An Association and Societies’ Guide to GDPR Compliance

GDPR compliance

GDPR Compliance—what is it and how does it affect you?

The acronym stands for the General Data Protection Regulation (GDPR), which was passed by the European Union in 2017, and which comes into effect this year. It covers businesses, but it also applies to associations and societies—anything that regularly handles members’ personal data.

GDPR might look like a headache from the outset, but the chances are you’re already doing some of what it sets out. Read through our guide to look at how it will impact on the way your association or society handles its data.

GDPR—the Benefits

The aim of the regulation is to harmonise data regulations among EU member states, offering better protection to businesses, associations and organisations from data breaches. Improved data management and security as a result ultimately benefits your members.

Download our free association and society's guide to GDPR Risks and Mitigation here!

The Requirements

The regulation kicks in from the 25th May this year (2018). From then on, associations and societies must have robust processes and policies in place to manage their members’ personal data. If your organisation doesn’t follow the regulations, you could face substantial fines—four percent of your previous year’s revenue, for example, or up to €20 million.

Associations or societies must make sure the personal data they hold on members is:

  • Secure
  • Limited to what is needed
  • Accurate, up to date and can be amended easily if incorrect
  • Can be seen by its owner if requested
  • Not shared with third parties unnecessarily
  • Only viewed by those who need to access it
  • Only kept for as long as it’s needed and deleted or destroyed after a period.

From 25th May, the association or society agrees that the data protection legislation applies to its association or society. In addition, it agrees:

  • All officials, staff and members know how to handle personal data correctly
  • Failure to comply with the legislation can mean substantial fines as well as reputational damage
  • If a breach occurs, you must notify your nation’s data authorities within 72 hours. For UK residents, this is the Information Commissioner’s Office (ICO).
  • If personal data is lost or stolen, there is a process to follow
  • If the association or society makes changes that affect personal data use, these are communicated
  • Its members understand that broadcast emails can be a security risk
  • Officials have allowed their names and contact details to be made publicly available
  • Personal data is only used for the official association or society purposes
  • The association or society’s website tells people how their data will be used
  • If your association or society fails to follow these regulations, you could be subjected to GDPR fines greater than €20 million or four percent of the previous year’s revenue.

Reputation and Your Potential Members

The GDPR has received a lot of publicity—as have contemporary issues with data protection and how organisations use our data. Potential members will scrutinise your association or society’s data governance policies and practices more closely. An organisation that has the proper, up-to-date data governance processes in place and has achieved GDPR compliance will benefit by keeping its members’ trust.


What about Brexit, you might ask? Will this get us off the hook? Not so. The legal separation of the UK from the EU doesn’t take place until 2019. Until that time, the regulations apply to UK associations and societies.

The data regulation rules are good practice in general. And it would be a mistake for UK associations and societies to avoid tightening their data protection processes just because they might not apply in the future – don’t make this mistake.

Boosting Your Association and Society’s Data Protection

The GDPR regulations represent a huge change with many complex requirements. Deal with everything early enough to give yourself time to research the new statutes and adapt your policies to the changes needed.

  1. Assess and document your current data and data requirements: Where does your association or society collect personal data? Check the points—what type of data is collected and from whom: vendors, members or officials? Document all your data processing, including the legal basis for using such data. Don’t forget: you’ll need to check if you have any inaccurate or out-of-date data you’ve shared with other organisations.
  2. Review your policies and procedures: Check your data protection policies, including privacy notices, and the language in documents to make sure they are compliant with GDPR regulations, if not even stricter. Review your contracts to ensure they include data processing requirements compliant with the new rules.
  3. Assess international contacts if you have them: If your association or society deals with data flows out with the UK, you’ll need to examine the protections you have for international data transfers.
  4. Assess your policies relating to children’s data: If your association or society works with children, you need to scrutinise your current policies to make sure they meet the GDPR’s exacting standards, designed to protect the data of the most vulnerable. Under the GDPR’s rules, a parent or guardian’s consent is needed to record and process children’s data. Other rules are in place too. Check the new policies to ensure that your association or society prioritises children’s data protection.
  5. Designate, inform, train: A member of your committee needs to take on the role of GDPR expert. That person’s job is to inform and train everyone within the association or society on how to manage data so that GDPR compliance runs from top to bottom.
  6. Review your consent policies and procedures: How do you currently obtain consent from your members and others? And how is that documented? If such procedures and policies aren’t at least as stringent as the GDPR’s, they must be amended.
  7. Review data breach procedures: Because associations and societies will need to notify the ICO within 72 hours of a data breach, you must make sure your procedures are organised. How do you detect, report and investigate data breaches? All these processes will be checked to ensure your organisation is compliant.

GDPR Compliance —the Checklist

Associations and societies that don’t comply with GDPR risk huge fines and reputational damage, which can result in loss of members. Read our checklist to make sure you’re able to achieve GDPR compliance:

  • Access—can members keep their information up-to-date easily?
  • Are any paper forms always stored securely?
  • Do you have a policy to notify members if there is a data breach?
  • Does your organisation remove all personal data when members leave?
  • When people register for your association or society, do you make them aware of your privacy policy?
  • Legacy data—do you know where all your information is? An example might relate to past officials who were part of your association or society.
  • Do you know how long you can keep your members’ information?
  • Is the members’ information encrypted?
  • Is the members’ information backed up?
  • Do you know with whom the information you hold is shared?
  • Do you send personal information by email?
  • When sending group emails out, do you always use bcc (i.e. blind copying so that recipients can’t see others’ contact details)?

PaySubsOnline—We Can Help Your Association or Society with with GDPR compliance

A reliable online admin system has many benefits, especially when it comes to data protection and GDPR. The system keeps all the information about your members in one secure place. At any one time, you know where your data is and who has can access it.

Here’s an example of this in practice. When you use PaySubsOnline and a member leaves, you’ll know their data isn’t sitting on multiple spreadsheets on different computers, or a past official’s sent email folder. All you need to do is delete the record and information relating to that member (including any personal data sent in emails) and you comply with the GDPR’s Storage Limitation requirement.

That’s just one example of how PaySubsOnline can help your association or society.

Below, you can download a list of common administration tasks that fall foul of the following six guiding principles of GDPR compliance:

  • Accuracy
  • Confidentiality and Integrity
  • Data Minimisation
  • Lawfulness, Fairness and Transparency
  • Purpose Limitation
  • Storage Limitation

Not all these tasks will apply to your association or society, but it’s likely that many of them will. We’ve put together a free document to help you identify problem areas and how PaySubsOnline can help your organisation achieve GDPR compliance.

Your free copy can be downloaded here.

Download our free association and society's guide to GDPR Risks and Mitigation here!

Please note: I reserve the right to delete comments that are offensive or off-topic.

Leave a Reply

Your email address will not be published. Required fields are marked *