How to Prepare Your Association for U.S. Data Privacy Laws
Back in the spring, association forums and blogs were buzzing about GDPR myths and facts as the May 25 deadline approached. Five months later, crickets. So, why are we talking about GDPR now, and why should you care about GDPR if you’re not a global organization? Because federal regulations are inevitable, and it’s wise to prepare your association for new data privacy laws before they arrive.
GDPR in a Nutshell
The purpose of GDPR, the European Union’s General Data Protection Regulation, is to return control of personal data back to the individual. The first paragraph of the GDPR states: “The protection of natural persons in relation to the processing of personal data is a fundamental human right.”
The GDPR chapter on the “rights of data subjects” includes the:
- Right to access their data
- Right to correct their data
- Right to move their data to another platform or provider
- Right to object to or opt out of certain uses of their data
- Right to be forgotten or have their data deleted
If you hold or collect data from any EU citizen, even one record of a member, customer, attendee, student, or prospect who’s an EU citizen, you must comply with GDPR. Ask around on ASAE Collaborate or SAE communities for referrals to consultants who can help you set up the data privacy policies and procedures you’ll need going forward.
Association consultant Terrance Barkan said in a Collaborate discussion:
“GDPR compliance is not as onerous or difficult as most people expect; however, you need to do a proper analysis to determine what compliance looks like for your organization.”
The Increasing Potential for a Federal Data Privacy Law
The U.S. doesn’t have a universal privacy regulation except for heavily regulated industries such as banking and healthcare. But some type of privacy regulation is likely, considering the outrage over recent Facebook and Google data breaches.
Tech companies like Amazon, AT&T, and Apple have spoken to Congress about the need for a federal privacy law. They want to get ahead of any Congressional action so the law won’t be as onerous as the GDPR. Privacy advocates have also testified before Congress. Naturally, they envision a different type of regulation.
The momentum is building among lawmakers to draft data privacy legislation. Sen. Richard Blumenthal said:
“Until there is an effective enforcer at the federal or state level, with federal standards backed by strong resources and authority, consumers will continue to be at risk.”
The Washington Post surveyed cybersecurity leaders and found “they favored federal legislation because it would help replace the patchwork of state laws that govern data breach notification in the United States.” Rep. Jim Langevin has already introduced legislation to create a national breach notification standard. “This is bad for business and bad for consumers, who are treated differently depending on where they live,” he said.
If the U.S. adopts a privacy regulation, it probably won’t be as complicated and expensive as GDPR. But some states have already taken action. The California Consumer Privacy Act of 2018 (CCPA)—called GDPR-lite by many—goes into effect on January 1, 2020.
The CCPA is the toughest privacy law in the country. It doesn’t go as far as GDPR in terms of requirements and penalties, but it gives consumers many rights concerning their personal information. The CCPA applies to organizations that meet or exceed one of the following thresholds:
- Has annual gross revenues of $25 million
- Obtains personal information from 50,000 or more California residents, households, or devices annually
- Generates 50 percent or more annual revenue from selling California residents’ personal information
Depending on your association, you might not have to deal with GDPR or CCPA now, but it’s only a matter of time before federal (or state) regulations affect you too. Get out in front of this issue so you aren’t under duress later. Barkan said:
“It is far better and easier for an organization to adopt best practices and treat all of their data in a similar fashion than it is to try and have unique systems and processes for different jurisdictions.”
How to Prepare Your Association for New Data Privacy Laws
1. Treat this as an opportunity to implement privacy-by-design data practices and standards. Start by putting together a data governance team — a cross-functional team of representatives from departments that collect and use data.
2. Review how your association collects and uses data. In response to GDPR, some associations are creating a data inventory and data flow maps to help them understand how data comes into their organization and how data is used throughout their organization.
3. Develop a data governance plan with policies and practices that take the individual’s privacy into consideration. For example, you may decide to stop collecting data you don’t use, stop purchasing third-party lists, or stop adding business card contact information to your database.
4. Assess and revise your association’s privacy policy. Among other things, it should explain in plain English how your association uses personal data. Make sure landing pages and online forms explain how you use the data website visitors are submitting.
5. Your organization’s disaster recovery and business continuity plan should include a data breach response plan. All states currently require data breach notifications, although none are as stringent as GDPR’s 72-hour deadline.
6. Make sure everyone on an email list has opted in to that list. Give members the ability to subscribe to and unsubscribe from specific newsletters and types of emails. But remember, interests and preferences change over time, so encourage them to review their selections at least once a year.
7. Review your contracts with technology partners to make sure you can comply with an individual’s right to object, right to be forgotten, and with data breach notifications. Ask your technology partners how they handle your data as a processor, and how they will assist your association as the controller of data.
8. Take this opportunity to provide leadership to your members. Keep them educated about privacy regulations they need to comply with now and will likely have to comply with in the near future. Many of your members may not have the resources to hire consultants, so consider providing webinars, checklists, tip sheets, case studies, in-person roundtables, and a data privacy discussion group in your online community.
Data privacy is part of business as usual now. MemberSuite is helping clients comply with data protection regulations, and your association can help your members and member companies stay in compliance by sharing smart data practices with them.
To learn more about GDPR and smart data privacy practices, check out these resources from ASAE: