If you work within a membership association and have not yet read up on the GDPR, then it’s best to start with our introductory GDPR article “How will the GDPR affect membership organisations in the UK & beyond?” It covers what you need to do to comply and explains the GDPR in general.
Your organisation will need to be GDPR ready by the 25th of May, 2018. After this date, an organisation can be penalised if it is shown not to comply with the regulation. The ICO have produced a handy 12 step guide to get you started.
Individual and organisation responsibilities
While it is unlikely that a membership organisation will be required to appoint a data protection officer, the ICO has the following to say about responsibilities:
“You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. It is most important that someone in your organisation, or an external data protection advisor, takes proper responsibility for your data protection compliance and has the knowledge, support and authority to carry out their role effectively.”
ICO, Preparing for the General Data Protection Regulation
It is advised that a director be appointed to be accountable for GDPR compliance and that, once processes have been agreed, all staff who handle or collect data know the organisation’s processes for doing so.
What penalties and fines could we face?
After the deadline date, if you still don’t comply then penalties could be imposed on your organisation. According to the GDPR, the following sanctions can be imposed by the ICO:
- Warning: A warning in writing in cases of first and non-intentional non-compliance
- Audits: Regular periodic data protection audits to be done
- Cease: Suspension of data collection/processing or deletion of data
- Lower-level fine: A fine of up to €10,000,000 or, in the case of an enterprise, up to 2% of the annual worldwide turnover of the preceding financial year, whichever is greater, for organisational infringements
- Upper-level fine: A fine of up to €20,000,000 or, in the case of an enterprise, up to 4% of the annual worldwide turnover of the preceding financial year, whichever is greater, depending on severity, for infringements of individuals’ rights
The full list of fines and the circumstances in which they apply is available in the regulation text, Article 83 paragraphs 4 and 5.
It is also possible for individuals or organisations to take legal action for damages based on GDPR misconduct. This could lead to class-action-style claims in the future.
How much to fine?
The following is taken into account to decide the nature of the action or fine:
- General: The nature and severity of the infringement, including the numbers affected and damage to those individuals
- Intent: Whether the infringement was intentional or negligent
- Mitigation: Whether action was taken by controllers or processors to mitigate damage
- Understanding: How much the controller or processor has taken into account the technical and organisational measures of the GDPR
- History: Previous infringements
- Cooperation: The degree of cooperation of the controller or processor with the ICO
- Data: Type(s) of personal data under scrutiny
- Detection: How the issue was discovered, particularly whether the infringement was reported by the processor or controller themselves
- Profit: Financial gains from the infringement
Thoughts for membership associations
The main takeaway for your association is to take the appropriate steps to ensure you comply before (and beyond) the deadline date, and to foster an understanding of what to do about the GDPR amongst the staff who deal with data. If you are already making an effort towards GDPR compliance then that’s great news for your membership organisation.
And of course if you wish to chat about redeveloping your organisation’s website to make membership tasks much more GDPR friendly and less hassle for your membership team, then simply get in touch to discuss your options.
We’re producing a series of informative articles about the GDPR and how it will affect membership organisations, so keep an eye on our news section, LinkedIn, Facebook and Twitter. Also consider checking out the ICO’s steps for preparing for the GDPR.
Want to receive monthly articles and updates containing advice and inspiration for the membership, nonprofit and charity community? Why not subscribe to Senior's mailing list?