On May 25th, Europe’s General Data Protection Regulation (GDPR) takes effect. I’ve read some articles about organizations panicking, or even going so far as thinking about shutting down their website entirely. Don’t. This quick article will give you some context on the regulation and a comprehensive overview of what you need to do to become compliant with it.
The Sword of Damocles: To the civil society organizations that fear the GDPR for its lengthy articles and harsh penalties: you have nothing to fear. Reality tells a different story.
Disclaimer: No legal counsel. Please keep in mind that the world’s best blog post can never replace the personal legal advice of a lawyer specialized in data protection law.
- Don’t panic
- What to do now
For those eager to begin getting their organization ready for the GDPR, skip ahead to the "What to do now" section.
Don’t Panic
Although the ‘General’ Data Protection Regulation has a broad scope and applies to all organizations operating within the EU, including associations, clubs, charities and small businesses, it was designed to target firms using personal data for profit, says Vera Jourova, the European Commissioner for Justice.
The English and German media have warned over the last few weeks of unpredictable consequences and of unprepared organizations. Many now fear the penalties to come after the law takes effect on May 25th. Most of this fear stems from Article 83, Paragraph 5, which states:
Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
These penalties may appear draconian, but, as Ms. Jourova pointed out to AFP, most organizations need not fear harsh consequences, even if you’re reading this weeks after the 25th.
What to do now
First things first: Shutting down your website and destroying members’ personal information would be a stark overreaction. When considering how to comply with the GDPR you may find yourself wondering: ‘Can I still use the Excel file of member data on my PC?’, ‘Do I really have to contact members to get permission to use their data?’ or ‘Will I have to change my website?’. In short: no, probably, and definitely.
So what does your organization need to do? Let’s dive in.
- Data Controlling
- Data Ownership
- Data Management
- Your Website
1. Data Controlling: Which data do we need to gather and what is it used for?
Any membership organization needs personal information (meaning data that is “any information concerning an identified or identifiable natural person”) to administer members and pursue its purpose. This is of course totally legal. However, the GDPR requires any data collection to be bound to a purpose. The names and email addresses of your members are collected to contact them. Their bank accounts need to be known in order to direct debit member fees. The same goes for the distribution of this data: if one of the purposes of your entity is to connect its members with each other, sharing information on how members can be reached is crucial and legal. You store data about your members’ body height? If you are a Salsa Dancing Association and aim to match dancing pairs by height, fine. You collected it without purpose or out of interest in the average height in your association: probably not OK. You collected it for buying sports team outfits last year: alright. You probably get it by now: each process of data collection, storage and distribution has to be purpose bound. List the processes in which you collect data from members, where you store it, and to whom it is accessible. Be specific. Cross out those that make no sense for the purpose of your organization or company and forget about them.
Your procedures have to be written down and stated on your website, in your statutes or in an extra document available to members.
2. Data Ownership: How can I get members’ permissions to use the data?
If you are clear about what personal data you need to control, consent should be your next project. All members whose information you control have to clearly consent to how you collect, store and distribute that information. The form of this consent can be set differently in each nation of the EU. In Germany, we have one of the strictest regulations: a member has to actively confirm in written form that he or she consents to you handling his or her data. Additionally, this consent must be revocable at any time.
For those looking to collect member consent: you can send an email to all your members asking for permission to use their information, and record in your members’ Excel file which members have confirmed this and on which date.
For those who want to save time and make this process easier, I co-founded Unaty, a free community platform that helps to make your organization GDPR-ready easily and quickly. Learn more on how to get your organization ready in our step-by-step guide for GDPR readiness.
3. Data Management: How can we collect, store and distribute information in a secure, modern manner?
Article 32 of the GDPR requires personal data controllers and processors to “implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk”. Since the risk of a data breach is rather low at small organizations, no heavy security measures are necessary. Still, all organizations should consider some basic security, in their own interest and in that of the members who trust them with personal information. Those measures should include:
- Access permission management
- Central, encrypted and safe cloud storage of data
- Ability to recover data in case of loss
- Implementation of the GDPR-required rights of members to data erasure and data correction
Membership organizations would be well advised to store their member data centrally and securely. This can be done by creating one Excel file, storing it in a secure cloud service such as Dropbox or OneDrive, and managing access rights of members. A major complaint about this approach is the inherently static nature of the data being stored: it cannot be used effectively, be it to contact members with the most current contact information or to target specific groups of members with segmentation tools. This has led to the rise in popularity of community platforms, which combine secure member management with social and organizational tools. These platforms make it possible not just to manage but also to use your data to drive member participation and grow your community.
4. Your Website: What changes must we undertake to make our website GDPR compliant?
Your website collects its visitors’ personal data, even if you probably don’t know about it. Most of the commonly used out-of-the-box websites come with so-called cookies that collect data. For these cookies (and especially if you use third-party cookies like Google Analytics) you again have to obtain consent from the visitor of the website. If you are familiar with a bit of HTML programming, you can implement a ready-built cookie consent message into your site like this. On top of that, you will need to publish a brief Data Privacy Policy. A good template is the one of the England Athletics Associations; you need to customize it, of course.
Another solution is offered by Unaty: we can implement the whole cookie consent application and a Privacy Policy on your site. Check out our service here.
Some points that require additional measures:
- Do you transfer personal data of members to third parties, e.g. an employee or tax consultant?
- Are there many people involved in professionally processing member data? You may need a Data Protection Officer if there are more than 10 members on this.
- Do you offer any kind of e-commerce (like a merchandise online store) on your website?
I am no lawyer, but I am happy to share all the knowledge I gained while reaching GDPR compliance within my own company. If one of the points above applies to your organization or company, or you have any other problems with implementation, feel free to contact me at ahrens@unaty.de or my colleagues at Unaty at hello@unaty.de.