GDPR Compliance in the Data Economy

2021 saw a 7% increase in GDPR compliance and marked the first year regulators started laying down the law after the initial three-year grace period.

In response to the ramping up of fines and penalties for compliance and consent management violations, as well as the digital demands of the emerging data economy, greater adoption and oversight are expected in 2022-2025.

Increasing GDPR enforcement provides a lens into the key areas that associations should focus on in the years ahead, as well as the data processing activities that will shape future guidelines, public policy, and digital trends.

Plus, the rollout of the new EU's AI regulatory agenda, which we'll discuss in this article, is planned for 2022, and the deadline to transition to stronger data-sharing contracts is on Dec. 27, 2022. The message is clear, you can no longer remain in the foothills of your compliance journey.

Fact is, compliance is no longer about ticking the boxes to avoid fines. Escalating pressures and public expectations have inspired more proactive data privacy experiences in order to build bonds of trust and transparency with your members and audience online.

Quick Recap of GDPR Impact on Associations

The General Data Protection Regulation (GDPR) 2016/679 of the European Union (EU) became mandatory in 2018. While it's a European statute, the GDPR impact on associations, societies, and non-profits in the United States and elsewhere cannot be ignored.

The GDPR applies new regulations to the processing of personal data that encompasses every organization that stores or handles data of individuals across 31 countries—all 28 EU member states as well as Iceland, Norway, and Liechtenstein, otherwise known as the European Economic Area (EEA).

The dense and complex GDPR law applies to any associations that handle the personal data of an EU resident. To ensure proper compliance, it's helpful to understand the following terms :

• Personal data - any information that relates to an identified or identifiable natural person (the ‘data subject’). This includes a name, an identification number, location data, an online identifier or to data that relates to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
• Data Subject - an identifiable natural person.
• Data Controller - the entity who determines the purposes and means of processing data.
• Data Processor - the entity which processes the personal data on behalf of the Data Controller.

What these definitions mean is that most of the types of data acquired, held, and used by your association (member identities, donor information, prospect information, sponsor information, event attendees, etc.) are considered personal data subject to GDPR oversight.

Plus, any entity contracted by your association to acquire and handle such data (example: an online database management application or website host where such data is collected) is considered a Data Processor. Your association is the "Data Controller" because you're really governing the application of that personal data.

In other words, your association is also responsible for the way your third-party vendors (e.g. AMS, LMS, newsletter, etc.) and partners handle personally identifiable information (PII) collected by your organization. This requires obtaining direct, informed consent from your users about the storage and handling of their information by these third parties.

Top 3 Factors Affecting Compliance for Associations

Under GDPR regulations, EU residents have the right to access their personal data, the right to correct incomplete or inaccurate data, the right to completely delete their personal data, and the right to restrict the processing of their personal data.

Organizations that store and use such personal data have 30 days to respond to individual requests regarding personal data and provide access to that data. Any data breach must be reported to EU data protection agencies within 72 hours.

Proper data security involves personnel, processes, and technology. The GDPR impact on associations is huge, and they must identify the biggest risk exposures specific to their organization and start the compliance process there.

Factor #1 Personnel

The weakest link in any data security protocol is always your strongest asset - your personnel. Through inadvertent action or simple mistakes, data can be compromised by how personnel handle procedures and/or fail to completely follow through with fulfilling security requirements.

All staff charged with handling personal data should be trained on the changes required by GDPR regulations and how to maintain ongoing compliance including how to stay consent compliant, how to audit your technologies and vendors, what's involved in proper data sharing, transparency best practices, etc.

Factor #2 Processes

All processes for acquiring, storing, handling, and using personal data will need to be reviewed, including all third-party vendors (the Data Processor) the association may use. Special care must be taken to review all provisions of GDPR compliance and how they apply to every way the association and its partners handle data in order to adopt compliant processes.

For example, it's imperative that opt-in consent of third-party and first-party tracking cookies is “freely given, specific, informed and unambiguous” given by a “clear affirmative action.” In other words, you can't “pre-ticked boxes" or accept inaction by the user as being within the handrails of legal consent.

Your association is responsible for providing notice and obtaining consent for each technology in your digital ecosystem, including obtaining intentional, explicit consent for any outside parties that may have embedded tracking pixels or tags on the pages of these platforms to monitor website behavior.

Factor #3 Technology

The technological aspects of data security involve acquiring personal data, storing it, and transferring it to association shareholders charged with using it. GDPR stipulates that personal data must be processed in an appropriately secure manner including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage by the use of appropriate technical or organizational measures. This applies to both associations and their partners that handle personal data.

You can also use consent management platforms today to solve those opt-in headaches we discussed above in the "Factor #2 Processes" section. There are tons of tools today that conduct ongoing audits and live scans of all technologies you use, including the third-party redirect chains and non-secure tags, to eliminate the risk of compliance gaps.

Many of these tools also allow you to tailor your cookie consent messaging and record opt-in statistics. However, the features available really depend on the tool in question and your organization's consent requirements.

What’s the Risk of Non-Compliance?

Penalties and fines for non-compliance can be as high as 4% of annual revenue or €20 million, whichever is greater. Corrective measures range from simple warnings to temporary limitations of data processing to administrative fines and suspension of data flows.

Supervisory authorities established by the GDPR have advisory, investigative, and corrective powers to ensure privacy and consent compliance with the GDPR.

Here are the details of potential fines that can be imposed on your organization:

• a fine of up to €10,000,000, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
• a fine of up to €20,000,000, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year for the most severe forms of a breach.

Beyond the eyebrow-raising financial consequences, you also risk exposure to:

• regulatory enforcement and private litigation
• remediation costs
• reputational damage
• business continuity disruptions

IBM’s annual Cost of a Data Breach Report 2021 found that data breach costs rose from $3.86 million to $4.24 million. The costs of data breaches have been rising for years, but 2021 was by far the highest average total cost in the report’s 17-year history, mainly because of the increase in remote work and distributed working environments.

Regulators haven’t just been targeting the big hitters either. Substantial fines are increasingly being levied on smaller organizations as well.

Simply put, punitive measures will cause a major GDPR impact on associations that are unable to comply within the specified timeframe. Regardless of the size of your organization, improving your cyber policies around information security and data protection is imperative to dodge rising non-compliance penalties and the aftermath of data breaches.

Data breach notification

If your organization is affected by a personal data breach, you must report infringement asap to avoid penalties.

You have a maximum of 72 hours to report the details of the data breach to the Department of State’s Privacy Office or appropriate supervising authority.

This data breach notification should include the amount of PII affected, the potential impact, and how your organization responded. You must also inform everyone impacted in the appropriate manner and turnaround timeframe.

GDPR Compliance vs. New AI Regulatory Agenda

The European Data Protection Authorities (DPAs) are laser-focused on addressing the risks that AI/ML technologies pose on privacy rights without curtailing AI innovation and funding.

However, there are some discrepancies between the EU's proposed AI Regulation and GDPR personal data processing guidelines. While it's possible to deploy AI Regulation in a manner consistent with GDPR protocols, the extent to which AI fits into the GDPR framework is debatable.

Namely, the GDPR doesn't provide sufficient guidance on preventive, risk-based requirements for storing and processing special categories of personal data. The new AI Regulation attempts to shed light on this misalignment by allowing for the use of pseudonymisation and advanced privacy measures.

Pseudonymisation is a de-identification process that uses encryption to reduce the chances of linking PII datasets to the individual. Pseudonymisation supports lawful data repurposing, sharing, and combining as defined by the GDPR, so it can technically be used when complete anonymisation isn’t possible.

Future of GDPR-Compliant AI Regulation?

The new AI legislation, which is still in negotiation, seeks to establish a future-proof AI legal framework. The AI Regulation is expected to take effect at the end of 2022 as part of the EU’s Artificial Intelligence Act (AIA).

GDPR-compliant AI prescriptions may need to be expanded and made more concrete if AI is deployed in alignment with EU's privacy law.

AI-driven marketing and analytics tools already have a huge influence in every sector of industry, including the association space. And the uptake of AI will only become more pronounced.

Plus, automation and security artificial intelligence (AI) is the best weapon against data breaches. Security AI has the biggest cost-mitigating effect, saving organizations up to $3.81 million in one year. And in today’s data economy, AI-driven predictive analytics is key to monetizing your data.

Regardless, the contrasts between GDPR compliance and AI compliance shouldn’t be too consequential as the regulations will likely align naturally over time in order to further transparency, security, and data governance while also improving user experience, personalization, and operational efficiency.

GDPR Compliance vs. China's PIPL

China's long-awaited Personal Information Protection Law (PIPL) went into effect on November 1, 2021, adding another layer of complexity with respect to compliance.

This serves as a landmark data protection law for any organization that handles personal data in China.

PIPL is the first comprehensive legislation covering personal information that the Standing Committee of China's National People's Congress has passed to date. Per Article 1, PIPL aims to:

• "protect the rights and interests of individuals"
• "regulate personal information processing activities"
• "facilitate reasonable use of personal information"

From a legal standpoint, the PIPL largely resembles the GDPR with respect to personal information rights and the definition of consent. However, the PIPL requires separate consent for certain types of data processing.

More notably though is that PIPL also allows organizations to take a risk-based approach towards privacy compliance.

Considering GDPR's absence of a risk-based compliance framework, PIPL could be a game-changer for the safe deployment of AI. It's likely that PIPL could offer a basic conceptional structure for AI deployments under the EU's proposed AI legislation, as well as for future regulations requiring a risk-based approach towards data privacy practices.

5 Steps to GDPR Compliance

1. Work with marketing and IT to gain greater visibility into your digital ecosystem and then map out all sites and technologies, including where, how, and when tracking pixels fire. You may consider leveraging an automated compliance solution to assist in this audit process, but it's still important to talk to your team and all players involved to improve transparency.
2. Analyze the data that you, your vendors, and their partners are collecting, as well as how it's collected and why.
3. Assess the legality of all data collection activities, and develop a process for obtaining permission to collect personal data when there's no valid legal basis.
4. Establish internal processes and infrastructure to accommodate the variety of data privacy rights under the GDPR. One example is to create a dedicated privacy channel where members and online users can submit requests.
5. Ensure your website and all software systems uphold "data protection by design and by default" measures under GDPR mandates. Transparency and user control over personal data should be prioritized from the get-go.

Wrap Up: GDPR Compliance for Associations

Engaging in “privacy theatre” – doing the bare minimum to comply with GDPR and avoid fines – is no longer enough.

GDPR compliance and proactive privacy programs are critical to leaning into your organization’s digital transformation, preparing for potential disruptions down the road, and harnessing data’s economic power in the global digital ecosystem.

Want to better understand where your organization stands on compliance and cybersecurity in a changing world?

At Cimatri, our ‘Disruptioneers’ are experienced association leaders who get their hands dirty with all measures pertinent to reaching compliance with GDPR such as policy governance, digital strategy, workforce culture, service design, and association IT.

Take our security assessment to measure your exposure and level of compliance and get a lens into factors that can minimize your security vulnerabilities and potential financial damages.