What is it?
Set to take effect May 25, 2018, the EU General Data Protection Regulation (GDPR) was designed to systematize data privacy laws across Europe, protect the data privacy of EU citizens, and empower residents of the EU with more control over their own personal data, giving them a say about how their data is handled, including what information is used, whether it is transferred to third parties, and when it is erased. At the same time, the legislation takes additional aim at reshaping the way organizations approach data in an increasingly data-driven and digitally expansive world.
Scoped for global inclusion, GDPR affects all organizations, regardless of location, that process or control the personal data of EU residents (i.e. data subjects). Under GDPR it makes no difference where your organization is located; what matters is whether or not you have collected and/or are collecting data from, or marketing to, individuals living within the EU.
To whom does it apply?
Data Controller: The organization that determines purpose(s) and means of processing personal data. It is the responsibility of the controller to ensure compliance across contracts with processors. Note that, in the association world, associations and professional societies are considered Data Controllers.
Data Processor: An organization that processes personal data on behalf of a controller. Data processors have specific legal obligations and are required to maintain records of personal data and processing activities. Additionally, it is the processor who is held legally liable if/when there is a breach. Note that HighRoad Solution is considered a Data Processor.
What do associations need to know?
Let's detangle each of these areas a bit and make some direct correlations to the association world:
Consent must be expressed, not implied
Essentially, organizations can’t intentionally or unintentionally coerce or deceive their members or non-members into consenting to the processing of their personal data. They must be completely transparent with their constituents in all engagements. This means they need to:
Users will get more rights over their own data
The impetus of the regulation is to give users more control over, and access to, their own data. Organizations will need to put processes and policies in place to accommodate the following clauses:
To put some clarity around this, under the new regulation users will have even more rights over their individual data, whether it is held in association databases, event databases, or CRMs. The onus is on organizations to put policies in place to handle such requests and, in some cases, to dispute the obligation, depending on the impact and severity of the requests.
The integrity of privacy policies will be protected
There will be two new critical principles impacting personal data privacy policies, including:
Both principles will require that organizations take a systematic approach when developing new systems or initiating new technology projects to mitigate potential privacy issues.
Organizations will be accountable for security compliance
The GDPR will require a number of organizations to have a Data Privacy Officer (DPO) to own their compliance efforts. Organizations requiring DPOs will include:
DPOs will also be helpful in overseeing a controller’s relationships with vendors who process and store personal data.
What data is protected?
What happens after May 25, 2018 should you fail to comply?
Organizations found to be non-compliant with GDPR are subject to sanctions levied by the EU Supervisory Authority, including: a written warning for first offenders and/or non-intentional noncompliance; regular, periodic data protection audits; and, most notably, significant fines amounting to as much as 4% of your organization’s global revenue.