What is the “Right to be Forgotten”?
The European Union’s General Data Protection Regulation implementation date is 2 months away. On May 25, 2018, the GDPR goes into effect and impacts “all companies and organizations processing the personal data of subjects riding in the union, regardless of the companies location” according to the official GDPR website, www.eugdpr.org.
In light of these changes coming into effect so soon, Association TRENDS borrowed Helen Anne Richards article, Could you Honor a Member’s Right to be Forgotten?, originally posted on www.ReviewMyAMS.com on August 3rd, 2017. Richards gives a thorough overview of this important regulation, the questions you should be asking, and what is at stake for your association.
Here are three easy questions about your data security. I know. It’s not the sexiest thing in the world, but it’s really important.
1. If a member asked you to provide all the personal identification information you have regarding him or her, could you do it?
2. If a member asked to be “forgotten” in your system, could you accommodate the request and delete all mentions of that individual?
3. Could your third-party vendors handle similar requests?
Although these questions may sound irrelevant to your business today, they will become increasingly important on May 25, 2018, the implementation date for the European Union’s General Data Protection Regulation.
Associations with international members will certainly be affected, but even if you don’t do much business in the EU or have international members, you still need to pay attention. I’ll explain why in a minute.
Implementation of the GDPR is months away, and conversations buzzed about it at AMS Fest in Washington, D.C., in 2017. Most association executives didn’t know exactly what preparations to make or if they needed to prepare at all. Many didn’t have a clear understanding of the new regulations, perhaps because the regulations are written in a subjective language, using words like “reasonable” without defining what reasonable means. Only one tech company rep assured us that he was ready for the change.
What is the GDPR?
The GDPR is a set of strict new rules, prompted by massive data breaches, to protect EU citizens and their personal information. In addition to regulating companies in the EU, however, the GDPR also applies to data collected on EU citizens by companies operating outside the EU, including U.S.-based associations.
What organizations are affected by the GDPR?
According to the official GDPR website: “The GDPR not only applies to organizations located within the EU but it will also apply to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.” That’s us, folks.
What is “personal data”?
Personal data is any information related to a natural person or “data subject,” that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, racial or ethnic data, political opinions, health and genetic data or a computer IP address, cookie data and RFID tags.
What happens if you have a security breach?
Companies must report data breaches that pose a risk to individual information within 72 hours and to affected individuals in a timely manner. This is quite a change from current standards that allow several months for the breach to be identified, examined and reported.
What are the penalties for non-compliance?
Companies can be fined up to 4 percent global turnover or €20 million! That’s the maximum penalty, and fines can be tiered, depending on the determination of individual cases.
What is the Right to be Forgotten?
A person may also ask to be “forgotten” in your system. With such a request, you would have to remove all personal information from all your systems. It is unclear how a company would handle historical data, but legally required data, such as HIPAA health record requirements, would not be affected.
Vendor Responsibility
It is also unclear how this might change the responsibility a company has for the information provided to a third-party vendor, such as a payroll processor, AMS or CMS. It’s worth a conversation with any outside vendors you currently use to determine what steps they are taking to meet the new regulations.
What if You Don’t Do Business Internationally?
You can’t ignore this issue. Kiki L’Italien, CEO of Amplified Growth and moderator for the GDPR session at AMS Fest, reminded participants that data security is increasingly important here, as well as abroad. Massive data breaches in companies like Equifax heighten the importance of security issues. She said that she expects the U.S. to consider regulations similar to the GDPR in the near future. Staying current with EU requirements, and possibly upgrading your security measures, can only help your company in the future.
Finally, the best advice anyone can give you about this topic is to learn, learn, learn. It seems that the EU is primarily interested in the processes a company has in place to protect personal data. Establishing systematic methods to collect, handle and distribute data can go a long way to helping you stay compliant with the new regulations. It may require re-thinking how you process data, but ultimately may help you streamline and modernize your workflows.
Helen Anne Richards is a freelance business writer connecting associations and the companies who serve them. She is a former association exec and holds the CAE designation, as well as an MA in journalism. Read more about her at www.harichards.com.
