COVID-19 Update: Artonezero are still operating as normal from home. Read more

Blog

Back to all blogs

How will GDPR affect your membership organisation?

How will GDPR affect your membership organisation

As you are probably aware, on the 25th May 2018 there will be a huge change to the UK’s Data Protection Laws in the form of the General Data Protection Regulation, or GDPR for short.

This change will affect the way in which all B2C and B2B marketers are allowed to store, process and use data.

Membership associations will be no exception to GDPR, therefore it is vital that you are aware and prepared for when GDPR comes into force.

Firstly, what is the Data Protection Act (DPA)?

The DPA was passed in 2000 in response to the 1995 Data Protection Directive, which was created when internet marketing was still in its early days. The DPA is the UK’s law based upon the Europe-wide DPD.

The DPA is defined as:

“An Act to make new provision for the regulation of the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information.”

[16th July 1998]

With the exception of some regulations and specifications that have been added along the way, the DPD has remained relatively unchanged for the past 20 years. However, GDPR – which will be introduced in the UK on the 25th May 2018 – will replace the DPD. A new Act will also follow within 12 months of the GDPR to replace the DPA.

What is the GDPR?

The GDPR is a regulation drawn up by the European Parliament, the Council of the European and the European Commision to give individuals more control over how their data and private information is used online.

The GDPR will change the way that businesses and organisations conduct their marketing and applies if the “data controller” (an organisation or business that collects data from residents of the EU), or “processor” (an organisation or business that processes data on behalf of a data controller), or the “data subject” (the person whose data is being collected) is based in the EU.

The ICO (Information Commissioner’s Office) have published an excellent checklist to test how well-prepared your organisation is for GDPR, as well as telling you what you need to do to prepare. You can find this by clicking here.

In addition, for more information on what the GDPR, you can read our article, “What is GDPR and how will it impact your business?” by clicking here.

What data is protected under the GDPR?

An Individual’s personal data is protected under GDPR. The European Commission‘s definition of personal data is:

“Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, your posts on social networking websites, your medical information, or your computer’s IP address. The EU Charter of Fundamental Rights says that everyone has the right to personal data protection in all aspects of life: at home, at work, whilst shopping, when receiving medical treatment, at a police station or on the Internet.”

Consent and legitimate interest

In the ICO’s guide, “Preparing for the General Data Protection Regulation (GDPR)“, it is stated that, “consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity.” If you are collecting Individual’s data for the purpose of marketing, the ICO states that “[a positive opt-in] must also be separate from other terms and conditions, and you will need to have simple ways for people to withdraw consent.”

So, for B2B marketing purposes, if your content is about products and/or services that are relevant to the recipient’s profession, it can be marketed on an opt-out basis without consent just as long as the method of opting out is clearly defined. On the other hand, if you are marketing to sole traders or partnerships, B2C rules apply, and opt-in consent must be obtained.

Consent doesn’t last forever, and this time factor is determined by the circumstance and context in which consent was obtained. If the circumstances change, or the context is no longer relevant, then the recipient may no longer wish to receive any further marketing communications from your organisation. So for example, if one of your members had given consent to receive communications about an event in 8 months time, they can expect to receive emails about the event up until the event date. Or, in the case of annual membership subscriptions, it would be okay for you to contact members about an approaching renewal window. However, it would not be ok to email them the following year if they didn’t renew or give any other indication that they wish to continue receiving communications. In addition, if at any point a member expressed a desire to unsubscribe from your organisation’s communications then you should not send them any more communications.

On the other hand, “legitimate interest” is a less clear and much-debated subject, as you can see in paragraph 47. Once an organisation has received a subject’s consent to processing their data, the organisation may use other personal data (such as the subject’s purchase history or location) to personalise their marketing as long as they can prove that it is of legitimate interest to the subject.

What happens to organisations who don’t comply with the GDPR?

One of the biggest, and most talked about, elements of the GDPR is the power for regulators to fine businesses that fail to comply with it. If an organisation doesn’t process an individual’s data in the correct way, it can be fined. In addition, if an organisation requires a data protection officer and doesn’t appoint one, it can also be fined. Furthermore, if an organisation faces a security breach, it can be fined.

According to MLaw Group:

“The proposed new EU data protection regime extends the scope of the EU data protection law to all foreign companies processing data of EU residents. It provides for a harmonisation of the data protection regulations throughout the EU, thereby making it easier for non-European companies to comply with these regulations; however, this comes at the cost of a strict data protection compliance regime with severe penalties of up to 4% of worldwide turnover.”

According to Article 83 paragraphs 4 and 5 of the GDPR, the following sanctions can be imposed on organisations that do not comply:

  • a warning in writing in cases of first and non-intentional non-compliance
  • regular periodic data protection audits
  • a fine up to €10,000,000 or up to 2% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater
  • a fine up to €20,000,000 or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater depending on severity

How will Brexit affect the GDPR?

The European Commission recently released newly drawn up position papers on how Brexit will be affected by GDPR. This came shortly after the UK Government issued their own position papers on the subject. The main point to take away is that the UK Government has agreed to wholly comply with the EU data protection law, stating: “At the point of our exit from the EU, the UK’s domestic data protection rules will be aligned with the EU data protection framework.”

This will mean that in order to maintain the free flow of data, EU data protection law will become UK law. Brexit shouldn’t affect the GDPR and changes to the DPA in the future as far as we can currently see.

What should you do now?

To ensure that your membership organisation complies with GDPR, there are a few things that you need to do. When a new member joins your organisation, you need to be explicit with them about what you are using their data for and ask them for their consent to process their data, and use it to market to them. The issue of consent is very important when implementing the new regulations, and whether you are marketing is either B2B or B2C will affect you. Valid consent must be explicit for any data collected, and the subject must be aware of what you intend to do with their data. Data controllers must also be able to prove “consent” and consent may be withdrawn at any time.

When a new member joins your organisation, you can ask them for their consent to sign-up to email marketing, or other business communications, and you will need to state what it will entail – for example, events, renewals, referrals, discounts – and tell them that they are free to update their preferences at any time.

You must also remember that consent doesn’t last forever. As a best practice, if you are relying on consent that is six months or older you should check to see if the original consent is still valid. The question that you need to ask yourself is whether or not it is still reasonable to treat the consent as an ongoing indication of the person’s current wishes to receive your organisation’s marketing communications.

The May 2018 deadline is now just around the corner, and if you haven’t already started in getting your organisation GDPR compliant, now is definitely the time to do so!

Dedicate time to understand all that you need to do to become compliant, and use the practical tips in this article to help get you started. Then, create a strategic plan of action to become GDPR compliant so that when May 2018 comes you will be ready and able to answer all of your customers’ questions regarding compliance.

If you need more information about how GDPR affects your customer data, or if you have are concerns that your organisation is not compliant, then contact us today.

You may also like...

ryan-riggins-213451.jpg

10 tips for purchasing a CRM system for your small business

When choosing a new CRM system, many small businesses share similar expectations and requirements as their larger corporate counterparts. Usually, the main factor that separates the two is that smaller businesses have limited access to resources. Despite limitations, small businesses can still purchase a CRM that caters to their needs, it is just a matter of knowing what to look for. With this, we wanted to share our 10 tips for purchasing a new CRM system for your small business.

Digital Marketing

Aug 15, 2017

Ten digital and web design tips to improve user experience

Ten digital and web design tips to improve user experience

After your users have signed up, you want them to get the most out of being part of your organisation. But very often users sign up and fail to engage; because the organisation doesn’t reach out to them in the right way. Here are our top tips for how to make sure they really engage with you and what you’re offering.

UX Design

Feb 23, 2016

Improving Member Engagement with Personalised Digital Content

While delivering content can help you achieve both of these things, many membership organisations deliver content to their members that is valuable, but generic and not tailored to the individual member’s needs. Personalisation of content allows you to use the information that your organisation has gathered to deliver targeted and personalised online content to individual members based on their own interests and engagement habits.

Content Marketing

Sep 30, 2016

Some of our work

We'd love to hear from you!

Email anytime, or call us on 020 301 103 90 during office hours.