When the General Data Protection Regulation (GDPR) was officially implemented in May 2018, many organizations and associations were not fully prepared for the fundamental changes in the management of personal consumer information it heralded. While the regulation is initially set to encompass 31 countries from the European Economic Area (EEA), it is only a matter of time before other regions across the world start implementing it to harmonize the collection and storage of Personally Identifiable Information (PII).
Essentially, GDPR serves as a reminder for all associations – whether their customers are located in the EEA or outside it – that they need to start devising ways to build long-term member trust. They must reassure their members that their data is secure. They need to convince their members that their confidential information belongs only to them, and that the associations have put data hygiene mechanisms in place. Under GDPR, members of associations can now access the personal data an association holds about them from anywhere, correct incomplete data, request its deletion, and also forbid the association from using this data.
Key GDPR concerns for associations
For associations and nonprofit bodies, this poses an interesting challenge. As the processing of any member data now requires explicit opt-in consent, traditional sales and marketing activities that associations have performed are now rendered obsolete. For instance, associations need to be very careful about the information they ask members to fill in on website forms. Potential members from the EEA could be among such visitors, and if the association does not take adequate care to protect this data, it could find itself facing massive non-compliance fines. Previous practices such as purchasing email lists or getting members to refer new members may also need to be revisited.
Associations also need to define the categories into which each type of member information falls. Basic data such as name, photo, email address, IP address and more, which were previously considered easily obtainable and transferable, are now covered under the scope of GDPR. Hence, associations must now store and transfer this data in an organized and accurate manner. Moreover, GDPR compliance for associations now runs across all organization levels – from senior management to team leaders and their staff – and this presents associations with a critical challenge to overcome.
While this may lead to some changes in the way employees review existing business processes and applications, GDPR will require a more comprehensive shift in the mentality of association staff when they are communicating with members. If they have to send members a newsletter about recent activities or industry updates, they will need to check for a clear opt-in. If they collect information that is relevant for annual meetings, then they will have to explicitly state that such information will only be used for the purpose of those meetings. In effect, associations will have to initiate fundamental changes in how they expand their membership and run programs.
It is no longer enough for associations to assume that because their members agreed to a certain action, they are compliant with other activities as well. The simple rule associations should remember is this – if a member did not request it, they must not provide it.
The road ahead for GDPR compliance
The very first step associations must undertake is to conduct an in-house risk analysis to see where the gaps lie with regard to data collection and management. Many associations use multiple software systems and technologies, so they now face the formidable task of aligning these tools under the GDPR directive and consolidating all the member information they possess. They need to start by asking the following key questions:
- What kind of data does the association own?
- Where has that data originated from?
- How is this data being processed?
- What was the purpose behind collecting this data?
- Is the data really needed?
- Was member consent clearly provided?
In some cases, associations may have to revamp their privacy policies and notices to ensure GDPR compliance. For this purpose, data analytics can be a savior for them by providing unique insights into member consent, preferences and interests – all from a centralized and consolidated dashboard. Associations have to quickly sort through a lot of data now, and effectively doing so can enable them to devise successful and highly targeted marketing campaigns.
In other instances, associations will need to revisit their vendor contracts and member agreements as well, to carefully study the language used therein. They will need to insert new clauses to ensure all member data is stored and managed in a manner that is compliant with GDPR. They will also have to contain data breaches, in the event they do occur, using the relevant mitigation mechanisms and best practices.
Associations worldwide must now realize that GDPR and data privacy compliance is an ongoing activity that has only just begun. Individual data rights are sure to see further adaptations as time goes by, and GDPR merely represents the first stage of questioning the nature and source of personal member information. Associations should, hence, look at developing policies of ‘Privacy by Design’ to provide data security at every stage, and not as an afterthought. This will help them boost member trust and loyalty, and achieve their long-term membership objectives.