Like many organizations in spring 2018, the Regulatory Affairs Professionals Society was preparing to comply with the EU’s General Data Protection Regulation that went into effect on May 25.

As an international organization, RAPS needed to comply with GPDR because it governs the collection, use, transmission, and security of data collected from residents across 31 countries.

Wendy Sahli, IT director at RAPS, didn’t find the process to be as intimidating as she initially expected. She found that undergoing GDPR compliance has helped the organizations gain a better understanding of privacy risk, improve data governance, and gain clarity over the data they control.

“We’re more careful with our data and members have noticed,” she said. “Overall, users seem to have accepted the opt-in steps due to GDPR, whereas before, it would have been an annoying extra step.”

According to Todd Tolbert, CAE, partner and COO/CIO of VSTI-Partners, GDPR forced good thinking on what associations should do with member data.

“As associations, we can’t avoid having personally identifiable information, so we need to show the world how to appropriately use and maintain this information,” he said. “If we can treat our member data like we would want our own personal data utilized, then we will have come very close to the intent of the privacy laws.”

But that doesn’t mean the work is over: Five years later, association professionals still must ensure that their organizations remain compliant with GDPR regulations, while being mindful of the data privacy landscape and new policies and legislation on the horizon.

Stay Compliant and Aware

According to Sahli, diligence is necessary to remain GDPR compliant. Associations should set aside time to review their data policies on a regular basis—at least once a year or every other year—to ensure they keep to the terms of the policies.  

Organizations should also ensure that staff understand their responsibilities when it comes to GDPR compliance. Sahli suggested weaving an introduction to GDPR into staff onboarding and conducting training once or twice a year as a helpful reminder for staff on the subject. This training is especially important for departments that regularly interact with member data, such as marketing and membership.

In addition to reviewing policies and training staff, Sahli keeps herself up to date on the broader data privacy landscape. “That way, even if there’s a policy that’s two years down the road, I can look into it so that I’m aware of it and how it might impact our organization,” she said.

Much has changed in the landscape since GDPR, including Brazil’s General Law for the Protection of Personal Data in 2020 and China’s Personal Information Protection Law (PIPL) in 2021.  GDPR also inspired state privacy laws in California and Virginia. Three more states—Colorado, Connecticut, and Utah—have passed privacy laws that will go into effect later this year.

“People are becoming more aware of how companies and organizations can or should be handling their personal identifiable information,” Tolbert said. “I think they are going to be asking their governments to enforce that, and that’s not unreasonable.”

Associations that have already gone through GDPR compliance are in better shape to handle these new privacy laws. For example, it was much easier for RAPS to comply with other privacy laws because of the way they handle their contracts and their requirements of GDPR policies when those contracts involve user data.

Even if an association has yet to be affected by GDPR or state-level laws, Tolbert recommends they still take a proactive approach to data privacy.

“I think we’re going to see more states pass these laws, and when that happens, we certainly aren’t going to segment our databases by state,” he said. “Don’t wait until these laws come into effect to examine your policies and procedures.”

[MF3d/ISTOCK]