Time’s up! GDPR—the European Union’s General Data Protection Regulation—went into effect on May 25, 2018. Since the EU approved GDPR on April 14, 2016, association technology firms have had lots of time to prepare for GDPR. In this post, we describe what your technology providers should do to help your association comply with GDPR.
We also provide tips on some of the things staff should do to help their associations comply with GDPR—just in case you haven’t done them already. But, please keep this caveat in mind: we’re not providing legal advice here, we’re merely sharing some of our thoughts on GDPR compliance.
As the GDPR deadline approached, the full impact of this new regulation became more apparent. Complying with GDPR isn’t only about developing a new privacy statement and opt-in forms. It also means:
GDPR forces all of us to treat the data we collect and use with more purpose and transparency.
Since GDPR governs the personal data of EU citizens, many wonder why their association has to worry about it. Well, are you completely confident that you haven’t tracked or collected (or won’t collect in the future) the personal data of any EU citizens? Here are a few ways an EU citizen could end up in one of your systems:
Many privacy experts believe the US and other nations will adopt similar regulations given the ongoing complaints about Facebook and Google data practices. Just this week, a US senator said:
“Facebook’s secret data sharing partnerships raise urgent new reasons for stronger privacy protections—beginning with a privacy bill of rights modeled on Europe’s new rules (GDPR).”
By complying with GDPR, you’re ahead of the game.
The people who use your LMS or subscribe to a newsletter have voluntarily entered a mutually beneficial relationship with you, that’s true, but relationships change. You must be prepared to comply with their requests concerning their personal data.
The GDPR comes with its own set of jargon.
Data processors—your software partners—can help your association remain GDPR-compliant by providing the features and functionality you need to follow the rules. Technology should be GDPR-friendly and administrator-friendly—that’s what you should expect.
Let’s take a look at the different areas of GDPR compliance: what you should expect from your technology partners and what you need to work on yourself.
You can’t assume system users are okay with you using their data because they’re using your system—although common sense would lead you to believe that. You have to be up-front and transparent about what you’re going to do with their personal data.
Right from the start, tell users:
Your association must have the ability to add a privacy policy (or statement) to your LMS which outlines how you use the personal data stored within the system. Your system should give you the option to ask users to accept these terms and conditions before they can access the software, for example, when they log in or during the course purchase or registration process. Give them the opportunity to read the statement and check a box to consent.
A pre-checked box doesn’t count as consent. Passive acceptance doesn’t count either. You can’t assume someone consents because they didn’t raise an objection when you emailed your policy to everyone.
You must be able to prove that users gave their consent to the ways you plan to use their data, for example, storing their personal data in your LMS, sending marketing messages about educational programs, and sending notifications about the online course they’re taking. Administrators should be able to track when users have agreed to a particular version of a policy with a time-stamped audit trail.
If your privacy terms change, you should be able to require users to re-accept them the next time they access the system. You also must have a way to identify anyone who needs to consent to an updated policy.
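As an added illustration of the consent features described above (this is example code written for this post, not code from any LMS or vendor product), the following Python sketch keeps an append-only, time-stamped consent ledger keyed by policy version. It refuses to record a consent that did not come from the user's own action (a pre-ticked box or silence), reports which users must re-accept after a new policy version is published, and returns the audit trail for any one user. The purpose labels, policy version strings and the `source` field are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, Iterable, List, Optional


def utc(year: int, month: int, day: int) -> datetime:
    """Helper for building timezone-aware timestamps (audit records should never be naive)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass(frozen=True)
class PolicyVersion:
    """One published version of the privacy statement."""
    version: str
    effective: datetime


@dataclass(frozen=True)
class ConsentRecord:
    """One immutable audit entry: who accepted which policy version, for which purposes, when and where."""
    user_id: str
    policy_version: str
    purposes: FrozenSet[str]      # e.g. {"lms_storage", "marketing", "course_notifications"} (assumed labels)
    accepted_at: datetime
    source: str                   # where consent was captured, e.g. "login-dialog" (assumed label)


class ConsentLedger:
    """Append-only ledger: records are added, never edited or deleted, so it doubles as the audit trail."""

    def __init__(self, first_policy: PolicyVersion):
        self._policies: List[PolicyVersion] = [first_policy]
        self._records: List[ConsentRecord] = []

    @property
    def current_policy(self) -> PolicyVersion:
        return self._policies[-1]

    def publish_policy(self, policy: PolicyVersion) -> None:
        """A new version must take effect after the current one; earlier consents then become stale."""
        if policy.effective <= self.current_policy.effective:
            raise ValueError("a new policy version must take effect after the current one")
        self._policies.append(policy)

    def record_consent(self, user_id: str, purposes: Iterable[str], user_ticked_box: bool,
                       source: str, now: Optional[datetime] = None) -> ConsentRecord:
        # A pre-ticked box or passive acceptance is not consent: the user must have acted.
        if not user_ticked_box:
            raise ValueError("consent requires an affirmative action by the user")
        record = ConsentRecord(
            user_id=user_id,
            policy_version=self.current_policy.version,
            purposes=frozenset(purposes),
            accepted_at=now or datetime.now(timezone.utc),
            source=source,
        )
        self._records.append(record)
        return record

    def latest_consent(self, user_id: str) -> Optional[ConsentRecord]:
        for record in reversed(self._records):
            if record.user_id == user_id:
                return record
        return None

    def has_consent(self, user_id: str, purpose: str) -> bool:
        """True only if the user's most recent acceptance is for the current policy and covers the purpose."""
        record = self.latest_consent(user_id)
        return (record is not None
                and record.policy_version == self.current_policy.version
                and purpose in record.purposes)

    def users_needing_reconsent(self, user_ids: Iterable[str]) -> List[str]:
        """Users with no consent, or consent to an older policy version, must re-accept at next access."""
        stale = []
        for user_id in user_ids:
            record = self.latest_consent(user_id)
            if record is None or record.policy_version != self.current_policy.version:
                stale.append(user_id)
        return stale

    def audit_trail(self, user_id: str) -> List[ConsentRecord]:
        """Every acceptance this user ever gave, oldest first: the proof administrators need."""
        return [r for r in self._records if r.user_id == user_id]
```

Note that withdrawing a purpose is just another consent record with a narrower purpose set; the earlier, broader record stays in the trail, which is what lets you show when the user agreed to marketing and when they stopped.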
The GDPR stipulates that “only personal data which are necessary for each specific purpose” should be collected. Make a plan to regularly review the data in your care so you can decide to stop collecting data you no longer need. Document everything you decide: why you collect certain types of data, how you’re using it, and who has access to it.
Develop a process for reviewing old records. For example, you need to keep educational history but should you keep former students on your marketing list if they haven’t opened an email in three years? Develop prospect-friendly marketing practices that are in compliance with GDPR.
If a system user has a question or request concerning their personal data, you must be able to respond quickly. Users have the right to see what data you have. You need a process in place to comply with their request and your system must be able to handle that process.
Users also must be allowed to update, correct, or complete their profile information in your LMS, AMS, and other systems, or contact the administrator to have it updated.
Data subjects have the “right to object” or opt out of certain uses of their data, for example, marketing emails. Give people control over what they receive from you—they’re more likely to opt in to certain communications when they have a choice. Maybe they want emails about their membership renewal but not marketing emails—that’s up to them, not you. Emails are considered essential, in the GDPR context, if you have a legitimate reason for sending them. You may need to inform your users that they cannot opt out of email notifications from your LMS because those emails are a core element in their education program.
You must have the ability to set up workflows and processes so you can respond to these requests—make sure your system has that functionality.
Security should always be a focus for your technology partners. If your software provider causes a breach, your association is still liable. Make sure your system partners have processes in place for regularly testing and assessing the effectiveness of their cybersecurity measures. Don’t be shy. Ask them for details so you can feel confident about the security of the data in your care.
If a breach of security occurs, you must meet the 72-hour notification deadline established by GDPR. How will you know when a breach occurs, and how quickly will your vendor tell you? Ask your vendor for those details.
On your side, regularly review who has access to the data you collect. Work with your IT team to ensure that staff are following the appropriate security measures. Require security awareness training for any staff with access to data.
EU citizens have the “right to be forgotten,” that is, the right to have their data deleted. You must be able to permanently delete a user, if they request it, as well as all records of them from any underlying audit trails and records. If you need that data for system-critical records, you must have the ability to pseudonymize it. Develop a process for requests of this type and ask your vendor how you can use their system to comply.
Users have the right to move their data from your system to another service provider. They may want to transfer records of the online courses they’ve taken, certifications received, and the records of external courses or learning objects they entered into your LMS. If a request for data records is made, your association must meet the one-month deadline set in GDPR.
You must be able to export a person’s data in a user-friendly format: “a structured, commonly used and machine-readable format.” You should document how your system will make data transfer requests possible.
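To show what the erasure, pseudonymization and portability requirements from the last two sections look like in code, here is an added Python example (written for this post; it is not any vendor's implementation and the record layout is a constructed stand-in for an LMS database). It exports one user's data as JSON, erases the user's profile and marketing entry, keeps the course-completion history under a keyed pseudonym with the learner's name stripped, verifies that nothing identifying survives, and computes the one-month response deadline. The HMAC key is the "additional information" that GDPR says must be held separately; here it is a labelled placeholder.

```python
import calendar
import hashlib
import hmac
import json
from copy import deepcopy
from datetime import date
from typing import Dict, List

# Constructed sample data standing in for an LMS database (hypothetical shape, not a real schema).
SAMPLE_STORE: Dict[str, object] = {
    "users": {
        "u-100": {"name": "A. Learner", "email": "a.learner@example.org", "country": "IE"},
        "u-200": {"name": "B. Member", "email": "b.member@example.org", "country": "US"},
    },
    "marketing_list": ["u-100", "u-200"],
    "completions": [
        {"user_id": "u-100", "learner_name": "A. Learner", "course": "Ethics 101",
         "completed": "2018-03-02", "score": 91},
        {"user_id": "u-200", "learner_name": "B. Member", "course": "Ethics 101",
         "completed": "2018-03-04", "score": 78},
    ],
}


def fresh_store() -> Dict[str, object]:
    """A private copy of the sample data so each run starts from the same state."""
    return deepcopy(SAMPLE_STORE)


def export_user_data(store: Dict[str, object], user_id: str) -> str:
    """Portability export: everything held about one user, as structured, machine-readable JSON."""
    if user_id not in store["users"]:
        raise KeyError(f"unknown user {user_id}")
    payload = {
        "profile": store["users"][user_id],
        "course_completions": [c for c in store["completions"] if c["user_id"] == user_id],
        "on_marketing_list": user_id in store["marketing_list"],
    }
    return json.dumps(payload, indent=2, sort_keys=True)


def pseudonym_for(user_id: str, key: bytes) -> str:
    """Keyed pseudonym: stable for the same user, but not reversible without the separately held key."""
    return "pseud-" + hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()[:16]


def erase_user(store: Dict[str, object], user_id: str, key: bytes) -> str:
    """Delete the profile and marketing entry; keep completion records under a pseudonym, names removed."""
    if user_id not in store["users"]:
        raise KeyError(f"unknown user {user_id}")
    pseud = pseudonym_for(user_id, key)
    del store["users"][user_id]
    store["marketing_list"] = [u for u in store["marketing_list"] if u != user_id]
    for record in store["completions"]:
        if record["user_id"] == user_id:
            record["user_id"] = pseud
            record.pop("learner_name", None)   # the name must not survive alongside the retained record
    return pseud


def mentions(store: Dict[str, object], *needles: str) -> bool:
    """Post-erasure check: does any serialized part of the store still contain these identifiers?"""
    blob = json.dumps(store)
    return any(needle in blob for needle in needles)


def response_due(received_iso: str) -> str:
    """One month from receipt of an access/portability request, clamped to the end of a shorter month."""
    received = date.fromisoformat(received_iso)
    if received.month == 12:
        year, month = received.year + 1, 1
    else:
        year, month = received.year, received.month + 1
    day = min(received.day, calendar.monthrange(year, month)[1])
    return date(year, month, day).isoformat()


if __name__ == "__main__":
    store = fresh_store()
    print(export_user_data(store, "u-100"))
    key = b"PLACEHOLDER-pseudonymization-key"   # in practice: stored apart from the records, access-controlled
    print("retained under", erase_user(store, "u-100", key))
    print("identifiers still present:", mentions(store, "a.learner@example.org", "A. Learner", "u-100"))
    print("request received 2018-01-31, due", response_due("2018-01-31"))
```

The `mentions` check is the part worth keeping in a real system: run it (or the database equivalent) after every erasure, because audit tables and secondary copies are where a name usually lingers.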
Hopefully, all your technology vendors were GDPR-compliant before the deadline; after all, their business depends upon it. However, even though GDPR has been a hot topic in the association community, the conversation may not have reached everyone on staff at your association.
Do not assume your colleagues understand this new regulation or how your association has to think and act differently with the data in your care. Require GDPR training for anyone who has access to member, customer, prospect, and user data. It’s best for staff to follow GDPR-friendly marketing practices. For example, if they are given a business card by a prospect, it’s not “helpful” to add that person’s email address to marketing lists without documented consent.
If you don’t already have a cross-departmental data governance group, there’s no better time to establish one. Give this group the authority and responsibility to develop and evaluate data policies and practices.
Although GDPR may bring temporary headaches, it also provides the opportunity to improve practices for the long-term. Association technology consultant David DeLorenzo advised in a DelCor Technology Solutions post:
“Develop a policy of ‘privacy by design.’ Privacy must become an integral part of your business. Establish data protection safeguards in products and services from the very start, not as an afterthought, and strengthen contract language around data privacy.”
The “privacy by design” approach allows your members, customers, and LMS users more control over the data they provide. GDPR gives your association the opportunity to demonstrate the care and respect you have for their personal data. You may not have to apply GDPR measures to non-European members and customers, but as responsible stewards of their data, the GDPR-friendly approach will earn their trust and strengthen your relationship with them.