In the EU or Not, Your Association Needs to Be Ready for GDPR
Data protection is an important topic at the forefront for many in the IT industry. In the European Union (EU) the clock is ticking toward a major shakeup in the way data is collected and protected. Organizations in the EU, and globally, are scrambling to understand the requirements and ramifications of the upcoming implementation of the General Data Protection Regulation (GDPR).
What is GDPR?
GDPR is a regulation set forth by the European Parliament which establishes a new standard for consumer rights regarding their data. The goal of GDPR is to streamline the current convoluted data regulations across the EU, allowing EU citizens and residents to regain control over their personal data. The new regulations address the way people access the information organizations hold about them, oblige businesses to practice better data management, and enforce significant new fines on organizations that don’t comply. It will change how businesses and public-sector organizations (e.g. associations) can handle the information they have and will collect on their customers (members).
We’re Not Based in the EU; Why Does this Affect Me?
If an organization, even one based outside the EU, collects data concerning an EU resident, it is subject to the jurisdiction of the EU’s lead Supervisory Authority. A Supervisory Authority has the power to:
- Conduct audits
- Examine certifications
- Issue warnings where a GDPR violation appears to have occurred
- Order a processor or controller to comply with GDPR
- Suspend data flows it considers noncompliant
- Enforce limitations, even bans, on data processing
- Impose administrative fines for noncompliance
Simply put, if your organization is based in North America, or anywhere else outside of the EU, and you have any EU members, vendors, speakers, etc. whose data you collect or to whom you market, your organization must comply with GDPR. Noncompliance with GDPR opens your organization up to significant fines (as much as 4% of a business’ global revenue, or $24,000,000 – whichever is higher) levied by the EU Supervisory Authority.
GDPR’s Key Technical Requirements
Regardless of whether the EU considers an organization to be a Controller (an organization that determines the purposes and means of the processing of personal data – e.g. an association) or a Processor (an organization that processes personal data on behalf of the controller – e.g. an AMS provider like Altai), its prime objective should be to meet the overall points summarized in the Primary Technical Requirements below:
Consent
- MUST be clear and distinguishable from all other matters
- MUST be provided to an individual in an understandable and easily accessible form, using clear and plain language
- MUST be gained from any EU citizen/resident as part of the data collection process
- MUST be recorded, with the time and manner in which it was given, for auditing purposes
- MUST be unbundled from other terms, making clear why the data is being collected, what is collected, and for how long it will be kept
- MUST be as easy to withdraw as it is to give
Right to Access Data
- Organizations must provide EU citizens/residents the ability to obtain from the data controller confirmation regarding whether or not their personal data is being processed, where and for what purpose
- Controllers MUST provide a copy of the personal data, free of charge, in an electronic format to any EU citizen/resident who requests his/her own data
- EU citizens must have the ability to access, request, and/or make changes to their data at any given time
- Access to all collected data must include purpose, recipients and storage period
- Collected data must be reviewable and editable by the data subject, and on request for change
- Any EU citizen/resident must be notified of any change to his/her rights as well as any changes to his/her data
Right to be Forgotten/Erasure
- Entitles any EU citizen/resident to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data
- Any EU citizen/resident can at any given time request the erasure of their personal data
- Erasure must be across all back-ups and stores
- Third-party processors of the same data must be notified of any erasure action
Right to Data Portability
- The right for an EU citizen/resident to receive the personal data concerning them, which they have previously provided, in a “commonly used and machine readable format”, and to transmit that data to another controller
- Must be able to download their data in a computer-readable format or any other kind of readable material
- Data can be transferred either directly or indirectly
Privacy by Design
- EU citizens/residents and their data must be afforded security and privacy protection
- By default, privacy settings must be set at a HIGH level
- Standardize the entire data processing lifecycle
Ideas for Optimized Standards of Practice
To help your organization prepare for GDPR compliance, a secure and seamless Customer Identity and Access Management (CIAM) system should be instituted, including these key features:
- A detailed process to approve transactions
- Unified profiles management and synchronization process across all platforms
- Secure Single Sign-On (SSO) and Identity Management (IdM) systems across all digital entities
- Privacy management preferences and policies related to EU citizens/residents’ self-management of their profiles, and enforcement of customer data usage
- Administration of data access/suppression that complies with multiple governmental systems (EU, USA, Canada, etc.)
Time is of the essence in understanding and complying with GDPR, as enforcement of the regulation is set to begin May 25, 2018. Altai is actively working on our internal processes to ensure compliance with GDPR by its enforcement date. If you have questions on this topic, please contact Altai Partner Mike Frye at firstname.lastname@example.org.