Community Brands’ content repurposed with permission
With additional content provided by Rob Gates, Bostrom Business Analyst
Most organizations have, by now, heard of the European Union’s data privacy regulation, the General Data Protection Regulation, or “GDPR”. GDPR is notable in that it applies to any organization that handles the personal data of individuals in the EU, regardless of where that organization is located. If your organization has customers, prospects, employees, or members in the EU, you are required to meet GDPR compliance standards. GDPR gives individuals greater control over their personal information, and also gives them a voice in how their data is managed. The regulation was adopted in 2016 and applies from May 25, 2018.
While the scope of the EU’s regulation covers only the handling of data relating to individuals within the EU (regardless of who handles the data and where), most privacy experts expect similar privacy regulation to appear elsewhere soon; it reflects where the intersection of personal privacy and data handling is heading. While the GDPR text runs to many pages of detail, it can be summed up concisely in a small set of guiding principles.
- Data should only be processed for legitimate and defined purposes
- Only the data relevant to those legitimate and defined purposes should be processed
- This data should only be kept as long as it is necessary for the legitimate and defined purpose
- Individuals should be informed up front about what, why, and how their data will be processed
- Individuals should provide consent for the processing of their data (consent is the lawful basis most organizations will rely on for marketing and membership communications; the regulation also recognizes other bases, such as performance of a contract or a legal obligation, but each use of data must rest on one of them)
- Individuals should control who sees their data – it should not be shared with another individual or entity unless the person has been told about that sharing and it is covered by a lawful basis, which in most cases means explicit authorization
- Individuals should have the right to manage their personal data – to see and correct it
- Individuals have the right to be forgotten – to have their data removed from processes and storage
GDPR defines two main roles for the persons or organizations it regulates – Controllers and Processors. Controllers are persons or entities which determine, “the purposes and means of the processing of personal data” (https://www.eugdpr.org). Processors are “any entity which processes personal data on behalf of the Controller or by instruction of the Controller”. An organization can be a Controller for some data and a Processor for other data. Processing includes collection, storage, transfer, and manipulation of data, but certainly isn’t limited to those activities – it has a broad scope.
Of particular concern with GDPR is the type of information often called “PII” – Personally Identifiable Information. The regulation itself uses the broader term “personal data”: any information relating to an identified or identifiable person. This includes an individual’s name, address, phone or email, unique identifying numbers like license numbers or social security numbers, financial account numbers, and online identifiers; even an individual’s image is covered. For financial information, these new regulatory requirements are in addition to already existing regulations and policies concerning financial account information, including standards from the payment card (credit card) industry, or “PCI”. The consequences of failing to comply with the GDPR can be costly. For the most serious infractions, a supervisory authority may fine businesses “20 million Euros or up to 4 percent of total worldwide annual turnover in the preceding financial year”, whichever is greater; a lower tier of fines applies to lesser infractions. (https://www.eugdpr.org)
What this means is that associations and non-profit organizations, even those not currently affected by GDPR, should be on the lookout for areas where they may need to consider changes to their processes. For example, many organizations have a central administrator conducting transactions on behalf of many individuals. This may prevent the organization from obtaining direct and explicit individual consent for various uses of data. Further, organizations that work with paper forms may need to look at policies for protecting those forms, asking themselves questions like, “Who can see these forms?”, “How are they handled and protected during processing?” and “How do I manage requests to be forgotten?”. Technology options can help resolve some of these concerns, but a combination of process changes AND technology changes is likely going to be needed by most organizations to establish a true privacy-conscious culture.
GDPR reference site cited above: https://www.eugdpr.org