November 6, 2018
Back in the spring, association forums and blogs were buzzing about GDPR myths and facts as the May 25 deadline approached. Five months later, crickets. So, why are we talking about GDPR now and why should you care about GDPR if you’re not a global organization? Because federal regulations are inevitable, so it’s wise to prepare your association for new data privacy laws.
The purpose of GDPR, the European Union’s General Data Protection Regulation, is to return control of personal data to the individual. Recital 1 of the GDPR states: “The protection of natural persons in relation to the processing of personal data is a fundamental right.”
The GDPR chapter on the “rights of data subjects” includes the:
If you hold or collect personal data of individuals in the EU (GDPR applies to data subjects in the EU regardless of their citizenship), even one record of a member, customer, attendee, student, or prospect, that processing falls under GDPR. Ask around on ASAE Collaborate or SAE communities for referrals to consultants who can help you set up the data privacy policies and procedures you’ll need going forward.
Association consultant Terrance Barkan said in a Collaborate discussion:
“GDPR compliance is not as onerous or difficult as most people expect, however, you need to do a proper analysis to determine what compliance looks like for your organization.”
The U.S. doesn’t have a universal privacy regulation except for heavily regulated industries such as banking and healthcare. But some type of privacy regulation is likely, considering the outrage over recent Facebook and Google data breaches.
Tech companies like Amazon, AT&T, and Apple have spoken to Congress about the need for a federal privacy law. They want to get ahead of any Congressional action so the law won’t be as onerous as the GDPR. Privacy advocates have also testified before Congress. Naturally, they envision a different type of regulation.
The momentum is building among lawmakers to draft data privacy legislation. Sen. Richard Blumenthal said:
“Until there is an effective enforcer at the federal or state level, with federal standards backed by strong resources and authority, consumers will continue to be at risk.”
The Washington Post surveyed cybersecurity leaders and found “they favored federal legislation because it would help replace the patchwork of state laws that govern data breach notification in the United States.” Rep. Jim Langevin has already introduced legislation to create a national breach notification standard. “This is bad for business and bad for consumers, who are treated differently depending on where they live,” he said.
If the U.S. adopts a privacy regulation, it probably won’t be as complicated and expensive as GDPR. But some states have already taken action. The California Consumer Privacy Act of 2018 (CCPA)—called GDPR-lite by many—goes into effect on January 1, 2020.
The CCPA is the toughest privacy law in the country. It doesn’t go as far as GDPR in terms of requirements and penalties, but it gives consumers many rights concerning their personal information. The CCPA applies to organizations that meet or exceed one of the following thresholds:
Depending on your association, you might not have to deal with GDPR or CCPA now, but it’s only a matter of time before federal (or state) regulations affect you too. Get out in front of this issue so you aren’t under duress later. Barkan said:
“It is far better and easier for an organization to adopt best practices and treat all of their data in a similar fashion than it is to try and have unique systems and processes for different jurisdictions.”
1. Treat this as an opportunity to implement privacy-by-design data practices and standards. Start by putting together a data governance team — a cross-functional team of representatives from departments that collect and use data.
2. Review how your association collects and uses data. In response to GDPR, some associations are creating a data inventory and data flow maps to help them understand how data comes into their organization and how data is used throughout their organization.
3. Develop a data governance plan with policies and practices that take the individual’s privacy into consideration. For example, you may decide to stop collecting data you don’t use, stop purchasing third-party lists, and stop adding contact information from collected business cards to your database.
5. Your organization’s disaster recovery and business continuity plan should include a data breach response plan. All states currently require data breach notifications, although none are as stringent as GDPR’s requirement to notify the supervisory authority within 72 hours of becoming aware of a breach.
6. Make sure everyone on an email list has opted in to that list, and keep a record of when and how each person consented so you can demonstrate it later. Give members the ability to subscribe and unsubscribe from specific newsletters and types of emails. But, remember, interests and preferences change over time, so encourage them to review their selections at least once a year.
7. Review your contracts with technology partners to make sure you can honor an individual’s right to object and right to be forgotten (erasure), and meet data breach notification deadlines. Ask your technology partners how they handle your data as a processor, and how they will assist your association as the controller of that data.
8. Take this opportunity to provide leadership to your members. Keep them educated about privacy regulations they need to comply with now and will likely have to comply with in the near future. Many of your members may not have the resources to hire consultants so consider providing webinars, checklists, tip sheets, case studies, in-person roundtables, and a data privacy discussion group in your online community.
Data privacy is part of business as usual now. MemberSuite is helping clients comply with data protection regulations, and your association can help your members and member companies stay in compliance by sharing smart data practices with them.
To learn more about GDPR and smart data privacy practices, check out these resources from ASAE: