26 June 2019

GDPR & Membership Organisations: One Year On

By Naomi Korn

GDPR (General Data Protection Regulation) was transposed into UK law in May 2018 as the Data Protection Act 2018. By increasing the responsibilities of those who process personal data, as well as increasing the rights of people whose personal data is being processed, the sector, the country, the EU and arguably the world has been shaken. It was necessary to uplift existing data protection laws because those we had were no longer working – they were not fit for the digital age in which everyone is potentially connected to everyone else, anything, anywhere, anytime. Technology that enables this level of instantaneous connectivity needed better regulation to protect the content, goods, and personal data that flows through the sophisticated digital infrastructure. GDPR is the antidote to bad businesses practices, including the wide-scale bad practices associated with the commoditisation of personal data.

Membership organisations are amongst those that have needed to review their policies, processes and responses to the personal data that they have been collecting and intend to collect. Beyond the specific requirements of the data protection legislation, this is no bad thing. Not every piece of data is good, current or useful, and too much data clogs the system. The more data you have the more exposed you are to data breaches and the greater the obligations you have to those whose data you are holding. So, one year on, when a number of organisations have already been fined by the Information Commissioner’s Office, what are the lessons learnt for membership organisations:

1. Internal procedures & policies dealing with the processing of personal data, Subject Access Requests (SARs) and Data Breaches are fundamental to demonstrating compliance

2. Building privacy awareness from the start through Data Protection Impact Assessments (DPIAs) and robust contract management procedures will help ensure that the systems and activities associated with marketing are legally compliant and fit for purpose.

3. The technology must serve the purpose, not drive the requirements. This must include the procurement of new client relationship management systems, DAMS etc.

4. Membership organisations need to recognise personal data “touch points”, and ensure that these are reflected in privacy statements which are current, accessible and easy to understand. They should clearly describe the lawful grounds for processing, accountability and contact details if there are any queries and/or data subject requests.

5. Data Hygiene & Cyber Security are fundamental to membership organisations. Acceptable use policies must be updated and explained to all staff and volunteers as well as being reflected in contracts.

6. Implementation is only one aspect. User awareness and training is an on-going process and must be regularly revisited. Volunteers and contractors must be included in this and specific awareness raising activities developed according to their roles and needs.

One year on, GDPR is a great opportunity to get our houses in order and demonstrate that we look after the personal data that we are entrusted with. This means that membership organisations have the opportunity to play to their strengths and demonstrate good business processes and transparency. Building customer trust in this way can increase the likelihood of retaining existing members, whilst creating a robust framework for new members to join who are happy to entrust membership organisations with their personal data.

Naomi Korn Associates recently created a Data Protection, one year on training session. If you would like your staff to be kept up to date about changes to the laws through a practical and interactive session, please contact patrick@naomikorn.com.