TAMING THE GDPR MONSTER
Krista Ferrell, Deputy Director, Strategic Programs
With only four months until the effective date, companies and organizations across the globe are scrambling to make sense of the European Union’s General Data Protection Regulation (GDPR) and ensure compliance come May 25, 2018. The association industry is no different. With the vast amount of information regularly collected about members, associations are looking deep within themselves to ensure that members and their data are well protected. Here at AMR, GDPR is at the forefront of our minds, as is the protection not only of data, but of our clients and how they successfully engage with their members to provide the best services, resources, and conferences while complying with the new regulations.
What is the GDPR? The General Data Protection Regulation was passed in April of 2016 and gives residents and citizens of the European Union the right to control how their data is collected, used, and stored. The GDPR’s expanded definition of personal data is vast and gives data subjects the authority not only to control their data, but also to understand, update, and delete their data at any time. The GDPR also further defines the roles of both the data’s controller and processor and their responsibilities for providing data subjects with clear, specific, and purposed descriptions of how the data will be used, who will have access, and how it will be stored. With penalties for non-compliance as high as 20 million euros, the rush to compliance is understandable.
Given the broad brushstrokes of the regulation, defining which members or parts of an association may be affected is difficult, as residents of the EU, as well as citizens across the globe, can be subject to the GDPR. In some cases, even those traveling in the EU or passing through can be subject. Merchant sales via association websites can also be impacted, as any product sold in the global marketplace has the potential to be purchased by EU residents and citizens. With this broad range of impact, many associations are opting to treat all data by EU standards to avoid data sorting and specialized treatment for segmented data pools.
Like many other companies, AMR is in the process of understanding the GDPR and its impact on our clients’ data by mapping data across the company, for each client individually, and for suppliers who may now be classified as ‘processors’. This data map will provide full visibility of the data and allow for trend and gap analysis. The next step will be a comprehensive plan not only to bring data into compliance, but also to keep data in compliance moving forward.
AMR will be doing a series of blogs on this most important subject, so stay tuned for more information and best practices related to GDPR. And, as an added resource, we’ve developed a GDPR FAQ that has some helpful information.