3 Steps Associations Can Take After GDPR Enforcement

Post-GDPR July 16, 2018 By: Thomas F. Kelly

GDPR enforcement is here to stay, and there are many challenges and opportunities for associations looking to get their data house in order. Here are three steps that leaders should take to reach compliance.

To say it’s been a hectic few weeks in the world of data security would be a massive understatement. Before May 25, you likely received a series of emails from online service providers outlining their new-and-improved privacies, now compliant with the European Union’s General Data Protection Regulation. In the days leading up to enforcement, GDPR became, as Quartz reported, “bigger than Beyoncé.”

Such worries about data protection, even if they are comical, are completely understandable. The scope of GDPR is so massive that some have questioned whether total compliance is even achievable. So, if your organization is behind the ball, you’re far from alone.

A month before the GDPR compliance deadline, analytics company SAS released survey results on preparedness. The main finding: Despite having two years to prepare, 93 percent of organizations admitted that they weren’t compliant at the time.

The new laws pose a challenge and opportunity for associations. As reported in Associations Now, associations’ data pools are often sprawling and amorphous. This makes compliance far trickier than it might be for traditional businesses, but if your association can manage to get its data house in order, it will be well-equipped to handle the new level of data security mandated by GDPR. With that in mind, here are a few things to consider now that GDPR enforcement is here.

1. Own your leadership role. Although more than a month has passed since SAS reported its survey results, it’s entirely likely that staff within your association are scrambling to reach compliance.

There is a remarkable opportunity right now to add value to your organization and demonstrate that you have the necessary skills and expertise to navigate GDPR’s challenges. This could take any number of forms. You could, for instance, host a GDPR-themed catch-up tutorial, walking members through what they need to do to comply and giving them a space to share any challenges or solutions they’ve encountered during the process.

Additionally, members may be looking to you to recommend vendors that can do association business and maintain GDPR compliance. Whether those vendors are event planners, cybersecurity firms, or outside communications and marketing consultants, you’ll need to vet these partners to make sure they’re compliant as well.

2. Convene your board. GDPR has forced a new conversation about how to protect consumer data, but equally important is the board conversation on how to protect stakeholders’ interests. In the rapid-fire pace of online information and social media, one dissatisfied member or customer who knows how you’ve mishandled their personal data could quickly turn into an issue for your organization’s brand and reputation.

Many boards take risks like competitors and management hiring into account, but few consider cybersecurity threats as an issue deserving of their attention, leaving it to the chief information officer or IT department. But with discussions on data security fresh in everyone’s minds, these next few weeks and months are an excellent time to convene your board and consider the vital role that cybersecurity plays in protecting your association’s interests.

There is a remarkable opportunity right now to add value to your organization and demonstrate that you have the necessary skills and expertise to navigate GDPR’s challenges.

Have board leadership take stock of what sensitive data is in your possession and what you’re doing to protect it. Then, consider if there are any other steps you can take to tighten cybersecurity, whether it’s creating a board committee for cybersecurity issues or requesting a report on office digital hygiene practices.

There’s no denying that these issues are a new frontier for most boards, but in a day and age where data breaches are the norm, taking them into account sooner rather than later is one of the best things you can do to protect your reputation and stakeholders’ interests.

3. Leverage your network. Social media platforms like LinkedIn, Facebook, and Twitter are marketed as extensions of your personal network—a result of organic, real-world connections and shared interests. The ad-based model these companies use complicates that narrative. Much of the content that reaches you is the result of a targeted strategy, not spontaneous sharing.

GDPR, however, gives users far more control over what data they share, which is good news for associations and bad news for advertisers, who will have far less information to use when targeting consumers. It may force them to make use of organic connections and influencers who share their content, something that associations have in spades.

So, when considering your marketing strategy for the year ahead, be sure to leverage your network to bolster earned-media efforts as a potential opportunity. The sector-wide connections that are the bread and butter of your organization may be the boon of the post-GDPR digital landscape.

Thomas F. Kelly

Thomas F. Kelly is a Silicon Valley serial entrepreneur and expert in cybersecurity technologies. He is president and CEO of ID Experts in Portland, Oregon.