What Associations Need to Know About GDPR Compliance
What is GDPR?
The General Data Protection Regulation (GDPR) is the primary law regulating how companies protect EU residents’ personal data. Any association – and association vendor or partner – that handles an EU resident’s data must comply with these new standards, even if the association is not based in Europe. GDPR focuses on protecting personal data that is used by companies and organizations to conduct business and making information about how companies are using personal data more accessible and understandable to individuals.
GDPR was approved by the EU Parliament on April 14, 2016 and goes into effect on May 25, 2018. Check out a brief history of the regulatory events and need for increased data regulation that led to the enactment of GDPR here.
Organizations that operate outside the rules of compliance after May 25 can face heavy fines: up to 4 percent of annual global turnover or 20 million, whoever is greater.
What is the most relevant information for associations?
The regulations are quite detailed (88 pages long), but in short, there are a few areas of compliance most relevant to associations.
Consent.
Users need to provide consent (no automatic opt-in checkboxes) to email communications.
Right to Be Forgotten.
Users have the right to erase their data and become obsolete within the system.
Right to Understand Data Held.
Users have the right to request an organization disclose the personal data it holds on them at no charge to the user.
Security and Privacy Management.
Organizations must have reasonable data protection measures to protect consumers’ personal data and privacy against loss or exposure.
Data Breach Notification.
Organizations that process data (e.g. solution providers) must notify the controller of the data (e.g. associations) who then must notify a designated supervisory authority of a personal data breach within 72 hours of identifying the breach. Specific details of the breach such as the nature of it and the approximate number of subjects affected must be provided. Subjects must also be notified as quickly as possible when the breach places their rights and freedoms at high risk.
What will associations want to know from their suppliers?
Associations should undergo an end-to-end examination of all the ways in which they capture, retain and process data about individuals. As part of that analysis, they should look to all of the solution providers that touch or manage data on their behalf to ensure they are complying with GDPR.
Disclaimer:
Association Adviser and Naylor Association Solutions have been working diligently to analyze and understand the GDPR. We are working with industry experts to ensure our approach to compliance meets the standards set forth in the regulation. This article is not intended to be used as legal counsel nor should it be used to determine how the regulation applies to any particular association client. We encourage associations to engage compliance consultants or legal counsel for specific legal advice.
For more information about the General Data Protection Regulation, visit the official GDPR website.