TRENDS Blog

Insights and quick tips for association and nonprofit professionals.

Top Things Membership, Marketing, and Meetings Pros Should Know About GDPR

You’ve heard that it is a game-changer for organizations in the EU. But because US associations collect a wealth of information on members, subscribers, and event attendees from all over the world, they are still at great risk for noncompliance, upward of $20 million+ under GDPR. Thus, they need to be well versed in the regulation and the impact it will have on all departments. Because marketing, membership, and meetings teams often collect member and attendee information and regularly communicate with the industry, these teams will be especially affected by this new regulation.

“It starts with the senior team,” says Penny Heyes, Chief Commercial Officer at The TrustBridge, “but everyone needs to understand the implications of their day-to-day activities. For every action involving data, especially if that data is personal about an individual, all personnel need to be aware of the implications of their actions under GDPR.”

If you haven’t started planning for GDPR, now is the time. While compliance can keep your association out of hot water, it also presents a tremendous opportunity to create more trust between you and your members, and it sets your association apart from other organizations by proving that you are responsible with the private information of your members. Here are five things you should be doing.

1. Know what it is: The General Data Protection Regulation (GDPR) sets guidelines for the collection and processing of personal information for EU- and UK-based individuals. It affects how member data is collected and stored, and how organizations communicate with individuals. This regulation affects organizations that have customers or members residing in the EU, or that communicate with citizens residing there.

2. Look at current processes: Once you understand the regulation, look at your processes for collecting information from members, subscribers, attendees, one-off purchasers, and prospects. Heyes remarks, “One of the key processes is what we call the DPIA, Data Privacy Impact Assessment. That is an analysis that looks at where the risks are for any data processing and controlling that is going on. And a senior marketing person can start that process.” This could be especially important if you have not received any direction from the executive team, as it can illustrate areas of risk.

3. Privacy statements: Look at privacy statements and make sure that the wording is accurate and compliant. While you are at it, look at all your opt-in forms and ensure that you are asking for the proper consent. “People clicking an opt-in box under the new rule is not going to be sufficient,” says Heyes. “What the rule says is that the individual needs to express consent in a very explicit form and that consent needs to be freely given.”

4. The right to be forgotten: Under GDPR, individuals must be able to rescind any consent that they have given. So even if you have a process for opt-outs, you should also have a process for those who have requested that you do not store their data anymore.

5. Look at the data being collected: One of the rules under GDPR is that you must be able to legally justify the data that you are collecting on an individual. “So, what you need to do is to focus on the information that is truly necessary and not information you collect because it’s nice to have it. Stick to the key information that you really need.”

The introduction of the GDPR is not just another regulation that requires compliance; it is an opportunity for organizations to review their data hygiene status and policies. By adopting recommended processes and achieving greater transparency with data, the GDPR-aligned association will engender greater trust with members and customers by demonstrating a responsible attitude to personal data.

The Trust Bridge (www.thetrustbridge.com) is a leading authority on data protection, the GDPR, and security issues, with experience across a number of sectors including Finance, Telecoms and the Public Sector.

Join AssociationTRENDS for a special webinar on January 31: GDPR – the Key Principles, Implications, and Expected Impact on Tax-Exempt Organizations in the U.S. to learn more about how this regulation will affect associations and what you need to do to prepare.
