The New World of Global Data Protection

October 27, 2017 By: Thomas G. Foley, CAE

The European Union’s new General Data Protection Regulation goes into effect in May 2018. Now is the time for associations to study up on the new rules and understand what they mean for how they will be required to handle personal data related to residents of EU countries.

Data security and protection continue to make headlines in the United States and abroad, and after four years of preparation and debate, the European Parliament and European Council approved the General Data Protection Regulation (GDPR) in April 2016. After a two-year grace period, the new rules will take effect on May 25, 2018.

The GDPR marks a significant shift in the ways organizations will be required to handle personal data of residents of EU countries, and many associations are just starting to look closely at how the new rules will affect their data protection strategies. During the 2017 ASAE Annual Meeting and Exposition in Toronto, I moderated a discussion—joined by panelists Terrance Barkan, CAE (Globalstrat), Marc Beebe, CAE (IEEE), and Alfons Westgeest (Kellen Company)—to discuss with association leaders why organizations should be paying attention.

What is GDPR?

GDPR was initially developed by the European Commission in 2012 to strengthen and unify data protection across the EU. It includes specific provisions for the handling of personal data exported outside the EU. It imposes mandatory reporting for data breaches, heavier sanctions for noncompliance, revised consent criteria, and much more. Under these rules, any organization that maintains and uses European member or customer data, even if it is hosted in the U.S., will be subject to these regulations.

What Does GDPR Cover?

The regulation covers the processing of “personal data” that relates to “data subjects” by or on behalf of a “data controller.” By definition, “personal data” is any information that relates to an identified or identifiable natural person (the “data subject”). An identifiable natural person is anyone who can be identified, either directly or indirectly, by things like a name, identification number, location data, online identifier, or data that relates to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.

Based on this broad definition, it is clear that “personal data” applies to much of the data that associations hold on their members, prospects, former members, sponsors, donors, meeting attendees, and others. Some personal data is categorized as special data by GDPR and is subject to greater restrictions, including data about religious or philosophical beliefs, health, racial or ethnic origin, trade union membership, political beliefs, and sex life or sexual orientation.


What Requirements Does GDPR Impose?

GDPR has several requirements for compliance measures and safeguards, including privacy by design and by default, data protection impact assessments, a comprehensive record of data processing activities, and reporting of data breaches.

The principle of accountability implies that data controllers must be able to demonstrate compliance with the following six privacy principles:

  • Lawfulness, fairness, and transparency in the processing of personal data.
  • Purpose limitation. Personal data is obtained for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
  • Data minimization. Data processed is adequate, relevant, and limited to what is necessary.
  • Accuracy. Personal data is accurate and, where necessary, kept up to date.
  • Storage limitation. Personal data is not kept longer than necessary. However, data aggregated for archiving and research purposes can be kept longer, always subject to safeguards.
  • Integrity and confidentiality. Adequate technical and organizational measures must be in place to guard against unauthorized or unlawful processing, loss, damage, or destruction.

GDPR in Action

Associations should be taking steps now to determine what they need to do to comply with GDPR when it becomes effective next year.

First, don’t panic. Determine your association’s level of exposure and ask: How much data should we collect from the EU? Do your due diligence, and start preparing now. You can break this work down into three main areas: understanding the regulation, figuring out a technical solution, and assessing how it will impact your marketing and communication efforts.

Find experts and resources that can help you navigate GDPR. Even if you have in-house counsel, they’re probably not experts in data privacy—let alone GDPR. You’ll likely need some outside assistance. Fortunately, many resources are available online, including some guidelines and related materials published by the European Commission.

Every association needs to assess its situation and risk and take necessary steps to protect members’ data. Having a strong risk management strategy that addresses data management and privacy policies is a good start.


Thomas G. Foley, CAE, is vice president of membership and customer development at the Institute of Food Technologists.