On May 25, 2018, the General Data Protection Regulation (GDPR) becomes law in all EU member states. You may think it doesn’t affect you, but indeed it may if you are an international organization or have contacts in your database based in the EU. It relates to the privacy and security with which you manage the records in your control.
GDPR and associations
The party line is that you will need to comply with these regulations that are a part of this law beginning May 25 or face the possibility of penalties. The reality is it may not be as dire as that, but you do need to learn about GDPR and how it affects your organization.
enSYNC will be hosting a webinar on March 15 to discuss the implications of GDPR, but in the meantime, you should get prepared by learning all you can about the law and taking some proactive steps.
While in practical terms, GDPR applies only to contacts you may have in EU countries, it is an opportunity for you to tune up your privacy policies for all database records – and that’s not a bad thing. With data breaches prevalent and attracting attention, with the public concerned about their privacy and the security of their personal information, it is worthwhile for you to adopt some strict privacy policies. GDPR helps move you in that direction.
The Basics of GDPR
First a few definitions of the entities covered by GDPR:
Data Subject – This is the owner of the data, the member whose personal data you are keeping.
Data Controller – This would be your organization. A data controller is defined as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.” Data controllers have the obligation to oversee the rights of the data subjects and also to report data breaches.
Data Processor – This may be your organization as well, but it may also be someone you outsource to. As stated in the law, it is “natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.” In other words, while the controller is the entity that makes decisions about processing activities, the processor is any entity contracted by the controller for working with the data. This may extend to any cloud service providers who are storing the data on your members.
In a nutshell, GDPR is all about protecting and securing the rights and privacy of data holders. To preserve privacy, you must:
- Only process data for authorized purposes
- Ensure data accuracy and integrity
- Minimize exposure of identities
- Implement data security measures
These are the rights conferred upon the data subjects (again, these would be your members).
Right to be informed
Right of access
Individuals who want to review their full record, may fully scrutinize the data you store on them.
Right to rectification
Furthermore, they have the right to correct any incorrect information stored about them.
Right to erasure
There are several reasons why members can request erasure of their personal data: it’s no longer necessary for you to hold it, they withdraw their consent for you to process their data, the data relates to a child, or you have unlawfully processed it.
Right to restrict processing
This is similar to the above reasons.
Right to data portability
Individuals can request and reuse data held by you and you must provide it to them in a commonly used format that they can access.
Right to object
If you use data for direct marketing, individuals have the right to object to this usage.
Right not to be subject to automated decision-making
Data subjects have the right to object to the use of their data for the purposes of data decision making. They can object to using variables such as purchasing habits, location, or basic demographics in this way.
Think About These Operational Impacts
You will need to ensure your data processing standards have appropriate security.
Some of these might include pseudonymization and encryption of personal data, the ability to ensure ongoing confidentiality, and a process for regularly testing this.
Pseudonymization is the separation of data from direct identifiers so that linkage to an identity is not possible without additional information that is held separately. It is a privacy-enhancing technique where directly identifying data is held separately and securely from processed data.
Pseudonymization is different than encryption and encryption must also be used to keep data secure.
You need to have an identified Data Protection Officer.
This might be an individual on staff, or in the case of a smaller group, you might outsource this to a firm who could perform such duties as keeping current and advising on data protection standards, monitoring compliance with GDPR, and serving as the contact point for issues relating to the processing of personal data.
Ensure that consent is given for the use of the processing of data.
Under the GDPR, consent must be “freely given, specific, informed and unambiguous.” This consent may include ticking a box on a website or another statement or conduct that clearly indicates assent to the processing. “Silence, pre-ticked boxes or inactivity,” however, is not sufficient to confer consent.
Note that “profiling” through the use of automated decision making is restricted
While marketing automation is not stated as a term that is strictly prohibited, GDPR does make several references to taking action in automated ways. Under Article 4(4), data processing may be characterized as “profiling” when it involves “(a) automated processing of personal data; and (b) using that personal data to evaluate certain personal aspects relating to a natural person.” It is worth reading these provisions in a thoughtful way, so that you are avoiding profile-based automated decisions.
Data subjects have the right to request their personal information
And you must be able to comply by transferring that data in a commonly used format if requested.
- Read the GDPR law to ensure we've covered the provisions that match what you need to know about at your association.
- Examine your database for records from EU countries. Be sure to review what you personally identifiable information you hold in your AMS, LMS, email software databases, Excel files, and all other systems where you store names and addresses.
- Update your website privacy policies. You can find templates online.
- Review your encryption techniques to ensure they are in compliance.
- Identify and name your Data Protection Officer.
There are many facets to this new regulation. We encourage you to read the law and make your own interpretations so that you can take the appropriate steps to protect your organization.