Time’s up! GDPR—the European Union’s General Data Protection Regulation—went into effect on May 25, 2018. Since the EU approved GDPR on April 14, 2016, association technology firms have had lots of time to prepare for GDPR. In this post, we describe what your technology providers should do to help your association comply with GDPR.
We also provide tips on some of the things staff should do to help their associations comply with GDPR—just in case you haven’t done them already. But, please keep this caveat in mind: we’re not providing legal advice here, we’re merely sharing some of our thoughts on GDPR compliance.
As the GDPR deadline approached, the full impact of this new regulation became more apparent. Complying with GDPR isn’t only about developing a new privacy statement and opt-in forms. It also means:
- Asking co-workers and technology partners a lot of questions.
- Rethinking how you collect and use data.
- Reviewing and revamping how you market.
- Developing new policies and practices.
GDPR forces all of us to treat the data we collect and use with more purpose and transparency.
Why us? We’re not a European or international association.
Since GDPR governs the personal data of EU citizens, many wonder why their association has to worry about it. Well, are you completely confident that you haven’t tracked or collected (or won’t collect in the future) the personal data of any EU citizens? Here are a few ways an EU citizen could end up in one of your systems:
- Working for a US member firm but a citizen of the EU.
- Dual citizen of an EU nation and the US who registers for an event.
- An EU citizen with a Gmail address who signs up for a newsletter or downloads a PDF.
Many privacy experts believe the US and other nations will adopt similar regulations given the ongoing complaints about Facebook and Google data practices. Just this week, a US senator said:
“Facebook’s secret data sharing partnerships raise urgent new reasons for stronger privacy protections—beginning with a privacy bill of rights modeled on Europe’s new rules (GDPR).”
By complying with GDPR, you’re ahead of the game.
Why us? Our people want us to use their data.
The people who use your LMS or subscribe to a newsletter have voluntarily entered a mutually beneficial relationship with you, that’s true, but relationships change. You must be prepared to comply with their requests concerning their personal data.
Data processor vs data controller
The GDPR comes with its own set of jargon.
- Members, customers, and system users are “data subjects.”
- LMS, AMS, CMS, and other technology partners are “data processors.”
- Your association is the “data controller.”
Data processors—your software partners—can help your association remain GDPR-compliant by providing the features and functionality you need to follow the rules. Technology should be GDPR-friendly and administrator-friendly—that’s what you should expect.
How technology vendors can help associations comply with GDPR
Let’s take a look at the different areas of GDPR compliance: what you should expect from your technology partners and what you need to work on yourself.
Consent to collect data
You can’t assume system users are okay with you using their data because they’re using your system—although common sense would lead you to believe that. You have to be up-front and transparent about what you’re going to do with their personal data.
Right from the start, tell users:
- What personal data you track or store
- Why you collect it
- How you use it
- Who has access to it
- How users can correct, delete, or request copies of their personal data
A pre-checked box doesn’t count as consent. Passive acceptance doesn’t count either. You can’t assume someone consents because they didn’t raise an objection when you emailed your policy to everyone.
You must be able to prove that users gave their consent to the ways you plan to use their data, for example, storing their personal data in your LMS, sending marketing messages about educational programs, and sending notifications about the online course they’re taking. Administrators should be able to track when users have agreed to a particular version of a policy with a time-stamped audit trail.
If your privacy terms change, you should be able to require users to re-accept them the next time they access the system. You also must have a way to identify anyone who needs to consent to an updated policy.
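The consent requirements above (an explicit action rather than a pre-checked box, a time-stamped record tied to a specific policy version, and a way to find everyone who must re-accept after the policy changes) translate into a small append-only ledger. The following is an added example, not code from this post or from any LMS or AMS vendor; it assumes an in-memory list standing in for a database table, and the user names, purpose names and policy version labels are constructed sample values.

```python
"""Consent audit trail with policy versioning (added example, not the post's code).

Assumes an in-memory list stands in for a database table; purposes, users and
policy version labels are constructed sample values."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    """One immutable audit-trail entry: who agreed to (or withdrew from) what, and when."""
    user_id: str
    purpose: str          # e.g. "marketing_email" or "course_notifications"
    policy_version: str   # the exact version of the policy text the user saw
    granted: bool         # True = opt-in, False = withdrawal / objection
    recorded_at: datetime


@dataclass
class ConsentLedger:
    """Append-only log: events are never edited, so the history can serve as evidence."""
    events: List[ConsentEvent] = field(default_factory=list)

    def record(self, user_id: str, purpose: str, policy_version: str, granted: bool,
               *, explicit_action: bool = True, when: Optional[datetime] = None) -> ConsentEvent:
        # A pre-checked box, silence, or an unanswered policy email is not consent:
        # the caller must assert that the user actively opted in.
        if granted and not explicit_action:
            raise ValueError("consent requires an explicit user action")
        event = ConsentEvent(user_id, purpose, policy_version, granted,
                             when or datetime.now(timezone.utc))
        self.events.append(event)
        return event

    def latest(self, user_id: str, purpose: str) -> Optional[ConsentEvent]:
        """Most recent decision for this user and purpose (appends are chronological)."""
        for event in reversed(self.events):
            if event.user_id == user_id and event.purpose == purpose:
                return event
        return None

    def has_valid_consent(self, user_id: str, purpose: str, current_version: str) -> bool:
        """Valid only if the latest event is an opt-in to the *current* policy version."""
        event = self.latest(user_id, purpose)
        return event is not None and event.granted and event.policy_version == current_version

    def needs_reconsent(self, user_ids: Iterable[str], purpose: str, current_version: str) -> List[str]:
        """Who must be asked to re-accept the next time they sign in."""
        return [u for u in user_ids if not self.has_valid_consent(u, purpose, current_version)]

    def history(self, user_id: str) -> List[ConsentEvent]:
        """Everything recorded for one data subject, e.g. to answer an access request."""
        return [e for e in self.events if e.user_id == user_id]


def demo() -> dict:
    """Walk through the scenarios from the post with constructed sample data."""
    ledger = ConsentLedger()
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    ledger.record("alice", "marketing_email", "privacy-v1", True, when=t0)
    try:  # a pre-checked box is rejected by the ledger
        ledger.record("bob", "marketing_email", "privacy-v1", True, explicit_action=False)
        prechecked_rejected = False
    except ValueError:
        prechecked_rejected = True
    before_update = ledger.has_valid_consent("alice", "marketing_email", "privacy-v1")
    # The policy changes: everyone must re-accept "privacy-v2" on next login.
    to_ask = ledger.needs_reconsent(["alice", "bob"], "marketing_email", "privacy-v2")
    ledger.record("alice", "marketing_email", "privacy-v2", True, when=t0.replace(day=26))
    after_reaccept = ledger.has_valid_consent("alice", "marketing_email", "privacy-v2")
    # Alice later objects to marketing; the earlier opt-in stays in the log as history.
    ledger.record("alice", "marketing_email", "privacy-v2", False, when=t0.replace(day=27))
    return {
        "prechecked_rejected": prechecked_rejected,
        "before_update": before_update,
        "to_ask": to_ask,
        "after_reaccept": after_reaccept,
        "after_objection": ledger.has_valid_consent("alice", "marketing_email", "privacy-v2"),
        "alice_events": len(ledger.history("alice")),
    }


if __name__ == "__main__":
    print(demo())
```

The key design choice is that consent is keyed to a policy version, so a policy update automatically invalidates old opt-ins and `needs_reconsent` yields the list of people to prompt at their next sign-in; nothing is ever overwritten, which is what makes the log usable as proof.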
Collection of data
The GDPR stipulates that “only personal data which are necessary for each specific purpose” should be collected. Make a plan to regularly review the data in your care so you can decide to stop collecting data you no longer need. Document everything you decide: why you collect certain types of data, how you’re using it, and who has access to it.
Develop a process for reviewing old records. For example, you need to keep educational history but should you keep former students on your marketing list if they haven’t opened an email in three years? Develop prospect-friendly marketing practices that are in compliance with GDPR.
Use of data
If a system user has a question or request concerning their personal data, you must be able to respond quickly. Users have the right to see what data you have. You need a process in place to comply with their request and your system must be able to handle that process.
Users also must be allowed to update, correct, or complete their profile information in your LMS, AMS, and other systems, or contact the administrator to have it updated.
Data subjects have the “right to object” or opt out of certain uses of their data, for example, marketing emails. Give people control over what they receive from you—they’re more likely to opt in to certain communications when they have a choice. Maybe they want emails about their membership renewal but not marketing emails—that’s up to them, not you. Emails are considered essential, in the GDPR context, if you have a legitimate reason for sending them. You may need to inform your users that they cannot opt out of email notifications from your LMS because those emails are a core element in their education program.
You must have the ability to set up workflows and processes so you can respond to these requests—make sure your system has that functionality.
Protection of data
Security should always be a focus for your technology partners. If your software provider causes a breach, your association is still liable. Make sure your system partners have processes in place for regularly testing and assessing the effectiveness of their cybersecurity measures. Don’t be shy. Ask them for details so you can feel confident about the security of the data in your care.
If a breach of security occurs, you must meet the 72-hour notification deadline established by GDPR. How will you know when a breach occurs? Ask your vendor for those details.
On your side, regularly review who has access to the data you collect. Work with your IT team to ensure that staff are following the appropriate security measures. Require security awareness training for any staff with access to data.
Destruction of data
EU citizens have the “right to be forgotten,” that is, the right to have their data deleted. You must be able to permanently delete a user, if they request it, as well as all records of them from any underlying audit trails and records. If you need that data for system-critical records, you must have the ability to pseudonymize it. Develop a process for requests of this type and ask your vendor how you can use their system to comply.
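The split the paragraph above describes, hard-deleting what is no longer needed while pseudonymizing records the system must keep, looks like this in code. This is an added example, not code from the post or from any vendor's product; it assumes a handful of in-memory dictionaries standing in for LMS tables, and the user ids, names, addresses and the HMAC key are constructed sample values.

```python
"""Erasure request handling with pseudonymization (added example, not the post's code).

Assumes in-memory dicts stand in for LMS tables; ids, names, addresses and the
key are constructed sample values."""
import hashlib
import hmac
import json
from typing import Iterable, List

PII_FIELDS = ("name", "email", "phone")


def sample_store() -> dict:
    """Constructed sample data standing in for profile, marketing, completion and audit tables."""
    return {
        "profiles": {
            "u-1001": {"name": "Ada Example", "email": "ada@example.org", "phone": "+1-555-0100"},
            "u-1002": {"name": "Bob Sample", "email": "bob@example.net"},
        },
        "marketing_list": [{"user_id": "u-1001", "list": "webinars"},
                           {"user_id": "u-1002", "list": "webinars"}],
        "completions": [
            {"user_id": "u-1001", "course": "GDPR-101", "completed": "2018-03-02", "email": "ada@example.org"},
            {"user_id": "u-1002", "course": "GDPR-101", "completed": "2018-03-05"},
        ],
        "audit_log": [
            {"ts": "2018-03-01T10:00:00Z", "user_id": "u-1001", "action": "login", "detail": "ada@example.org signed in"},
            {"ts": "2018-03-02T11:00:00Z", "user_id": "u-1001", "action": "complete", "detail": "GDPR-101"},
            {"ts": "2018-03-05T09:00:00Z", "user_id": "u-1002", "action": "complete", "detail": "GDPR-101"},
        ],
    }


def pseudonym_for(user_id: str, key: bytes) -> str:
    """Keyed hash: the same subject always maps to the same token, but the token cannot be
    linked back without the key, which must be stored separately from the data."""
    digest = hmac.new(key, user_id.encode("utf-8"), hashlib.sha256).hexdigest()
    return "subj-" + digest[:16]


def erase_user(store: dict, user_id: str, key: bytes) -> dict:
    """Delete what is not needed; pseudonymize records the system must retain."""
    if user_id not in store["profiles"]:
        raise KeyError(f"unknown user {user_id}")
    profile = store["profiles"].pop(user_id)          # profile itself: hard delete
    identifiers = [user_id] + [profile[f] for f in PII_FIELDS if f in profile]
    pseudo = pseudonym_for(user_id, key)

    # Marketing-list entries serve no purpose once the person is gone: hard delete.
    store["marketing_list"] = [m for m in store["marketing_list"] if m["user_id"] != user_id]

    # Completion records underpin issued certifications: keep them, but re-key them to
    # the pseudonym and strip any identifying fields that were copied onto them.
    for rec in store["completions"]:
        if rec["user_id"] == user_id:
            rec["user_id"] = pseudo
            for f in PII_FIELDS:
                rec.pop(f, None)

    # Audit-trail entries keep timestamp and action, but lose every identifier, including
    # ones embedded in free-text detail fields.
    for entry in store["audit_log"]:
        if entry["user_id"] == user_id:
            entry["user_id"] = pseudo
            detail = entry.get("detail", "")
            for ident in identifiers:
                detail = detail.replace(ident, pseudo)
            entry["detail"] = detail
    return {"pseudonym": pseudo, "identifiers": identifiers}


def leaks_identifiers(store: dict, identifiers: Iterable[str]) -> List[str]:
    """Post-erasure check: which of the subject's identifiers still appear anywhere in the store."""
    blob = json.dumps(store)
    return [ident for ident in identifiers if ident in blob]


if __name__ == "__main__":
    store = sample_store()
    result = erase_user(store, "u-1001", b"constructed-demo-key")
    print(result["pseudonym"], leaks_identifiers(store, result["identifiers"]))
```

Two caveats worth building in from the start: the free-text search in `erase_user` and `leaks_identifiers` exists because identifiers leak into log messages and notes, not only into the columns you planned for; and a keyed pseudonym is only pseudonymous while the key is kept apart from the data, so the key needs its own access control (and destroying it is what turns the retained records into anonymous ones).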
Portability of data
Users have the right to move their data from your system to another service provider. They may want to transfer records of the online courses they’ve taken, certifications received, and the records of external courses or learning objects they entered into your LMS. If a request for data records is made, your association must meet the one-month deadline set in GDPR.
You must be able to export a person’s data in a user-friendly format: “a structured, commonly used and machine-readable format.” You should document how your system will make data transfer requests possible.
Rethink data governance
Hopefully, all your technology vendors were GDPR-compliant before the deadline; after all, their business depends on it. However, even though GDPR has been a hot topic in the association community, the conversation may not have reached everyone on staff at your association.
Do not assume your colleagues understand this new regulation or how your association has to think and act differently with the data in your care. Require GDPR training for anyone who has access to member, customer, prospect, and user data. It’s best for staff to follow GDPR-friendly marketing practices. For example, if they are given a business card by a prospect, it’s not “helpful” to add that person’s email address to marketing lists without documented consent.
If you don’t already have a cross-departmental data governance group, there’s no better time to establish one. Give this group the authority and responsibility to develop and evaluate data policies and practices.
The positive side of GDPR compliance
Although GDPR may bring temporary headaches, it also provides the opportunity to improve practices for the long term. Association technology consultant David DeLorenzo advised in a DelCor Technology Solutions post:
“Develop a policy of ‘privacy by design.’ Privacy must become an integral part of your business. Establish data protection safeguards in products and services from the very start, not as an afterthought, and strengthen contract language around data privacy.”
The “privacy by design” approach allows your members, customers, and LMS users more control over the data they provide. GDPR gives your association the opportunity to demonstrate the care and respect you have for their personal data. You may not have to apply GDPR measures to non-European members and customers, but as responsible stewards of their data, the GDPR-friendly approach will earn their trust and strengthen your relationship with them.