Earlier this month, we saw United States senators question Facebook CEO Mark Zuckerberg over the company’s handling of user data in the wake of the Cambridge Analytica data breach. 

Senators raised questions that touched on many different elements of the social network, but a common theme continued to surface: imposing regulations to protect user data. 

Senate Judiciary Chairman Chuck Grassley (R-IA) told Zuckerberg, “The industry needs to work with Congress to determine if and how we need to strengthen privacy standards to ensure transparency for billions of consumers. We can’t undo the damage that’s been done, but we can work together in setting new rules of the road for our data.”

While this reaction might seem like knee-jerk regulatory overkill, the European Union formalized their legal framework regarding data privacy and protection two years ago. The General Data Protection Regulation (GDPR) is a wide-sweeping data privacy action, going into effect on May 25, 2018.

For association executives, there are two key questions: Does it apply to me? And if so, what do I need to know?

Step one is to find an attorney who is familiar with the regulation (and ideally with your association) and can offer informed guidance on whether your organization needs to act. The regulation has 99 articles spread over 261 pages—that’s a lot of reading for a busy association executive to pore over and interpret. 

Taylor Mitchell, vice president of technology at the Auto Care Association, has been designated as our association’s GDPR compliance project lead. “The value of working with outside counsel on GDPR compliance is the focus and experience they bring,” Mitchell says. “They are also able to provide unbiased recommendations based on the risks to our organization.”

Although the compliance deadline is fast approaching, there are several steps that you can take to ensure that your association is ready for GDPR.

Of primary consideration is whether your association collects information about EU citizens or residents.  “The standard for applicability is whether you are present in or your products or services are offered for sale or subscription in the European Economic Area, the United Kingdom, or Switzerland,” says Bert Hogeman, principal with Promethean Legal. “It does not matter whether a fee is charged for the products or services.”

If your association fits this description, you should work with counsel to develop an appropriate compliance checklist, which will reduce a massive effort into bite-size tasks. The plan should include deadlines, persons responsible, descriptions of tasks, and commentary associated with each task. Major checklist items include:

Internal audit of personally identifiable information (PII). Depending on how your association stores data, this could be an extensive effort. Consider sources of information beyond your membership database, including accounting records, conference registration systems, learning management systems, payroll systems, and cloud document storage environments. “When you are conducting an audit of PII, it is important to work with every team member,” Mitchell says.  “Organizational sprawl can lead to siloed processes. Unless you have robust security measures in place to constantly look for PII, data review processes are needed.”

Vendor contract review. A key element of the organization’s compliance effort is understanding the compliance readiness of service providers who touch PII. Hogeman offers this advice on reviewing vendor contracts: “It is critical to review all contracts with third parties to determine whether personal data is being processed and who is doing the processing. GDPR imposes direct obligations on both data controllers—the entity that actually determines what personal data is to be processed and for what purpose—and data processors, the entity that does the actual processing of the personal data.”

Data security breach action plan. GDPR mandates that organizations develop action plans in the event of an actual or suspected data breach. Mitchell stresses the importance of timely action in breach plans: “With the new regulations, the window to report the breach has been shortened to 72 hours.  Understanding, reporting, and remediating are all incredibly time intensive, so clear processes are vital to making sure an organization can adhere to the guidelines outlined in the new regulations.”

Lawful basis. GDPR requires that there be a “lawful basis” for processing personal data.  Included as a lawful basis is the consent of the individual.  If relying on consent Mitchell says, “an organization must acquire express consent, for the use of specified data in specified ways.”

Document and data retention and destruction policies. Having a document and data retention or destruction policy is a best practice for all associations, but GDPR introduces a heightened importance for this organizational mainstay. “In all likelihood, existing policies focus on the document aspect of the policy. Under GDPR, the storage, retention, and deletion or destruction of personal data must be clearly and properly addressed,” Hogeman says. “A well-crafted document and data retention and destruction policy requires that the ‘lawful basis’ for retention and use of the personal data be documented.”

Although the compliance deadline is fast approaching, there are several steps that you can take to ensure that your association is ready for GDPR. By working with an informed attorney to develop your checklist, you can divide a seemingly overwhelming effort into smaller tasks.