On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) goes into effect. According to the EU’s GDPR website, the new law is “designed to harmonize data-privacy laws across Europe, to protect and empower all EU citizens’ data privacy, and to reshape the way organizations across the region approach data privacy.” The impact on any organization that collects information from EU citizens — including associations that hold meetings in Europe or host attendees from Europe — will be sweeping. In an article written for EU-based Boardroom magazine, which has a content-sharing agreement with Convene, attorney Benjamin Docquir — head of the information-technology and intellectual-property law department at Osborne Clarke in Brussels — explains what you need to know.
In order to move toward greater compliance with the GDPR, associations should pay a good deal of attention to the following areas:
› Mapping data flows and the entities responsible for them
One of the cornerstones of the GDPR is that organizations, including associations, must be able to identify what categories of personal data they process and who may decide on the usage of such personal data. The entity identified as the “data controller” is accountable for the processing of personal data vis-à-vis the individuals concerned (e.g., the employees or the individual members of an association), and must be ready to answer requests from regulatory authorities.
Where an association is active on a global scale or across several countries, including outside the European Union, the GDPR may nevertheless be entirely applicable. The data controller must therefore ascertain whether and to what extent the GDPR applies to its activities and, where necessary, appoint a representative in the European Union.
Not only must the data controller have a comprehensive view of data flows and data-processing operations, he or she must also determine and implement appropriate policies and measures to ensure that the provisions of the GDPR are fully respected. Such measures will generally include drafting a comprehensive data-protection policy, which will disclose in plain language the policies and practices of the association with respect to the processing of personal data.
In addition, certain associations will have the legal duty to appoint a “data-protection officer” — i.e., an internal or external resource with a sound knowledge of data-protection law and practice, tasked with assisting and advising the data controller with the many requirements imposed by the GDPR.
› Implementing the rights of employees and members
Generally speaking, associations are likely to process the personal data of (1) their employees and internal resources, and(2) their individual members. The GDPR gives “data subjects” — i.e., the people whose data is processed — a number of rights in order to reinforce the degree of transparency and control over their personal data.
As a result, associations must be prepared to inform their employees and members in a comprehensive manner — through the data-protection policy or by giving them notice of a specific document — and make sure that they are provided with information such as the categories of data processed, the purposes of processing, the legitimate aims pursued by the association, the storage duration of the categories of data, the recipients or categories of recipients of data, etc.
Individuals also have the right to request access to a copy of their personal data and, in some cases, to have the data corrected or erased, or to have the association put an end to some aspects of the processing operations. Associations must therefore put in place appropriate internal processes and ensure that such requests from employees or members — or other data subjects — are answered within the legally applicable timeframe of one month.
› Managing relationships and contracts with data processors
Data controllers may entrust an external entity — called the “data processor” — with a number of tasks on their behalf. In such situations, associations must carefully select the external provider, but also make sure that there is a written agreement in place that takes full account of all the requirements under the GDPR. The first and foremost of such requirements is that the data processor must process the personal data only upon the documented instructions of the data controller.
Again, associations must therefore have a clear picture of what categories of data they are making available or transmitting to their data processors, so as to be able to keep control of such data. Other topics that must be addressed in the written agreement with the data processors include security requirements, notification of data breaches, the obligation to take part in audits, and the duty to assist the association when dealing with a request from a member or an employee.
Existing agreements currently in place need to be reviewed to ensure that associations are complying with their legal duties as of May 25, 2018. For future agreements, a template should be created so that associations can rely on it to make sure that their agreements with various data processors are aligned with the legal GDPR requirements.
› Creating and maintaining a register of data-processing operations
Associations must set up — and keep updated — a register describing their data-processing operations. This register may be kept in English. It must be made available on request to the regulators, and contain a description of the categories of data processed, the purposes of the processing, the recipients or categories of recipients of data, and the existence (if any) of transfers of data outside the European Union or the European Economic Area (EEA).
The register may be kept in electronic form. The GDPR does not impose a specific format. A spreadsheet may be sufficient as long as it is com- pliant with the GDPR’s requirements regarding the content of the register.
› Implementing security measures and data-breach notification procedures
Associations must determine and implement appropriate security measures and policies to address the potential risks to the rights and freedoms of individuals whose data is processed. Those measures may include encryption, pseudonymization, access control and access management, and employee training.
Whenever a security incident occurs that may trigger an additional risk for individuals, associations — i.e., their data controllers — must notify the data-protection authority of the breach, with a description of the data that has been leaked or compromised, the potential impact, and the measures taken to remedy that and address the flaws and errors that were identified. In some circumstances, the data controller must also notify the individuals themselves about the breach.
This means that associations should take information security more and more seriously, discussing the issues openly with their IT providers —internal or external —and making sure that there is general alignment between the legal requirements and the way they are dealing with security.
› International data transfers
Last but not least, associations must ensure that the rules on the transfer of personal data outside the EEA — the EU plus Liechtenstein, Norway, and Iceland — are respected. Such transfers occur whenever a database is centralized in a third country (such as the United States, for example), or when personal data may be accessed from that third country.
Also, when associations appoint a service provider or a cloud-computing services provider, there is a possibility of the data being hosted or stored outside the EEA. That shouldn’t happen without the association being aware of it, basically because the GDPR states that such transfers are only allowed under specific circumstances or subject to specific conditions. These conditions may involve the fact that the third country is regarded as “safe” or providing an adequate level of protection, or the conclusion of specific agreements related to the data transfer, to ensure that the entity importing the data in the third country will abide by a minimum of fundamental principles of data protection.