You’ve heard that GDPR is a game-changer for organizations in the EU, but considering US associations collect a wealth of information on members, subscribers and event attendees from all over the world, they too are at great risk! Noncompliance can cost of upward of $20 million+ ¬ and associations need to be well versed on the regulation and the impact it will have on all departments. According to Penny Heyes from TrustBridge “It starts with the senior team, but everyone needs to understand the implications of their day to day activities. For every action that has a relationship to data, especially if it is for an individual, all personnel need to be aware of the implications of that action under GDPR.” Although compliance can save your organization against fines of $20 million+, the fines are not the only reason to do this. GDPR provides an opportunity to upgrade how you collect and house data, in addition to making you more trustworthy to members. Regardless of your reasons, it’s important that you are knowledgeable about this regulation. Here are five things to get you started.
1. Know what it is: General Data Protection Regulation (GDPR) sets guidelines for the collection and processing of personal information for EU- and UK-based individuals. It affects how data is collected, how data is stored, and how organizations communicate with individuals. This regulation does affect organizations who have customers or communicate with EU-based customers.
2. Look at Current Processes: Look at processes around how data is collected, stored and accessed to identify areas of potential risk. This can include privacy policies, forms members, and customers are filling out, and the internal process for communicating with members and prospects after they’ve given you information. It’s also important to ensure members can access and change the data that you have on them and ask you to “forget” them (i.e., remove their data). It’s equally important to understand processes for storing, accessing, and sharing data. This should include understanding how and on what mobile devices that staff is accessing data.
3. Review existing contracts and data. Penny Heyes remarks, “One thing that is very important is to review your 3rd party supply chain (becoming known as the “data ecosystem”) and how they are processing, controlling, and storing data for you.” Three things to look for:
- Where the data is being held
- The processes and policies employed by the 3rd party
- Any risk of breaches between the systems
4. Tech applications. It’s a good idea to start educating on the applications available to help with compliance. Some AMSs and some meeting systems are now introducing features to ensure GDPR alignment – and this should be a question that the association asks of their CRM supplier.
5. Requesting a budget: Nothing happens without time and money, so it’s important to note that additional dollars are going to need to be allocated to staff education on GDPR and preparation for May 25, 2018.
The introduction of the GDPR is not just another regulation that requires compliance, it is an opportunity for organizations to review their data hygiene status and policies. By adopting recommended processes and achieving greater transparency with data, the GDPR aligned association will engender greater trust with members and customers by demonstrating a responsible attitude to personal data.
The Trust Bridge is a leading authority on data protection and the GDPR, security issues with experience across many sectors including Finance, Telecoms, and the Public Sector.
Join Association TRENDS for a special webinar on January 31: GDPR – the Key Principles, Implications, and Expected Impact on Tax-Exempt Organizations in the U.S. to learn more about how this regulation will affect associations and what you need to do to prepare.