How Has GDPR Affected Association Marketing?
American-based associations don’t usually take much notice of data protection laws in other countries. There is one you should know about, however: GDPR.
It’s a European regulation that may apply to you directly. Even if it doesn’t, it provides a data governance model that may make you rethink your approach to member privacy.
What is GDPR?
In May 2018, the European Union’s General Data Protection Regulation (GDPR) came into force. It replaced the 1995 Data Protection Directive and the patchwork of national laws built on it with a single regulation that applies directly in every member state.
The goal of GDPR is to give ordinary people control over their personal data: what is collected, why, and who it is shared with. Any organization that processes the personal data of people in the EU must comply, and the penalties for not doing so are substantial: fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher. The €50 million fine that the French regulator CNIL imposed on Google in January 2019 is the best-known early example.
Why GDPR matters even if you’re not in Europe
When GDPR launched, it caused a lot of disruption for American businesses and websites. Some organizations simply blocked European users rather than risk breaking the new rules.
But over time, organizations have started to become a lot more enthusiastic about the regulations. Some companies have chosen to apply GDPR standards across the board, rather than have separate data policies for Europe and the rest of the world.
That’s because GDPR provides a useful data framework for organizations. These regulations put a lot of power in the hands of individuals and punish anyone who tries to exploit or abuse personal data. When people feel protected by the law, they’re a lot more confident about doing business online.
Even if your association isn’t active in Europe, you should still consider becoming GDPR-compliant. Following these rules will help you build trust with your members, and trust is the foundation of a long and profitable relationship.
7 Things Associations Need to Know About GDPR
GDPR is a complex piece of legislation. It’s designed to cover all eventualities involving organizations that store and process personal data, whether they’re a commercial enterprise, non-profit, or government body.
However, the spirit of GDPR is quite simple: treat people’s data the way you hope other people treat yours. Collect only what you need, use it only for the purpose you collected it for, keep it secure, and don’t keep it longer than necessary.
Some of the specific rules of GDPR that associations should know about include:
1. If your digital services are available in the EU, you must be GDPR-compliant
GDPR applies to organizations outside the EU whenever they offer goods or services to people in the EU, even free ones such as a newsletter or a member portal, or monitor their behaviour, which is exactly what analytics and advertising trackers do. This is known as the extra-territorial effect: an EU supervisory authority can act against you even if you have no presence in Europe.
It doesn’t matter whether the person viewing your site is purchasing something, or even whether they’re a member. If you collect and store their personal data, you are processing it and can be held to the European rules. One nuance: a site that is merely reachable from Europe, with no European audience in mind and no tracking, is not automatically in scope. A site that serves European members or runs analytics on its visitors is.
2. Users have to permit cookies explicitly
When someone visits your site for the first time, you have the option to set a cookie in their browser. A cookie is a small piece of text, not code, that the browser stores and sends back with every later request to your site. Give it a unique tracking ID and you can recognize the same visitor across pages and visits, which is how analytics and advertising trackers work.
Cookies are vital for analytics, and technically a site can set them without the visitor ever noticing. The European rules (GDPR’s consent standard, applied to cookies through the ePrivacy rules) outlaw this practice for anything beyond strictly necessary cookies such as a login session or a CSRF token. Before you set an analytics or advertising cookie you have to ask the visitor explicitly for permission, usually through a banner that asks a simple yes/no question. Pre-ticked boxes, “by continuing you agree” notices, and cookies dropped before the visitor has answered do not count as consent.
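As an added example (not from the original article or from HighRoad Solution), here is the gate a site’s front-end code can put in front of every cookie-setting call so that nothing beyond strictly necessary cookies is written until the visitor has actually said yes. It goes a little beyond the paragraph above: consent is recorded per purpose, tied to a policy version so that a changed policy re-prompts, expires after a fixed interval, and can be withdrawn, which purges the cookies in that category. The cookie names, the policy version number and the 180-day re-prompt interval are assumptions for illustration; the cookie store is injected so the same logic runs offline in Node and, in a browser, in front of document.cookie.

```javascript
// Consent gate for non-essential cookies. The cookie store is injected so the
// logic runs in Node for testing and, in a browser, in front of document.cookie.

const NECESSARY = "necessary";      // exempt from consent: session id, CSRF token, the consent record itself
const POLICY_VERSION = 2;           // assumption: bump whenever the cookie policy changes
const CONSENT_MAX_AGE_DAYS = 180;   // assumption: re-ask after this long
const DAY_MS = 24 * 60 * 60 * 1000;

// Every cookie the site sets, mapped to its purpose. Names are hypothetical.
const COOKIE_REGISTRY = {
  session_id: NECESSARY,
  csrf_token: NECESSARY,
  _site_analytics: "analytics",
  _site_ads: "marketing",
};

// Build the record to persist once the visitor answers the banner.
// Only an explicit true counts as yes; a missing answer is no.
function newConsentRecord(choices, now = Date.now()) {
  return {
    version: POLICY_VERSION,
    givenAt: now,
    categories: { analytics: choices.analytics === true, marketing: choices.marketing === true },
  };
}

// A record is usable only if it was given under the current policy and is not too old.
function consentIsCurrent(record, now = Date.now()) {
  if (!record || record.version !== POLICY_VERSION) return false;
  const ageDays = (now - record.givenAt) / DAY_MS;
  return ageDays >= 0 && ageDays <= CONSENT_MAX_AGE_DAYS;
}

// Default deny: anything beyond strictly necessary needs a current, explicit yes.
function mayUseCategory(record, category, now = Date.now()) {
  if (category === NECESSARY) return true;
  return consentIsCurrent(record, now) && record.categories[category] === true;
}

// The string a browser is handed via document.cookie, with the same hardening
// attributes on tracking cookies as on essential ones.
function serializeCookie(name, value, { maxAgeSeconds, path = "/", sameSite = "Lax" } = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${path}`, "Secure", `SameSite=${sameSite}`];
  if (maxAgeSeconds !== undefined) parts.push(`Max-Age=${maxAgeSeconds}`);
  return parts.join("; ");
}

// In-memory stand-in for the browser cookie store so the gate can be exercised offline.
class CookieJar {
  constructor() { this.cookies = new Map(); }
  write(name, value, attrs) { this.cookies.set(name, serializeCookie(name, value, attrs)); }
  has(name) { return this.cookies.has(name); }
  remove(name) { this.cookies.delete(name); }
}

// The one choke point every cookie-setting call site goes through.
// Returns true if the cookie was written, false if consent (or the registry) blocked it.
function setCookieIfAllowed(jar, record, name, value, attrs = {}, now = Date.now()) {
  const category = COOKIE_REGISTRY[name];
  if (category === undefined) return false;            // unregistered cookie: refuse rather than guess
  if (!mayUseCategory(record, category, now)) return false;
  jar.write(name, value, attrs);
  return true;
}

// Withdrawal must be as easy as consent: turn the category off and purge its cookies.
function withdrawConsent(jar, record, category, now = Date.now()) {
  const previous = record && record.categories ? record.categories : {};
  for (const [name, cat] of Object.entries(COOKIE_REGISTRY)) {
    if (cat === category) jar.remove(name);
  }
  return newConsentRecord({ ...previous, [category]: false }, now);
}

// What a banner handler does after the visitor accepts analytics but declines marketing,
// and what happens when they later withdraw the analytics consent.
function runBannerDemo() {
  const jar = new CookieJar();
  let consent = newConsentRecord({ analytics: true, marketing: false });
  const session = setCookieIfAllowed(jar, consent, "session_id", "s1", { maxAgeSeconds: 3600 });      // true: no consent needed
  const analytics = setCookieIfAllowed(jar, consent, "_site_analytics", "v1", { maxAgeSeconds: 86400 }); // true: consented
  const ads = setCookieIfAllowed(jar, consent, "_site_ads", "a1");                                    // false: declined
  consent = withdrawConsent(jar, consent, "analytics");
  const analyticsAfterWithdrawal = jar.has("_site_analytics");                                       // false: purged
  const sessionStillSet = jar.has("session_id");                                                     // true: untouched
  return { session, analytics, ads, analyticsAfterWithdrawal, sessionStillSet };
}

console.log(runBannerDemo());
```

The design choice worth copying is that the gate refuses by default: a missing, stale or expired record, an unregistered cookie name, or a category the visitor never ticked all result in no cookie being set. The registry also doubles as the inventory you need when writing the cookie section of the privacy policy.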
3. All communication must be consensual
Technically, all you need to send someone a marketing message is their email address. Under GDPR you also need a lawful basis, and for marketing email that generally means explicit consent: freely given, specific, informed and unambiguous, which rules out pre-ticked boxes and consent bundled into a membership form. You can’t send marketing emails to people unless they’ve agreed to receive them, and you should be able to show when and how they agreed.
They can also withdraw that consent at any time, and withdrawing it has to be as easy as giving it, so every message needs a straightforward opt-out link. The upside of this approach is that your distribution list will now only include people who genuinely want your emails.
4. Don’t punish people for saying no
The rules above are all about giving people choices: they can choose whether to be tracked or get marketing emails. But how should marketers respond when people say no?
Under GDPR, consent has to be freely given, which means you can’t make access to something conditional on consent that isn’t needed to provide it. For example, if you have a publicly available webpage, the visitor should be able to read it even if they decline non-essential cookies; a “cookie wall” that blocks the page until they accept does not produce valid consent.
5. You shouldn’t need a law degree to understand the privacy policy
Most apps and websites have a privacy policy you can read or download. The problem is that these policies are usually written in dense legal jargon and run on for dozens of pages, and people rarely read them, if ever.
GDPR requires that the information you give people about their data be concise, transparent, intelligible and easily accessible, in clear and plain language. A detailed policy for the lawyers is fine, but a member has to be able to find and understand the essentials: who you are, what data you collect, why and on what legal basis, how long you keep it, who you share it with, and what rights they have over it. A short, plain-language summary that links to the full document is the usual way to meet this.
6. Respond promptly when someone asks to see, correct or delete their data
GDPR gives individuals a set of rights over their data: to get a copy of it, to have inaccuracies corrected, and, in many circumstances, to have it deleted. The right to erasure is not absolute; you can keep what you genuinely need to meet a legal obligation or fulfil a contract, but you have to be able to say which. There’s also an onus on organizations to keep the data they hold accurate and up to date.
To honor these rights you need a clear channel for requests, ideally a self-service option on the website where members can view and update their own record. When a request comes in, GDPR gives you one month to act (extendable by two more for complex cases), and you must verify that the requester is who they claim to be before disclosing or deleting anything; a copy of a member’s record sent to an impostor is itself a breach. A correction or deletion also has to reach every system that holds a copy of the record, including your email platform and any third-party tools you’ve synced it to.
7. Deal with breaches immediately
Breaches happen. Attackers constantly probe networks for data to steal, and a member database with names, addresses and payment details is a worthwhile target. What you can control is how much there is to lose (collect and keep only what you need), how well it is protected (access control, encryption, logging), and how quickly you detect and contain a breach once it happens.
Under GDPR you have 72 hours from becoming aware of a breach to report it to the supervisory authority, unless it is unlikely to put people at risk, and when the breach is likely to pose a high risk to the people affected (exposed passwords or payment details, for example) you also have to tell them directly and without undue delay. This can be embarrassing and lead to some difficult conversations, but people have a right to know, and once informed they can protect themselves, such as by changing a password they reuse on other websites. Keep an internal record of every breach, including the ones you decide not to report, because the regulator can ask for it.
Next Steps
Even if you’re not concerned about getting into trouble with European regulators, there’s a lot to think about in GDPR. By following these regulations, you’ll show your members that you respect their privacy and that you can be trusted with their data. What’s more, you’ll be interacting with those who truly are engaged and interested in your programs and thus more likely to register, subscribe, purchase or join your organization!
About Aimee Pagano
Aimee joins HighRoad Solution with 15+ years of integrated marketing and communications experience, primarily in client-facing roles within the association and SaaS space. Her specialties include persona development, content strategy/management, lead gen and awareness campaign development, and website development/optimization.