You’ve heard that it is a game-changer for organizations in the EU, but considering that US associations collect a wealth of information on members, subscribers and event attendees from all over the world, associations still face noncompliance fines of upward of $20 million under GDPR and thus need to be well versed in the regulation and the impact it will have on all departments. “It starts with the senior team, but everyone needs to understand the implications of their day to day activities. For every action involving data, especially if that data is personal about an individual, all personnel need to be aware of the implications of their actions under GDPR,” according to Penny Heyes, Chief Commercial Officer at The TrustBridge. Since many finance executives are involved in compliance and HR, this will often be the team that takes the lead on organizational compliance. If you haven’t started planning for GDPR, now is the time. Here are five things you should be doing.
1. Know what it is: The General Data Protection Regulation (GDPR) sets guidelines for the collection and processing of personal information for EU- and UK-based individuals. It affects how member data is collected, how it is stored and used, and how organizations communicate with individuals. This regulation does affect organizations that have customers or members, or that communicate with, citizens resident in the EU.
2. Look at Current Processes: Once you understand the regulation, look at processes for collecting information from members, subscribers, attendees, one-off purchasers, and prospects. Understand how that data is being stored and used for any kind of communications. This will help you identify areas of risk.
3. Review existing contracts and data: “One thing that is very important is to review your 3rd party supply chain (becoming known as the ‘data ecosystem’) and how they are processing, controlling and storing data for you.” Three things to look for:
- Where the data is being held
- The processes and policies employed by the 3rd party
- Any risk of breaches between the systems
4. Human Resources: “Under GDPR, many organizations are required to have a data protection officer who reports directly to the board of directors. We are seeing in many organizations that the CFO is taking on this position,” says Heyes. It is also important to note that GDPR applies to staff resident in EU countries. This means you need to be aware of the organization’s responsibilities for employee data.
5. Budget: Nothing happens without time and money, so it’s important to note that additional dollars are going to need to be allocated to staff education on GDPR and preparation for May 25, 2018.
The introduction of the GDPR is not just another regulation that requires compliance; it is an opportunity for organizations to review their data hygiene status and policies. By adopting recommended processes and achieving greater transparency with data, the GDPR-aligned association will engender greater trust with members and customers by demonstrating a responsible attitude to personal data.
The TrustBridge (www.thetrustbridge.com) is a leading authority on data protection, the GDPR and security issues, with experience across a number of sectors including Finance, Telecoms and the Public Sector.
Join AssociationTRENDS for a special webinar on January 31: GDPR – the Key Principles, Implications, and Expected Impact on Tax-Exempt Organizations in the U.S. to learn more about how this regulation will affect associations and what you need to do to prepare.