What is the GDPR Impact on Associations? What you need to do and what will happen if your not ready?
The General Data Protection Regulation (GDPR) is Regulation (EU) 2016/679 of the European Parliament and of the Council dated April 27, 2016. After its two-year implementation period, the GDPR will be applicable from May 25, 2018. While it is a European statute, the GDPR impact on associations in the United States and elsewhere cannot be ignored.
The GDPR applies new regulations to the processing of personal data that encompasses every entity that stores or handles data of persons across 31 countries—all 28 European Union (EU) member states as well as Iceland, Norway, and Liechtenstein, otherwise known as the European Economic Area (EEA). An association in the United States that handles data of clients in Europe must adhere to GDPR considerations.
Basic GDPR Impact on Associations
In order to help ensure GDPR compliance for associations, it is helpful to understand certain terms.
- Personal data – any information that relates to an identified or identifiable natural person (the ‘data subject’). This includes a name, an identification number, location data, an online identifier or to data that relates to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Data Subject – an identifiable natural person.
- Data Controller – the entity who determines the purposes and means of processing data.
- Data Processor – the entity which processes the personal data on behalf of the Data Controller.
According to these definitions, it is obvious that most of the types of data acquired, held, and used by associations (member identities, donor information, prospect information, sponsor information, etc.) is considered personal data. Furthermore, any entity contracted by the association to acquire and handle such data (example: an online database management application or website host where such data is collected) would be considered a Data Processor. Because the association is the entity which determines the use and means of processing personal data, it would be considered a Data Controller.
Factors that Affect GDPR Compliance for Associations
Under the new regulations, EU residents have the right to access their personal data, the right to correct incomplete or inaccurate data, the right to completely delete their personal data, and the right to restrict the processing of their personal data. Organizations that store and use such personal data have 30 days to respond to individual requests regarding personal data, and to provide access to that data. Any data breach must be reported to EU data protection agencies within 72 hours.
Proper data security involves personnel, processes, and technology. The GDPR impact on associations is huge, and they must identify the biggest risk exposures specific to their organization and start the compliance process there.
The weakest link in any data security protocol is always your strongest asset – your personnel. Through inadvertent action or simple mistakes, data can be compromised by how personnel handle procedures and/or fail to completely follow through with fulfilling security requirements. All personnel charged with handling personal data should be trained on the changes required by GDPR regulations and how to maintain ongoing compliance.
All processes for acquiring, storing, handling, and using personal data will need to be reviewed, including all third party vendors (the Data Processor) the association may use. Special care must be taken to review all provisions of GDPR and how they apply to every way the association and its partners handle data in order to adopt compliant processes.
The technological aspects of data security involve acquiring personal data, storing it, and transferring it to association shareholders charged with using it. GDPR stipulates that personal data must be processed in an appropriately secure manner including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, by the use of appropriate technical or organizational measures. This applies to both associations and their partners that handle personal data.
Punishment for Violating GDPR Considerations
Punitive measures will also cause major GDPR impact on associations who are unable to comply within the specified timeframe. Supervisory authorities established by the GDPR have advisory, investigative, and corrective powers to ensure compliance with the GDPR. Corrective measures range from simple warnings to temporary limitations of data processing to administrative fines and suspension of data flows. Fines can be imposed in addition to other corrective measures, and can be:
- a fine of up to €10,000,000, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
- a fine of up to €20,000,000, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year for the most severe forms of a breach.
CIMATRI Can Help Mitigate the GDPR Impact on Associations
CIMATRI helps association and non-profit leaders manage change through organizational and digital transformation. Our ‘Disruptioneers’ are experienced association leaders who get their hands dirty with policy governance, digital strategy, workforce culture, service design and association IT, all measures pertinent to helping you reach compliance with GDPR considerations. CIMATRI will help you ‘Make Association Things Work in the Real World’. Call (571) 249-2719 or fill out on online contact page today to arrange a consultation.