In 1995, the European Union enacted the Data Protection Directive, establishing personal data protection as an individual right. In April 2016, the EU adopted the General Data Protection Regulation (GDPR), which replaces and strengthens that earlier law. GDPR took effect on 25 May 2018, and some organizations are already facing warnings and fines.
Does GDPR have any impact on an organization outside the EU? If you use iMIS (or even a competing product), the answer is almost definitely yes. Since the beginning, iMIS has been about collecting, organizing and using information about members and other contacts. GDPR creates new rules around how EU personal data is collected, used and protected.
Be aware: general advice about GDPR is no substitute for advice from an attorney who can consider your entire situation. Unlike the cut-and-dried, checklist-style requirements of PCI DSS, GDPR compliance depends on the specifics of your organization, your members and customers, and how you use their information. The only legal advice in this article is, “make sure you get legal advice.”
GDPR establishes rights for people in the EU. That is not limited to citizens or residents of an EU member country; it covers anybody physically in the EU when their data is collected. A U.S. or Australian citizen buying a book while sitting at Heathrow airport is entitled to all the protections of GDPR.
Even without EU exposure, several U.S. states are passing similar data privacy laws. You may find it easier and more cost-effective to implement privacy rules like GDPR for all the contacts in your database, rather than trying to use different rules for different contacts. By keeping iMIS up to date, you can benefit from improved privacy controls with less effort on your part.
Under GDPR, people have the right to know how their data will be used, to receive a copy of the data maintained about themselves, to correct that data, to request that their information be erased, and to be notified if a data breach exposing their information is likely to put them at high risk.
These rights create new responsibilities for organizations that collect and process personal information. Data controllers (your organization) must establish and document the lawful basis for possessing and processing each piece of personal data. GDPR identifies six lawful bases for processing:
- Consent of the subject
- Contractual requirement
- Legal obligation
- Vital interests of the subject
- Public interest/official authority
- Legitimate interests of the controller (or a third party)
As long as you have at least one lawful basis for a given piece of data, you can keep and process it. If you have none, you probably shouldn’t keep it.
Before GDPR, many organizations operated on implied consent. For example, “If they joined, they must be willing to share their name with other members.” Under GDPR, implied consent is not enough—not even for data collected before May 2018.
Consent should pass three tests:
- Explicit: The subject must affirmatively give permission by checking an unticked box, initialing a form, signing their name or similar. Pre-ticked boxes, silence, or a “By continuing to use our website…” disclaimer do not count as consent.
- Informed: The subject must be told how their information will be used in plain language.
- Documented: You must maintain records of what consent was given and when.
Without proof of consent satisfying GDPR’s requirements, you may need to obtain consent again. Likewise, if you want to start using member data in a new way, you need to ask for expanded consent covering that use. If this seems like a huge burden, you can appreciate why consent is the weakest, least preferred basis in the list above: it can be withdrawn at any time, and you must be able to prove it was given.
The most important thing to realize about GDPR is that it isn’t a technology issue, it’s an organizational issue. Organizations must first change their behaviors to protect the privacy of their constituents, and then technology can support these changes.
As you review your organization’s handling of personal data, iMIS will certainly be a major focus, but don’t forget about all the places member data is copied. GDPR also applies to your ERP software, third-party integrations, exports saved to disk and even printed or handwritten paper documents.
iMIS has features which can help achieve compliance in several ways, including:
- Enabling the cookie warning feature to obtain consent.
- Using RiSE to add declarations to any page that collects personal information.
- Configuring the contact erasure feature, and training staff on when and how to use it.
- Creating a place to keep track of when consent was given or revoked. For instance, you might define a new activity type called, “CONSENT,” or add user-defined fields to track consent-related events.
You should also take a close look at all the data collected by your organization to ensure you have a legal basis. You might decide it is better to stop collecting some kinds of information than try to maintain sufficient records of consent. Think also about data collected over the phone: are callers given enough information to make an informed decision about providing their data to you?
Above all, get the advice you need from a resource with experience in privacy regulations. GDPR has raised the bar of consumers’ expectations of privacy. Fail to meet those expectations, and your members and constituents may be less comfortable continuing their relationship with you.