How will GDPR affect your membership organisation?
As you are probably aware, on the 25th May 2018 there will be a huge change to the UK’s Data Protection Laws in the form of the General Data Protection Regulation, or GDPR for short.
This change will affect the way in which all B2C and B2B marketers are allowed to store, process and use data.
Membership associations will be no exception to GDPR, therefore it is vital that you are aware and prepared for when GDPR comes into force.
Firstly, what is the Data Protection Act (DPA)?
The Data Protection Act 1998 implements the 1995 EU Data Protection Directive (DPD), which was drafted when internet marketing was still in its early days. The Act received Royal Assent in 1998 and came into force in March 2000, and it remains the UK’s law based upon the Europe-wide DPD.
The DPA is defined as:
“An Act to make new provision for the regulation of the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information.”
[16th July 1998]
With the exception of some regulations and specifications that have been added along the way, the DPD has remained relatively unchanged for the past 20 years. However, GDPR – which will be introduced in the UK on the 25th May 2018 – will replace the DPD. A new Act will also follow within 12 months of the GDPR to replace the DPA.
What is the GDPR?
The GDPR is a regulation drawn up by the European Parliament, the Council of the European Union and the European Commission to give individuals more control over how their personal data is collected and used, online and offline.
The GDPR will change the way that businesses and organisations conduct their marketing. It applies to any “data controller” (an organisation or business that decides why and how personal data is processed) or “processor” (an organisation or business that processes data on behalf of a data controller) established in the EU, and also to controllers and processors outside the EU when they offer goods or services to, or monitor the behaviour of, “data subjects” (the people whose data is being collected) who are in the EU.
The ICO (Information Commissioner’s Office) has published an excellent checklist to test how well-prepared your organisation is for GDPR, as well as telling you what you need to do to prepare.
In addition, for more information on what the GDPR is, you can read our article, “What is GDPR and how will it impact your business?”
What data is protected under the GDPR?
An individual’s personal data is protected under GDPR. The European Commission‘s definition of personal data is:
“Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, your posts on social networking websites, your medical information, or your computer’s IP address. The EU Charter of Fundamental Rights says that everyone has the right to personal data protection in all aspects of life: at home, at work, whilst shopping, when receiving medical treatment, at a police station or on the Internet.”
Consent and legitimate interest
In the ICO’s guide, “Preparing for the General Data Protection Regulation (GDPR)“, it is stated that, “consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity.” If you are collecting individuals’ data for the purpose of marketing, the ICO states that “[a positive opt-in] must also be separate from other terms and conditions, and you will need to have simple ways for people to withdraw consent.”
For B2B email marketing, the opt-out rule comes from the UK’s Privacy and Electronic Communications Regulations (PECR), which sit alongside the GDPR: if your content is about products and/or services relevant to the recipient’s profession, you can email corporate subscribers on an opt-out basis without consent, as long as you identify yourself, the method of opting out is clearly defined, and you honour every opt-out. You still need a lawful basis under the GDPR for the underlying processing (typically legitimate interests), and you should record that assessment. On the other hand, if you are marketing to sole traders or partnerships, PECR treats them as individual subscribers, so B2C rules apply and opt-in consent must be obtained.
Consent doesn’t last forever; how long it lasts depends on the circumstances and context in which it was obtained. If the circumstances change, or the context is no longer relevant, then the recipient may no longer wish to receive any further marketing communications from your organisation. So, for example, if one of your members gave consent to receive communications about an event in eight months’ time, they can expect to receive emails about the event up until the event date. Or, in the case of annual membership subscriptions, it would be acceptable for you to contact members about an approaching renewal window. However, it would not be acceptable to email them the following year if they didn’t renew or give any other indication that they wish to continue receiving communications. In addition, if at any point a member expresses a desire to unsubscribe from your organisation’s communications, you should not send them any more.
“Legitimate interests”, by contrast, is a separate lawful basis from consent (Article 6(1)(f)) and a less clear, much-debated one. Recital 47 of the GDPR says that processing for direct marketing purposes may be regarded as carried out for a legitimate interest, so an organisation may use other personal data it holds (such as a member’s purchase history or location) to personalise its marketing, provided it can show that its interest is not overridden by the member’s interests and reasonable expectations. Members still have an absolute right to object to direct marketing (Article 21), and a member who objects must not be marketed to again.
What happens to organisations who don’t comply with the GDPR?
One of the biggest, and most talked about, elements of the GDPR is the power for regulators to fine organisations that fail to comply with it. If an organisation doesn’t process an individual’s data in the correct way, it can be fined. If an organisation is required to appoint a data protection officer and doesn’t, it can also be fined. And if an organisation suffers a security breach, it can be fined for failing to keep the data appropriately secure, and for failing to notify the ICO within 72 hours of becoming aware of the breach where notification is required.
According to MLaw Group:
“The proposed new EU data protection regime extends the scope of the EU data protection law to all foreign companies processing data of EU residents. It provides for a harmonisation of the data protection regulations throughout the EU, thereby making it easier for non-European companies to comply with these regulations; however, this comes at the cost of a strict data protection compliance regime with severe penalties of up to 4% of worldwide turnover.”
The fines are set out in Article 83 paragraphs 4 and 5 of the GDPR, and the other corrective measures are among the supervisory authority’s powers under Article 58. Organisations that do not comply can face:
- a warning or reprimand in writing, typically in cases of first and non-intentional non-compliance
- data protection audits by the supervisory authority
- a fine up to €10,000,000 or, in the case of an enterprise, up to 2% of the annual worldwide turnover of the preceding financial year, whichever is greater (Article 83(4), for example breaches of controller and processor obligations such as security and breach notification)
- a fine up to €20,000,000 or, in the case of an enterprise, up to 4% of the annual worldwide turnover of the preceding financial year, whichever is greater (Article 83(5), for the more serious infringements such as breaches of the basic processing principles, the conditions for consent, data subjects’ rights or the rules on international transfers)
How will Brexit affect the GDPR?
The European Commission recently released newly drawn up position papers on how GDPR will be affected by Brexit. This came shortly after the UK Government issued their own position papers on the subject. The main point to take away is that the UK Government has committed to staying aligned with EU data protection law, stating: “At the point of our exit from the EU, the UK’s domestic data protection rules will be aligned with the EU data protection framework.”
This will mean that in order to maintain the free flow of data, EU data protection law will become UK law. Brexit shouldn’t affect the GDPR and changes to the DPA in the future as far as we can currently see.
What should you do now?
To ensure that your membership organisation complies with GDPR, there are a few things that you need to do. When a new member joins your organisation, you need to be explicit with them about what you are using their data for and on what basis. Processing needed to run their membership (administering the subscription, providing member benefits) can rely on the membership contract as its lawful basis; using their data to market to them is where you will usually need their consent. The issue of consent is very important when implementing the new regulations, and whether your marketing is B2B or B2C will affect what you must do. Valid consent must be specific and unambiguous for each purpose, and the subject must be told what you intend to do with their data. Data controllers must also be able to demonstrate that consent was given, and consent may be withdrawn at any time.
When a new member joins your organisation, you can ask them for their consent to sign up to email marketing, or other business communications, and you will need to state what it will entail – for example, events, renewals, referrals, discounts – and tell them that they are free to update their preferences at any time.
You must also remember that consent doesn’t last forever. As a best practice, if you are relying on consent that is six months or older you should check to see if the original consent is still valid. The question that you need to ask yourself is whether or not it is still reasonable to treat the consent as an ongoing indication of the person’s current wishes to receive your organisation’s marketing communications.
The May 2018 deadline is now just around the corner, and if you haven’t already started in getting your organisation GDPR compliant, now is definitely the time to do so!
Dedicate time to understand all that you need to do to become compliant, and use the practical tips in this article to help get you started. Then, create a strategic plan of action to become GDPR compliant so that when May 2018 comes you will be ready and able to answer all of your customers’ questions regarding compliance.
If you need more information about how GDPR affects your customer data, or if you have concerns that your organisation is not compliant, then contact us today.