By: Leslie Schiff on May 11th, 2018
GDPR At A Glance
What is it?
Set to take effect May 25, 2018, the EU General Data Protection Regulation (GDPR) was designed to systematize data privacy laws across Europe, protect the data privacy of EU citizens, and empower residents of the EU with more control over their own personal data, giving them a say about how their data is handled, including what information is used, whether it is transferred to third parties, and when it is erased. At the same time, the legislation takes additional aim at reshaping the way organizations approach data in an increasingly data-driven and digitally expansive world.
Scoped for global inclusion, GDPR affects all organizations, regardless of location, that process or control personal data of EU residents (i.e., data subjects). Under GDPR it makes no difference where your organization is located - what matters is whether or not you have collected or are collecting data from, or marketing to, individuals living within the EU.
To whom does it apply?
Data Controller: The organization that determines purpose(s) and means of processing personal data. It is the responsibility of the controller to ensure compliance across contracts with processors. Note that, in the association world, associations and professional societies are considered Data Controllers.
Data Processor: An organization that processes personal data on behalf of a controller. Data processors have specific legal obligations and are required to maintain records of personal data and processing activities. Additionally, it is the processor who is held legally liable if/when there is a breach. Note that HighRoad Solution is considered a Data Processor.
What do associations need to know?
- User consent must be expressed, not implied
- Users will get more rights over their own data
- The integrity of privacy policies will be protected
- Organizations will be accountable for security compliance
Let's detangle each of these areas a bit and make some direct correlations to the association world:
Consent must be expressed, not implied
Essentially, organizations can’t unintentionally or intentionally coerce or deceive their members or non-members into consenting to the processing of their personal data. They must have complete transparency with their constituents in all engagements. This means they need to:
- Explicitly tell them what they’re consenting to in advance of consent
- Avoid making wrongful assumptions about consent
- Avoid inferring that silence, pre-ticked boxes, or inactivity means consent
- Clearly inform their users of necessary consent during the opt-in process
Users will get more rights over their own data
The impetus of the regulation is to give users more control over and access to their own data. Organizations will need to put processes and policies in place to accommodate the following clauses:
- A "right to be forgotten" which requires Controllers to alert downstream recipients of deletion requests
- A "right to data portability" which allows data subjects to demand a copy of their data in a common format
To put some clarity around this, under the new regulation, users will have even more rights over their individualized data whether held in association databases, event databases, or CRMs. The onus is on the organizations to put policies in place to handle and, in some cases, dispute the obligation depending on the impact and severity of the requests.
The integrity of privacy policies will be protected
There will be two new critical principles impacting personal data privacy policies, including:
- A requirement to build in data privacy "by design" when developing new systems
- An obligation to perform a Data Privacy Impact Assessment (DPIA) when processing using "new technologies"
Both principles will require that organizations take a systematic approach when developing new systems or initiating new technology projects to mitigate potential privacy issues.
Organizations will be accountable for security compliance
The GDPR will require a number of organizations to have a Data Privacy Officer (DPO) to own their compliance efforts. Organizations requiring DPOs will include:
- Public authorities
- Organizations whose activities involve regular monitoring of data subjects on a large scale
- Organizations who process what is currently known as sensitive personal data on a large scale
DPOs also will be helpful in overseeing a controller’s relationships with vendors who process and store personal data.
What data is protected?
- Personal Data: Broadly defined, personal data is considered to be any piece of information that can be used to directly or indirectly identify an individual, including but not limited to: names, photos, email addresses, identification numbers, social media posts, online identifiers, location data, IP addresses, etc.
- Sensitive Personal Data: The regulations also prohibit the processing, without consent, of sensitive data such as race, ethnic origin, sexual orientation, political opinions, religion or philosophical beliefs, trade union membership, genetic data, etc.
- Data Profiling: Characterized as automated processing of some variety carried out on personal data with the ultimate intent to predict and/or influence behavior learning, data profiling is permitted, but there are some requirements that must be respected to ensure the rights of the profiled data subjects.
What happens after May 25, 2018 should you fail to comply?
Organizations found to be non-compliant with GDPR are subject to sanctions levied by the EU Supervisory Authority, including written warnings for first offenders and/or non-intentional noncompliance; regular, periodic data protection audits; and, most notably, significant fines amounting to as much as 4% of your organization’s global revenue.