With the increasingly widespread adoption of digital marketing technologies and social media platforms across the world, collecting large amounts of detailed data to build realistic, personal profiles of a given individual has become relatively easy. Almost equally (and frighteningly) straightforward is the ability for this data to fall into the wrong hands, often with grave consequences – stolen identities, theft, hacked corporate networks, leakage of sensitive information, etc. Data privacy has become a major topic of concern in the past few years, and global regulatory bodies have been working to figure out the best course of action to make our online worlds more secure.
What is the GDPR?
As a direct result, most of us have by now heard of or participated in the ongoing debates around the new data privacy law that will shortly be introduced in the EU. On May 25, 2018 this new data regulation, known as the General Data Protection Regulation (GDPR), will go into effect. It has been put forth by the European Parliament, the Council of the European Union, and the European Commission to strengthen and standardize data protection for all individuals within the European Union (EU). It is important to note that it applies to any digital property (even those created by organizations headquartered outside the EU) and to anyone visiting said property from within the EU, whether they are an EU citizen or not.
There are several facets to this new regulation and they become pertinent to an organization depending on the type of information it collects on its audiences, members, and customers, and the technologies and methods it uses to collect, store, transfer, and secure this information. Therefore, to further understand the GDPR, it helps to look at the regulation in the context of organization type, industry, and technology stack. For example, an Association that uses an AMS like Personify to keep track of its members and their behaviors, preferences, and interactions with the organization, will need to adhere to specific clauses of the law.
Impact of the GDPR on Organizations that Store Member Data
With the GDPR, audiences and members in the EU that are accessing digital properties from organizations that use Personify, or similar membership management solutions, have various rights regarding the collection and storage of their personal data on the platform.
For an organization to store personally identifiable user data (such as name, address, or any other data that singlehandedly or in combination with other collected data makes a user identifiable), consent must be sought, obtained, and recorded according to the new GDPR guidelines.
The organization must:
1. Use clear and plain language (read: no confusing jargon or legalese) to obtain consent.
2. Request and obtain an individual’s affirmative and granular consent. An example of this might be via a pop-up on the site or an additional checkbox field in the registration process that specifically asks for consent and prevents further usage without it. The box can’t be checked by default or consent assumed to be given simply because the individual is accessing the site.
3. Stop processing any identifiable data if an individual denies consent.
4. Provide a mechanism for individuals to withdraw consent that is as easy as it was for them to give consent.
Provided an individual has granted consent to an organization to store identifiable user data, for the sake of personalization or other processing activities, the organization must abide by the following data security guidelines.
1. Pseudonymize or encrypt any identifiable personal data.
2. Have a process in place for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the data.
Individuals have a right to request and receive all personal data that an organization stores about them. This data should be in a structured, commonly used, and machine-readable format (e.g. .csv, .xls, .xml, etc.) and should be provided in a timely manner upon request.
In addition to being able to request the data about them that is being stored by an organization, individuals have a right to request deletion of all their data that has been collected to date. If an individual requests erasure of his/her data, the organization must delete all identifiable data for that individual, across all technologies and databases in play, and should provide confirmation that this erasure has occurred.
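The pseudonymization requirement above and the portability and erasure rights together suggest one data layout: keep behavioural data keyed only by a pseudonymous token, keep the token-to-identity mapping in a separate, access-controlled store, and derive the token with a keyed HMAC rather than a plain hash (a plain hash of a small member id could be re-derived by anyone who guesses the id). The following is an added example, not code from the original article or from Personify; the member records, field names, and function names are constructed for illustration.

```python
"""Pseudonymization of member records with a separable identity map.

Constructed example: the member records below are made up, and the key
is generated in-process; in a real deployment it would live in a key
management service, stored apart from the pseudonymized data.
"""
import csv
import hashlib
import hmac
import io
import secrets

# Constructed sample member records (not real people).
MEMBERS = [
    {"member_id": 1001, "name": "Ada Example", "email": "ada@example.org",
     "country": "IE", "events_attended": 3},
    {"member_id": 1002, "name": "Ben Sample", "email": "ben@example.net",
     "country": "DE", "events_attended": 0},
]

# Fields that identify a person alone or in combination; everything else is
# treated as behavioural data that may be analysed under the pseudonym.
IDENTIFYING_FIELDS = ("member_id", "name", "email")


def new_key() -> bytes:
    """Generate a 256-bit pseudonymization key (hypothetical helper)."""
    return secrets.token_bytes(32)


def make_token(key: bytes, member_id: int) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the member id.

    Without the key, a token cannot be linked back to a member id even if
    the attacker can enumerate every plausible id.
    """
    return hmac.new(key, str(member_id).encode(), hashlib.sha256).hexdigest()


def pseudonymize(members, key):
    """Split records into pseudonymized analytics rows and an identity map.

    analytics_rows carry no direct identifiers, only the token; identity_map
    is the sole link back to the person and must be stored separately.
    """
    analytics_rows = []
    identity_map = {}
    for rec in members:
        token = make_token(key, rec["member_id"])
        identity_map[token] = {f: rec[f] for f in IDENTIFYING_FIELDS}
        row = {f: v for f, v in rec.items() if f not in IDENTIFYING_FIELDS}
        row["token"] = token
        analytics_rows.append(row)
    return analytics_rows, identity_map


def export_member_data(member_id, key, analytics_rows, identity_map) -> str:
    """Data-portability export: everything held about one person, as CSV.

    Returns an empty string when nothing is held for that member.
    """
    token = make_token(key, member_id)
    identity = identity_map.get(token)
    if identity is None:
        return ""
    rows = []
    for r in analytics_rows:
        if r["token"] == token:
            merged = dict(identity)
            merged.update({k: v for k, v in r.items() if k != "token"})
            rows.append(merged)
    if not rows:
        rows = [dict(identity)]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def erase_member(member_id, key, analytics_rows, identity_map) -> bool:
    """Right to erasure across both stores, returning a confirmation.

    True only when the identity-map entry existed and no row carrying the
    token remains in the analytics store.
    """
    token = make_token(key, member_id)
    removed = identity_map.pop(token, None) is not None
    analytics_rows[:] = [r for r in analytics_rows if r["token"] != token]
    return removed and all(r["token"] != token for r in analytics_rows)


if __name__ == "__main__":
    k = new_key()
    rows, ident = pseudonymize(MEMBERS, k)
    print(export_member_data(1001, k, rows, ident))
    print("erased:", erase_member(1001, k, rows, ident))
```

Deleting the identity-map entry is what makes the remaining analytics rows unlinkable; erasing those rows as well is what the text's "across all technologies and databases in play" requires, and the boolean return is the confirmation the organization is expected to provide.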
In all scenarios, technology providers can play a supporting role in ensuring that their platforms provide the needed frameworks and features for adhering to the regulation.
Determining Non-Compliance Following a Security Breach
As can be seen, these new regulations will have significant impacts on every organization that operates digital properties accessible within the EU, and collects data on the visitors that use these solutions.
If a security breach occurs and an organization isn’t compliant, it will be charged with large fines (in the millions of dollars), the amount of which will depend on the following:
• How many people were affected and how much damage was suffered by them
• Whether the infringement was intentional or negligent
• Whether any steps were taken to mitigate the damage
• The types of personal data involved
• How regulators found out about the infringement
Updating Solutions and Processes to be Compliant with the GDPR
To meet the noted requirements and ensure compliance, some work will be needed to understand what member data is stored within the membership management platform, how that data got there, how it is secured, etc.
As a digital agency with over 18 years of experience in the space and with clients across numerous verticals, technology stacks, and business processes, we have invested a considerable portion of the past few months in researching the new regulation and understanding its impact on our clients and their digital programs. We have built expertise in preparing them to become compliant with the GDPR, and our efforts start with audits of their digital solution to understand the following:
1. Is there a consent model in use today (covering cookies and other forms) that can be leveraged to meet the GDPR consent guidelines?
2. In Personify and other integrated systems,
a. What personal data is being stored?
b. Where did it come from?
c. How was it collected (with consent, opt-in, etc.)?
d. With whom/how is it shared?
e. How secure is this data?
3. Are there tools in existence today that can support data portability and data erasure?
This is a starting point for a comprehensive process. Based on the results of this audit, we’re able to identify gaps between the existing solution and the GDPR requirements. We then provide recommendations on the steps that need to be taken to make the solution fully compliant and create a security breach response plan should a data breach occur.
Data Protection is Always a Good Idea
Regardless of its scope of application, the GDPR provides organizations with valuable guidelines that they can use to ensure the safety of all their member and customer data (even that of individuals outside the EU), and deliver on their brand promise of being an entity that people can trust and value. As the importance of data privacy and security increases, legal regulations that apply to these topical areas will only become more prevalent. It is imperative that organizations get ahead of the law and take the necessary steps to ensure that their digital solutions and workflows are in compliance.
Sunil Nagpal is a Manager in the Business Systems Analysts team at Velir. In addition to mentoring and identifying best practices for the group, at large, Sunil’s role on client projects is to help bridge the gap between the business and the technology.
Velir is a fully-integrated digital agency that is passionate about improving how associations communicate and connect with their members. For over 18 years, they have partnered with associations and membership organizations to define digital strategies, redesign websites, integrate AMS platforms, and execute digital marketing initiatives, all with the end goal of providing more value to both the organization and its members.