How are membership organisations supposed to become experts in General Data Protection Regulation (GDPR), when the experts haven’t decided what compliance looks like yet? It’s time for us to work together to find the answers
- With new rules around active consent and refreshing any consent on a regular basis, collecting and segmenting member data is about to get harder
- Guidelines for GDPR have not yet been written in full, but those organisations who are not compliant could face fines of up to 20 million euros (or 4% of global turnover)
- Organisations are currently looking for ways to continue communicating with lapsed members where there is no longer consent to do so
GDPR – or General Data Protection Regulation – is not just coming. It’s already here (we’re just in a two-year grace period at the moment).
As I sat in a recent briefing session about the legislation (what it is and how it will affect membership organisations), I was struck not just by how much I was learning, but by how much is still unknown about what we can all do to ensure we remain within the law.
I don’t have all the answers. The blogs I have since read don’t have all the answers. And, it seems, the ICO, which will be enforcing the legislation and applying huge fines (20 million euros or 4% of global turnover – whichever is greater), hasn’t actually written all the answers. That said, its Information Commissioner has described GDPR as ‘the biggest change in data protection for a generation’.
What is clear, however, is that the changes will have an impact on the way organisations obtain data and the frequency with which that data needs to be refreshed.
Here’s a quick overview of six things I have gleaned so far about General Data Protection Regulation (in addition to the whopping potential bill for non-compliance mentioned above):
- Active consent is key. It’s no longer enough to have pre-ticked consent boxes or to insist that members opt out or are otherwise automatically opted in. Members will now need to actively sign up for everything and there should be no ambiguity or assumed consent.
- You need to clearly demonstrate how you are going to use a person’s data. Do you, for example, send the data to a third-party mailing house so that your member magazine can be distributed? If you do, that member needs to understand the process at the point at which they give consent. You will need to be able to demonstrate that consent, even with long-standing members.
- Consent will need to be refreshed within a reasonable period. What isn’t clear is the frequency and how that is affected by the level of detail gathered, but the consultants we heard from mentioned that the more you drill down with member preferences (eg asking about specific topic areas of interest rather than just asking whether it is ok to contact them by email, phone or post) the more frequently you may need to refresh that data. It will be interesting to see how this unfolds and what it means for those segmenting data to ensure their content is more relevant.
- Lapsed member communications could be challenging. This is currently a subject of hot debate, but it appears that once an organisation is no longer ‘in contract’ with a member, marketing communications should be stopped. I know organisations are already talking about the possibility of changing the levels of membership to enable them to keep in touch with those who wish to move away from full paid-for membership.
- You may need to conduct a Privacy Impact Assessment (PIA) to send a new marketing campaign to prospects or to segment your data: if sensitive information is being used in a new way, an impact assessment will help organisations identify a project’s potential effects on individual privacy and its compliance with the legislation.
- Data breaches will need to be reported within 72 hours, and we should expect more fining and more exemplary fines. With fines no longer capped at £500k, organisations simply cannot afford to get it wrong. Directors now have a duty of care to train staff.
And that’s not all. With less time to handle requests for information (known as subject access requests), new rules over the right for an individual to be forgotten and a requirement for CRM systems to demonstrate that privacy has been designed in, everything about the new regulation is tighter and more demanding.
Of course, there is also a hint that organisations under 250 employees may be subject to slightly less stringent rules, but the detail of this is not yet known.
We may not have all the answers, but not knowing is no real protection.
The advice so far? Show willing and demonstrate that you are taking the changes seriously and are going to take steps to be more transparent and accountable. Review the information you hold and look at the systems and processes you have in place to both collect and store data. Take advice on the wording of your company privacy statement. And, most importantly, visit the ICO website (the Direct Marketing Association is also helpful) for updates to make sure your efforts keep you within the law.
We’ve all been targeted with ill-timed sales calls and catalogues we certainly didn’t request, so I understand the motivation behind revising the rules. But I do fear that the move towards compliance will mean that the organisations we actually want to hear from will be forced to find out and store less about us. The result? Those organisations will struggle to build meaningful relationships in a world where personalisation and targeted content are not just important – they’re essential.
Let’s hope time – and more guidance – will prove me wrong.
Anything to add?
I confess, I am an interested party, not an expert one. If you are worried about the impact of GDPR on your organisation and can shed any more light on the regulations and the points mentioned above, please get in touch today. Memberwise and Memcom have also run several sessions on the topic so do check out their websites for details.