General Data Protection Regulation and Associations

My key takeaways from a deep-dive in the "GDPR":

• Associations need to create awareness among their Board and employees on ‘data protection’ – fe. via the organisation of an information session.
• Associations need to update the language of their current privacy notices to integrate active consent (at member subscription, event registration, the website,…).
• Associations need to store their contacts in a structured database with clear identification of the source of the contact and the active consent of the contact.
• Associations need to create a document that describes what data is collected of whom, how these data are stored and protected, what the purpose of the collected data is, what is being done with the data and whom has access to the data. This document should be available for all persons in the database (‘data subjects’.).
• Associations need to include data protection rules in the contractual arrangements with suppliers in case these suppliers handle their data (fe: conference organisers).
• Data subjects should have given consent to be included in the database. For Members this is evident. For past Members: can be kept in the database until they ‘unsubscribe’. For non-Members: ask for active consent to be stored in the database.
• Data from Members, past-Members and non-Members that have given consent and do not unsubscribe, can be stored as long as needed. Other data (unsubscribers) can be stored for research purposes.
• Associations need to assign a controller and identify the processors of data. There is no need to assign a Data Protection Officer as long as the association doesn’t have at least a part-time employee responsible for database management.

Need more insight? Send me a message and receive the full information package.