No More Monster: Operationalizing GDPR
Krista Ferrell, CPPB CPPO
As May 25th grows ever closer, GDPR (the European Union’s General Data Protection Regulation) continues to loom as a Goliath for many associations. Non-profits and for-profit companies alike are scrambling to reach compliance and to meet the needs of their customers in a new way, taking on new responsibilities for data security and management. For most, the task of interpreting this broad law and operationalizing it into something that makes sense for the day-to-day operation of the association can seem daunting and confusing.
I sat the other day talking with one of the Executive Directors here at AMR and she said, “Our volunteers are already giving so much to our organization and struggling to make time to be engaged, if we make this harder on them and add more things for them to do, I worry that it will impact their willingness to be a member of our organization.” I found it a powerful statement in articulating the nature of the struggle that associations face to implement GDPR.
The Impact on Our Members
First and foremost in our thoughts as association professionals is the impact GDPR will have on our members as we eagerly try to strike the balance between risk and protection; legitimate interest and consent; compliance and cost; and, most of all, customer experience and customer data protection. Without existing case law or legal opinion, we are left to interpret this behemoth in a way that is economically feasible and doesn’t overburden our organizational resources, all while protecting the association from the stiff penalties and fines that could occur. We must also consider the impact that GDPR will have on membership revenue, as well as other revenue sources, by creating processes which facilitate compliance without being overly complicated for our members to follow. It’s a lot to think about.
Looking on the Bright Side
While all this can feel rather daunting, there is no debate that GDPR embodies many best practices around data privacy and security, and that in this technological age full of cyber risk, we can empower our members to make good choices about their personal data. In that, there is a positive message that associations can take advantage of in marketing the changes to our members and leaders and in demonstrating the association’s value proposition. The other positive is that associations are not in this alone. From the mom-and-pop shop around the corner to corporate giants like Microsoft, Facebook, and Google, we have others who are helping to put this puzzle together, even without the picture on the box to tell us what it looks like. Software companies are making enhancements to make it easier for us to manage compliance, and our suppliers are formalizing their roles and responsibilities through contract amendments addressing GDPR.
As associations continue to dig in deeper and take a closer look, the GDPR monster may no longer seem quite so scary, as we begin to realize that our fears may be greater than what we actually need to do to make GDPR a part of our day-to-day operations.
Here are a few tips:
1.) Communicate: Prepare a communication plan for how you will share your organization’s changes with your members, sponsors, suppliers, and stakeholders. Focus on a positive message that champions your organization’s dedication to data security and explains how the changes benefit your audience. Have a FAQ sheet or list of talking points for leaders and staff to maintain the continuity of your message.
2.) Keep it Simple: Look for ways to continue the expected level of customer service by building GDPR compliance into forms that your members already complete or systems they already use. Enhance familiar processes, such as event registration or membership renewals, to obtain consent for the collection, use, and storage of personal data. Solicit input from members about ways to make compliance more user friendly.
3.) Get Help, if needed: You can always hire a consulting firm, but if that is cost prohibitive, there are many free resources and sources of information available. Organizations like the American Society of Association Executives (ASAE) and the Events Industry Council have resources on their websites, along with member resources and discussion groups. A good number of organizations, both non-profit and for-profit, are holding free webinars on GDPR compliance. Other associations are also a great source for sharing information and for figuring out how to operationalize the regulations for associations.
4.) Educate: Be prepared for a lot of questions about the changes. Being preemptive with training for leaders, volunteers, and staff, or developing a FAQ sheet that can be shared, can go a long way toward easing GDPR into the interactions of the association. Make data security a topic when onboarding new employees, volunteers, and leaders, especially those who have access to personal data, as those new to the organization will need to understand their roles and responsibilities around GDPR.
5.) Operationalize: GDPR is not a one-time to-do list, but an ongoing commitment to data protection. Develop annual review processes that champion continuous improvement and messaging to keep data security and compliance at the forefront of the minds of your leaders, volunteers, and staff. Add it to other annual review processes or yearly touchpoints to make it easier to manage, and designate a specific person within the organization who is responsible for maintaining compliance.