising manage consumer data. (IAB Europe, which faces a €250,000 fine and a 60-day mandate to update its data-collection practices, is appealing the decision.)

What does this mean for associations in general? In an analysis of the ruling, Dorothy Deng, a partner at Whiteford Taylor Preston, LLP, said that the current decision may not cause significant changes to interpretation of GDPR—but rather reinforces the underlying considerations of the GDPR. In other words, it’s an example of what not to do, in the eyes of European regulators.

“It doesn’t change the best principle,” she said. “It’s actually illustrating what it means and what is the demonstration for failure. But really, the principle remains the same—that you should be transparent.”

From the perspective of the data protection authority, TCF failed in regard to legitimate interests. In particular, the framework fell short with the balancing test, a measure of whether the interests of the parties asking for data access are overridden by the rights of the end users.

“The OpenRTB ecosystem is so extensive that it is impossible for data subjects to give an informed consent to the processing of their personal data, or to object in an informed manner to the processing of their personal data on the basis of a legitimate interest,” the ruling stated.

Additionally, the Belgian authority found that the consent approach was not transparent enough for consumers.

Analyze Your Data

Rulings like these raise a question for associations: If a ruling or regulatory decision does necessitate compliance changes, how should the organization handle them?

In her commentary, Deng suggested that the most important takeaway regarding regulatory decisions is that organizations need a strong process to help them better understand how they collect personal data, how that data flows inside the organization, and how it’s shared with external partners. With a clear process, there’s less risk of confusion—positioning organizations to be able to shift as regulatory decisions evolve.

“I think it’s important that organizing associations actually do an analysis and actually document the analysis to show that these are issues that are thought through, and not just copy-and-paste the privacy policy on the website and not even look at it,” she said.

For organizations that haven’t done the work on this compliance regulation, Deng said that it’s important to not oversell your level of compliance.

“The most dangerous thing, in my view, is to tell people that ‘I am GDPR compliant,’ when you’re not, and you have done zero exercise or analysis,” she said.

Understand Your Risk

While Deng noted that GDPR may not directly apply to many associations, it is nonetheless an important goal to strive for as privacy issues become more prominent.

She added that in general, data privacy rules in the U.S. market tend to be more relaxed, and are based on an opt-out mechanism for consent, rather than opt-in. Even the more recent California Consumer Privacy Act, while applying to businesses that serve the state, does not generally apply to many nonprofit organizations such as associations.

“If you are a U.S.-based association, you aspire to follow the GDPR,” she said. “But that’s not your legal obligation. So let’s kind of breathe, because you’re not subject to these high sanctions and high requirements.”

Ultimately, it comes down to understanding the importance of being transparent about what you do—and taking care not to overpromise.

“I think the basic thing is: Say what you do and do what you say, especially for a public-outward posted privacy policy,” Deng said. “If you’re not doing what you’re telling people you’re doing, you better not say it. It’s better to not say it and say something that’s directly violating what you actually do.”



By Ernie Smith

Ernie Smith is a former senior editor for Associations Now.
