Privacy Protection – no protection, no business
A large, well-known US-based international membership association faced the danger of being cut off from significant parts of its European member base once the General Data Protection Regulation (GDPR) became effective on May 25th, 2018. The board of directors was aware of the confusion that had arisen among the member base and decided to assess and address the situation.
As a result, the association can continue to access data from its European members, the integrity of the membership organization was preserved, and its reputation for caring about member privacy was kept.
Every organization doing business in Europe is affected by GDPR, which grants certain rights to data subjects (customers or members) and also demands that any organization collecting and processing European personal information follow strict rules. The association collects member information for dues processing and communication. European data is collected and transferred to the United States headquarters for processing; back-office processing and member communications are run from headquarters.
It was quickly determined that:
- The association wanted to access member information and communicate with members directly. However, only GDPR-compliant organizations can lawfully collect and process European data.
- The association had been struggling to grow its membership. Most attention and resources were allocated to membership development in the emerging market of Asia. Very few people in the United States truly understood the new regulation, and warnings from the European base about the pending regulation were neglected.
A cross-functional team was assembled to develop options and understand their respective impacts. The keys to solving the problem were helping the business decision makers understand the true impact of the new GDPR regulation and developing cost-effective options.
Several sessions with business leaders were scheduled to determine the business objective of collecting the data and the impact if they could no longer do so. An industry expert with extensive knowledge of the matter was brought in to explain the legal and financial consequences of non-compliance. Three options were offered for addressing the GDPR challenge:
- Doing nothing would not work, because the fine imposed for non-compliance could wipe out a large share of annual revenue.
- Establishing a processing center in Europe where all European data would be processed and kept. This option required significant investment in establishing such a center, and it would still not allow the United States-based headquarters to access the member data directly.
- Implementing a GDPR compliance program to make the association compliant. This option would allow headquarters to continue accessing the European members' data directly. It would also ready the organization to handle similar challenges from members in other parts of the world that are considering adopting similar regulations.
A team was formed to implement the GDPR compliance program. As a result, the association was able to continue accessing the European member base, the integrity of the membership organization was preserved, and its reputation for caring about member privacy was kept.