4 Oct 2021

Data protection - how GDPR affects your organisation

Download the leaflet (pdf)
The General Data Protection Regulation (GDPR) is a new EU-wide regulation that came into force on 25th May 2018. It superseded the UK’s Data Protection Act 1998 (DPA). If you are required to comply with the DPA then you will be required to comply with GDPR.

Britain’s exit from the EU will NOT affect the enforcement of this regulation. And, if you operate in the EU, it applies to you even if you are not based in the EU.

What are the key changes?

GDPR aims to put control of personal data back in the hands of the customer. It also focuses on bringing an international consistency to data protection rules.

It affects data ‘controllers’ and ‘processors’

Previously, under the DPA, processors had fewer obligations. Not any more. If you have anything
to do with customer data you need to adhere to data regulations.

Online identifiers like IP addresses and cookies are now included

If you use Google Analytics or any other website tracking tools this change affects you. You will need to consider how you gather and manage this data.

You need to prove you are ‘lawfully processing’ contact data

There are three ways in which you can do this:

  • Consent from the ‘data subject’ (the individual) - this will be the most common method BUT it is not the only one
  • For the necessary performance of a contract/service
  • It is in the data controller’s legitimate interest - this is a delicate method as you must balance the individual’s needs with the business’s needs. Beware - this sounds like the easy option but the Information Commissioner’s Office (ICO) will be watching organisations claiming this method carefully

You may use different lawful processing methods for different types of data, that’s fine. But, remember, consent is required for each type of data collected - this is known as ‘granular consent’.

Recording of consent

If choosing the consent method, you must record the fact that consent has been given, preferably in your CRM system. You will need to record who consented & how, when consent was given and what the consent policy was at the time.

Privacy by design

In order to ensure you can effectively do what’s required, such as recording consent, the regulation suggests you follow a ‘privacy by design’ attitude. Work with your various data management providers (email marketing platforms, CRM systems etc.) to ensure that your contact data is suitably protected.

Data protection officer

If you are a public authority, or carry out large scale monitoring of individuals or carry out large scale processing of data, you will need to appoint a Data Protection Officer.

Data impact assessments

If you process sensitive data - e.g. race, ethnicity, political opinions, biometric/genetic, religious beliefs, trade union membership, physical/mental health, sexual life, criminal offences - or if you are deploying a new technology, you will need to conduct a Data Impact Assessment.

A person’s rights are increased

Under GDPR, people’s rights are increased. They have more rights to access their own data; the right to be forgotten by your organisation; and they now have the right to object to being profiled (generally done for automated marketing purposes). They also have the right to move their data to another organisation and you have to provide it in an easy to use format.

Data breaches

You must now have a process in place to detect, report and investigate data breaches. You must also now report data breaches to the ICO within 72 hours.

Download the leaflet (pdf)

Related news & insights
News
09 November 2023

MemberWise Digital Excellence Report 2023/24

MemberWise launches their latest DigX report highlighting key trends and challenges faces by professional associations

Best practice Associations News Dynamics 365
Product demo
13 October 2023

Microsoft Sales Copilot

Check out a short demonstration of how to use Microsoft Sales Copilot in Outlook and Dynamics 365 to summarise your deals and draft relevant emails

Best practice AI Membership organisations Product demo
Whitepaper
06 February 2023

The importance of managing your member data

Don’t let your data quality let your CRM down

Best practice Data Whitepaper Dynamics 365

What do you need to do?

Conduct an audit

Understand where you stand currently when comparing your current data practices against new GDPR requirements. Create a plan of what needs addressing.

Review all internal policies

What’s missing, what needs updating?

Review your consent notices

Are you asking for consent at every point of data collection? Are you providing the opportunity to opt-out at each point (granular consent)?

Ensure all your data system providers are compliant

Are all your data system providers compliant? You have a responsibility to make sure they are, or to not use them if they are not.

Download the leaflet (pdf)

Related articles
Webinar
Tuesday 21st January, 9.30-10.30am

Boost Your B2B Member Engagement with AI and Dynamics

Trade Associations will learn from the LMA why smartmembership has been such a leading system for over 10 years

Best practice Modernisation AI Trade associations smartmembership smartawards
Demonstration
Tuesday 10th December, 9.30-10.30am

UX for All: Building a User Experience culture across your organisation

We’re thrilled to be presenting with our customer RTPI and Hart Square on how to build great User Experiences

Best practice Engagement Dynamics 365 Umbraco
Webinar
Tuesday 7th October, 9.30-10.30am

CRM, Web, Mobile apps, LMS - do I need them all, and should I put them all in at the same time?

Uncertain about implementing digital tools? Learn how to prioritise and adopt CRM, web, apps, and LMS effectively.

Best practice Systems integration Websites Portals