The volunteer leader’s “job” is more complicated than ever. The last generation of leaders didn’t have to worry about cybersecurity or data privacy. But now, many chapters must comply with a host of new privacy regulations, like the European Union’s General Data Protection Regulation (GDPR), and new state laws, like the California Consumer Privacy Act (CCPA) that passed in June 2018. It’s only a matter of time before we start hearing about a new federal data privacy regulation.
With everything else on their plate, you can’t assume chapter leaders are aware of and understand these new regulations. Yes, your plate is plenty full too, but chapters depend on you to keep them in the know and on the right side of the law.
In this series, we assume chapters are subsidiaries, a situation that brings more risk to National, but also supposedly provides more control. Even if your components are independent, you’ll benefit from the advice we share.
We discussed cybersecurity issues in our last post, the fourth in our series on chapters in crisis. Now let’s get into data privacy.
Dealing with a chapter data privacy complaint
It’s always been common practice for some associations and chapters to give an attendee email list to an event sponsor for one-time use. However, in our lawsuit-happy society, you could imagine an event attendee one day filing a complaint about a chapter sharing his personal data without permission.
If only the chapter included a disclaimer or opt-in on the registration form about sharing information with event sponsors and/or exhibitors, you wouldn’t have this mess. Is there anything the chapter can do at this point to resolve the problem? What would make this person happy?
If all else fails, get your legal counsel involved so you can understand what’s required by law, where the chapter might have gone wrong, and what you can do to avoid further nastiness.
How to prevent a chapter privacy complaint
Data privacy is a complicated and ever-changing issue. For the best chance of success, talk with an attorney or consultant with experience in privacy regulation laws. In anticipation of new privacy regulations, many associations have taken the initiative to review and revamp their association and chapter data governance policies and practices.
One exercise that will help you get your hands around the data in your care or your chapter’s care is to map out the data lifecycle: how personal data enters the association or chapter and for what purpose, where it’s stored, with whom it’s shared, and when it’s deleted.
Many associations have developed new website privacy notices that state what visitor data they collect, why, and what they do with it.
Depending on the permission you receive from data owners (members, customers, and attendees), you may need to reconsider the sharing of data with third parties, such as sponsors, exhibitors, and other event partners.
Organizations with data subject to GDPR must figure out how to accommodate data subject rights. For example, members in the EU have the right to see their data, correct what’s wrong, and ask you to delete or return that data. Help chapters figure out what they need to do—and how to do it—if someone makes a request based on the rights granted to them by a data privacy regulation, such as the right to see their data.
Data privacy regulations have different requirements for notification in the case of a data breach. Make sure the chapter’s data breach plan and its people are capable of meeting those requirements.
Create a data privacy compliance checklist and other easy-to-read resources, such as tip sheets, for your chapter leader website. Make sure chapter leaders understand applicable privacy regulations, whether it’s GDPR and/or state laws. They must also understand what information is considered confidential and how to handle personal data, like credit card information.
Share sample policies and best practices for collecting and maintaining data, and sharing data with sponsors and exhibitors. For example, many people, maybe even some of your chapter leaders, believe it’s okay to add someone to a blast email list if the person gives you their business card. No, it’s not. You can’t add people to a distribution list without their permission unless you have an existing relationship, i.e., they’re a member, customer, or attendee.
As a component relations professional, you have to become a quasi-expert in many areas: financial management, nonprofit taxes and incorporation, cybersecurity, data governance, and the list goes on. Your chapter leaders need a basic understanding of these topics too. But you know what they say: teach what you need to learn. Encourage chapter leaders to share their knowledge and help each other develop the skills they need to stay out of trouble.
In our next “chapters in crisis” post, we turn to digital disasters.