COVID-19 Update: Artonezero are still operating as normal from home. Read more

Blog

Back to all blogs

How will GDPR affect your membership organisation?

How will GDPR affect your membership organisation

As you are probably aware, on the 25th May 2018 there will be a huge change to the UK’s Data Protection Laws in the form of the General Data Protection Regulation, or GDPR for short.

This change will affect the way in which all B2C and B2B marketers are allowed to store, process and use data.

Membership associations will be no exception to GDPR, therefore it is vital that you are aware and prepared for when GDPR comes into force.

Firstly, what is the Data Protection Act (DPA)?

The DPA was passed in 2000 in response to the 1995 Data Protection Directive, which was created when internet marketing was still in its early days. The DPA is the UK’s law based upon the Europe-wide DPD.

The DPA is defined as:

“An Act to make new provision for the regulation of the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information.”

[16th July 1998]

With the exception of some regulations and specifications that have been added along the way, the DPD has remained relatively unchanged for the past 20 years. However, GDPR – which will be introduced in the UK on the 25th May 2018 – will replace the DPD. A new Act will also follow within 12 months of the GDPR to replace the DPA.

What is the GDPR?

The GDPR is a regulation drawn up by the European Parliament, the Council of the European and the European Commision to give individuals more control over how their data and private information is used online.

The GDPR will change the way that businesses and organisations conduct their marketing and applies if the “data controller” (an organisation or business that collects data from residents of the EU), or “processor” (an organisation or business that processes data on behalf of a data controller), or the “data subject” (the person whose data is being collected) is based in the EU.

The ICO (Information Commissioner’s Office) have published an excellent checklist to test how well-prepared your organisation is for GDPR, as well as telling you what you need to do to prepare. You can find this by clicking here.

In addition, for more information on what the GDPR, you can read our article, “What is GDPR and how will it impact your business?” by clicking here.

What data is protected under the GDPR?

An Individual’s personal data is protected under GDPR. The European Commission‘s definition of personal data is:

“Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, your posts on social networking websites, your medical information, or your computer’s IP address. The EU Charter of Fundamental Rights says that everyone has the right to personal data protection in all aspects of life: at home, at work, whilst shopping, when receiving medical treatment, at a police station or on the Internet.”

Consent and legitimate interest

In the ICO’s guide, “Preparing for the General Data Protection Regulation (GDPR)“, it is stated that, “consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity.” If you are collecting Individual’s data for the purpose of marketing, the ICO states that “[a positive opt-in] must also be separate from other terms and conditions, and you will need to have simple ways for people to withdraw consent.”

So, for B2B marketing purposes, if your content is about products and/or services that are relevant to the recipient’s profession, it can be marketed on an opt-out basis without consent just as long as the method of opting out is clearly defined. On the other hand, if you are marketing to sole traders or partnerships, B2C rules apply, and opt-in consent must be obtained.

Consent doesn’t last forever, and this time factor is determined by the circumstance and context in which consent was obtained. If the circumstances change, or the context is no longer relevant, then the recipient may no longer wish to receive any further marketing communications from your organisation. So for example, if one of your members had given consent to receive communications about an event in 8 months time, they can expect to receive emails about the event up until the event date. Or, in the case of annual membership subscriptions, it would be okay for you to contact members about an approaching renewal window. However, it would not be ok to email them the following year if they didn’t renew or give any other indication that they wish to continue receiving communications. In addition, if at any point a member expressed a desire to unsubscribe from your organisation’s communications then you should not send them any more communications.

On the other hand, “legitimate interest” is a less clear and much-debated subject, as you can see in paragraph 47. Once an organisation has received a subject’s consent to processing their data, the organisation may use other personal data (such as the subject’s purchase history or location) to personalise their marketing as long as they can prove that it is of legitimate interest to the subject.

What happens to organisations who don’t comply with the GDPR?

One of the biggest, and most talked about, elements of the GDPR is the power for regulators to fine businesses that fail to comply with it. If an organisation doesn’t process an individual’s data in the correct way, it can be fined. In addition, if an organisation requires a data protection officer and doesn’t appoint one, it can also be fined. Furthermore, if an organisation faces a security breach, it can be fined.

According to MLaw Group:

“The proposed new EU data protection regime extends the scope of the EU data protection law to all foreign companies processing data of EU residents. It provides for a harmonisation of the data protection regulations throughout the EU, thereby making it easier for non-European companies to comply with these regulations; however, this comes at the cost of a strict data protection compliance regime with severe penalties of up to 4% of worldwide turnover.”

According to Article 83 paragraphs 4 and 5 of the GDPR, the following sanctions can be imposed on organisations that do not comply:

  • a warning in writing in cases of first and non-intentional non-compliance
  • regular periodic data protection audits
  • a fine up to €10,000,000 or up to 2% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater
  • a fine up to €20,000,000 or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater depending on severity

How will Brexit affect the GDPR?

The European Commission recently released newly drawn up position papers on how Brexit will be affected by GDPR. This came shortly after the UK Government issued their own position papers on the subject. The main point to take away is that the UK Government has agreed to wholly comply with the EU data protection law, stating: “At the point of our exit from the EU, the UK’s domestic data protection rules will be aligned with the EU data protection framework.”

This will mean that in order to maintain the free flow of data, EU data protection law will become UK law. Brexit shouldn’t affect the GDPR and changes to the DPA in the future as far as we can currently see.

What should you do now?

To ensure that your membership organisation complies with GDPR, there are a few things that you need to do. When a new member joins your organisation, you need to be explicit with them about what you are using their data for and ask them for their consent to process their data, and use it to market to them. The issue of consent is very important when implementing the new regulations, and whether you are marketing is either B2B or B2C will affect you. Valid consent must be explicit for any data collected, and the subject must be aware of what you intend to do with their data. Data controllers must also be able to prove “consent” and consent may be withdrawn at any time.

When a new member joins your organisation, you can ask them for their consent to sign-up to email marketing, or other business communications, and you will need to state what it will entail – for example, events, renewals, referrals, discounts – and tell them that they are free to update their preferences at any time.

You must also remember that consent doesn’t last forever. As a best practice, if you are relying on consent that is six months or older you should check to see if the original consent is still valid. The question that you need to ask yourself is whether or not it is still reasonable to treat the consent as an ongoing indication of the person’s current wishes to receive your organisation’s marketing communications.

The May 2018 deadline is now just around the corner, and if you haven’t already started in getting your organisation GDPR compliant, now is definitely the time to do so!

Dedicate time to understand all that you need to do to become compliant, and use the practical tips in this article to help get you started. Then, create a strategic plan of action to become GDPR compliant so that when May 2018 comes you will be ready and able to answer all of your customers’ questions regarding compliance.

If you need more information about how GDPR affects your customer data, or if you have are concerns that your organisation is not compliant, then contact us today.

You may also like...

eea898361c73b8f01129ed60e4c151d7.jpg

What is GDPR and how will it impact your business?

Dell and Dimension Research carried out a study of more than 800 IT and business professionals that are responsible for data privacy at companies with European customers and found that 80% of businesses know few details or nothing about GDPR. The study found that a shocking 97% of companies don’t have a plan in place for when GDPR kicks off in 2018. In this article, we will explain what GDPR is, how it will impact your business and offer some practical tips to help you be prepared for when GDPR comes into effect on the 25th May.

GDPR

Feb 23, 2018

Important Information about Expanded Text Ads in Google AdWords

Recently Google announced the upcoming introduction of AdWords Expanded Text Ads. This will be quite a significant change in the way that AdWords works, so in this article, we wanted to explain to you some important information that you will need to know about the new ad format.

SEO

Jul 18, 2016

5-tips-to-boost-social-media-lead-generation.jpg

5 tips to boost social media lead generation

Whether you are an SME or a large corporate organisation, you will no doubt be aware of the positive impact that social media can have on your marketing strategy. With 80% of marketers reporting that their lead generation efforts are only slightly or somewhat effective, it’s well worth looking into how social media can be leveraged as part of a successful lead generation strategy. In this article, we will talk about some basic tips social media for social media lead generation, and five simple tactics you can you use to help your business improve its leads.

Social Media

Aug 2, 2018

Some of our work

We'd love to hear from you!

Email anytime, or call us on 020 301 103 90 during office hours.