The First 100 Days – Operating under GDPR
About 100 days ago, the General Data Protection Regulation (GDPR) entered into force, placing new responsibilities on associations when it comes to the management of data. The topic dominated discussions in the first half of the year, causing much debate and considerable concerns. However, little has been heard about it since May 25th. How has life changed for associations under the new Regulation? What are the lessons learned? What challenges still need to be tackled? This article summarises our discussions with 21 European and international associations.
Self-taught GDPR Experts on the Rise
In September 2017, talking with association professionals about the new data protection regulation still elicited responses like ‘GDP-what?’ Only 12 months later, most associations have become rather adept when it comes to data protection: of the 21 associations we talked to, 95% believe that they have a good grasp of the subject. That is a steep learning curve, as only 40% felt that they understood GDPR in January 2018.
How did this change happen? 60% of the associations we talked to struggled through the often complex regulation by themselves – mostly in record time. “Our organisation is a volunteer-run NGO. Our biggest challenge was to implement the GDPR with only a basic understanding of the rules, little to no technical experience, and without any funds”, reports a European federation. For the same reasons, outside help wasn’t always an option: “We had contacted lawyers to get adequate counselling, but the fees requested were too high for a small non-profit organisation like ours”, reports another international association.
It’s a Marathon, not a Sprint
Often, the first hurdle was to convince leadership of the importance of investing in data protection. It was often felt that GDPR was intended to rein in the excessive data collection of large companies, thus having no impact on non-profit membership organisations: “They [the board] thought the GDPR is nonsense in the frame of our activities.” confirms one association contact.
By spring 2018, most associations had understood that GDPR was about to get serious and just could not be ignored. “We were late to begin with the GDPR matter, it took much time for one person in a very small staff” commented one association. “[We] did for the moment the minimum needed” confirms one association, while another one clarifies: “Being a small members-organisation with modest administrative support the capacity to work on GDPR was in the second half of 2018”. In short, GDPR is an ongoing process, and one that is far from over for most associations.
The Consent Trap?
Another key challenge was the question of consent: Was it really necessary to obtain the permission of every single member, newsletter subscriber and prospect in order to continue using their contact data? 40% of the associations we talked to did indeed choose ‘consent’ as legal grounds for most of their data processing, thus setting themselves an almost impossible task: “Obtaining consents is obviously a gigantic challenge when you work with a database of tens of thousands of contacts” declared one association; “many [contacts] do not bother to reply” noted another.
The other 60% avoided this challenge by selecting ‘legitimate interest’ as legal grounds for most data processing. This is also the path we chose at Interel. While this approach requires some detailed audits, it does not threaten entire association databases with extinction. Indeed, once you start processing under ‘consent’, it is hard to contact anyone who has not actively given permission, making it harder and harder to effectively do what associations need to do: communicate. This is what we call the GDPR ‘consent trap’.
The good news first: despite some claims to the contrary, all associations have survived ‘Day X’ – the deadline for ensuring full GDPR compliance in May 2018. While many felt frustrated by the lack of clear-cut advice, most have found a way to adapt and carry on.
As most associations did not have the ‘luxury’ of professional support in GDPR implementation, they had to make do with self-training, short-term patches, delays and – in some cases – a very narrow interpretation of the Regulation. As a result, many associations are still working on implementation, while some got caught in the ‘consent trap’.
How did we fare at Interel? As an association management company, we had the opportunity to invest in the creation of a ‘GDPR Toolkit for Associations’, made available to all the associations we are working with. Nevertheless, it feels like GDPR has just begun. The research this article quotes, as well as our GDPR White Paper and FAQ Sessions, are all part of our ongoing efforts to develop and promote best practice. We invite all interested associations to join this conversation, download our White Paper ‘GDPR for Associations’ and share their thoughts at our executive sessions. Please contact Benita Lipps for more information, [email protected]
Article originally published by HQ Magazine.
Contributors: ANEC, BNE, CER, CITA, CSC, EDANA, EFHOH, EIRMA, ENSA, FEA and R.E.FO.R.MED as well as the 10 participating associations that chose to remain anonymous for their insights and contributions.