What You Need to Know about General Data Protection Regulation
If your association has members from the European Union (EU), does business in the EU, has vendors from Europe, or has residents from EU nations attending events in the U.S., you need to know about the General Data Protection Regulation (GDPR).

GDPR, which goes into effect on May 25, 2018, was adopted by the European Parliament to protect the privacy rights of EU citizens. It sets rules on how companies and organizations, including associations, must process personal data of EU citizens. What is processing? A better question might be, what isn’t processing. Processing refers to anything that is done to, or with, personal data, including collecting, storing, moving, deleting, using it for marketing or other purposes, and even viewing it.

The regulation does not start and stop within the boundaries of the EU; it applies to EU residents wherever they are in the world. So, if you offer goods and services to EU residents—like meetings, publications, webinars, etc.—you must comply with GDPR.

Personal data, as defined by the rule, is anything which makes the individual identifiable, either directly or indirectly. This includes names, mailing addresses, social security numbers, driver’s licenses or other IDs, photos, email addresses, social media posts, bank account information, medical information, and IP addresses, among others. Associations have this type of data on their members, prospects, former members, sponsors, and meeting attendees. Even if they just hold the data in their systems, let alone use it for marketing or other purposes, they must comply with GDPR.

There are six categories to lawfully process data – consent, legitimate interest, performance of a contract, legal obligation, vital interest, and public interest. The latter four are self-explanatory, but the two that will be of most interest to associations are consent and legitimate interest.

To process most personal data, associations must either get consent from the individual, or prove legitimate interest. Legitimate interest, as it relates to associations, may be when members or meeting attendees willingly offer up their information. When they give personal data to become members or register for a meeting, they are, in effect, giving their consent and that’s likely going to be considered legitimate interest, experts say. “We likely think that legitimate interest is going to be your lawful basis to continue to use that personal data for association related mailings, newsletters, promotions for conferences, webinars, and other purposes,” said Barbara Dunn O’Neal, partner at Barnes and Thornburg, speaking at a webinar on the subject. “In essence, someone who is a member of your organization is telling you, ‘here's my data, give me my service.’”

But if the association, for example, took that information and gave it to a third party, or used it for marketing purposes in a way that’s not related to the original purpose, then that could require consent from the individual. Consent must be “freely given, specific, informed and unambiguous,” the rule says. This means that pre-ticked boxes, where consent is assumed with no action or reply by the individual, or small print that asks for general consent for personal data usage, is not allowed. Consent forms must specifically outline what you are asking for, like: Can we use your data to let you know about future events? Or, can we use your data to conduct a survey? The language must be easily understood.

Failure to comply with the rule could result in fines or legal wrangling with a foreign government. The fines could be significant but are determined on a case-by-case basis, depending on the violation, circumstances, and country involved.

As stewards of the organization, association boards must make sure staff is prepared. Some questions to ask staff might be: What percentage of our membership is based in the EU? Have we conducted an information audit? What are other associations like ours doing about GDPR? What changes are staff recommending? What resources does staff need to comply? What is the timeline for development of an implementation plan by the association? Do we have GDPR agreements with third-party companies? Also, GDPR does require organizations that process large volumes of personal data to appoint a Data Protection Officer, so that’s another point to explore with staff. While this requirement wouldn’t apply to most associations, O’Neal suggests that an individual or team should still be charged with leading the effort.

O’Neal said many associations make the mistake of thinking GDPR is an IT issue, but it’s more of a documentation issue that encompasses all departments. “The associations I have worked with over the last several months have really worked to get every department head involved in this process,” she said. So, make sure staff is educated on and sensitized to GDPR, and that it has all the resources it needs to comply. It’s a complex regulation that goes far beyond privacy protections in the U.S. and encompasses much more than can be covered in one article, so it’s also best to consult with your attorney.
Board Forward is published 10 times a year by SmithBucklin, the association management and services company more organizations turn to than any other. SmithBucklin has served volunteer board members for 70 years.


Copyright © 2021 SmithBucklin. All Rights Reserved.