Is GDPR a four-letter acronym at your association? Short for General Data Protection Regulation, GDPR is legislation passed by the European Union (EU) Parliament to protect the personal data of EU residents. Scheduled to go into effect next month, GDPR grants individuals greater control over their personal information, giving them a say about how their data is handled, including what information is used, whether it’s transferred to third parties, and when it is erased.
And, it sets forth regulations for any business that controls or processes EU resident data, regardless of the organization’s location. So, if your association has employees, members, prospects or customers residing in the EU (regardless of their citizenship), this could be you. Are you prepared to comply?
REGULATION BASICS
There are a number of areas of compliance detailed within the GDPR – for the full legislation and additional regulation details, visit the GDPR portal. Here, we share a snapshot of several key principles from the regulation:
Transparency – Simply stated, Controllers and Processors (as defined in the regulation) are required to fully disclose how and why data is processed, and they must disclose that information to data subjects in clear and simple terms.
Consent – Consent must be “freely given, specific, informed, and unambiguous,” and is one of several reasons Processors and Controllers may use to justify the processing of data.
Right to be forgotten – Data subjects have the right to request that their data be erased, and with a few exceptions, the Controller and Processor must comply when requested to do so.
Security and privacy program management – One of the more interesting principles of the GDPR regulation is the need for Processors to implement a Privacy Program, which potentially includes the appointment of a Data Protection Officer (DPO).
Data breach protocol – When personal data is accessed without authorization, it is the responsibility of the Processor to notify the Controller, who must then notify the DPA within 72 hours of identifying the breach.
Limitation of purpose and collection—The GDPR states only data with a true business purpose and transparently disclosed to data subjects should be collected and processed.
Data Protection by Design – The Data Protection by Design principle requires organizations to have security and protection protocols in place, and to have security and data protection as a foundation for all future development.
We go into greater detail regarding these key principles and discuss the impact on your organization. In addition, we cover how Abila and other Community Brands association products will be compliant in our “General Data Protection Regulation eBook.” Download the free ebook here.
