Is Your Legacy System GDPR Compliant?

Have you heard about the new piece of European data regulation that will become law from 25th May next year?

The General Data Protection Regulation (or GDPR for short) was adopted on 27th April 2016. It will replace the current Data Protection Directive and is designed to strengthen data protection for EU citizens.

GDPR becomes law on 25th May 2018

Whilst the core objective of this new regulation remains similar to what’s currently in place, membership associations must take notice. That’s because as a result of consumers gaining more rights, businesses will face tighter obligations.

And with heavy penalties for those who fail to comply, it’s important you make the time to ensure you’re ready.

So to help, I’ve put together this article in the form of a Q&A.

It contains an overview of what you need to know about the GDPR along with some simple steps you can take to ensure your association is ready for 25th May 2018.

1. What’s the purpose of the GDPR?

In a nutshell, the GDPR is designed to strengthen consumers’ data protection rights whilst making data security law uniform across the EU. That’s because this key piece of regulation covers how personal data is captured, controlled, and ultimately used.

You could argue this change has been coming…

As you know, it’s become easier and easier for companies to capture data for marketing and other business activities. This has created huge opportunities for businesses in terms of sales, market research, and relationship building (to name just a few).

The business benefit is clear. High quality consumer data is a key asset for any business.

But as data collection has become more commonplace, consumers have become more sceptical about why their data is needed, how their data is used, who owns it, and who gets access to it.

Add in cyber security and the threat of data being stolen when systems are hacked, and consumers are right to be concerned about the safety of their personal information.

Hence these new regulations…

That said, there are some business benefits too.

With the introduction of this uniform EU law, member states will no longer be required to write their own data protection legislation. As a result, this new regulation could help simplify cross-border trade, making it useful if your members are located across the EU.

2. What is classed as personal data?

You may be surprised at the broadness of this term.

That’s because ‘personal data’ covers everything that can be used to identify a person including their IP address, an email, a photo, bank details, social networking posts etc.

As a membership association, you will hold a significant amount of personal data. From bank details, to payment information, and contact demographics, personal data is at the heart of your day-to-day business activity.

3. How does the GDPR differ from existing regulations?

Whilst data protection remains at the core, here are four significant differences.

4. Does the GDPR apply to you?

All companies that sell to the EU must adhere to this regulation, regardless of where the business is located. So if you collect data from EU nationals, this new piece of regulation is relevant, even post Brexit.

That said, if your business operates solely within the UK, this position could change when we leave the EU. However, it’s likely you will still be required to review your systems because the UK government has suggested it will implement something similar or equivalent in the future.

5. What are the consequences of not adhering to the new guidelines?

Non-compliance is NOT an option! That’s because companies that fail to meet these new obligations could face penalties and steep fines.

The fine system is tiered, but the most serious infringements (such as insufficient customer consent) could lead to huge fines.

6. What do we need to do as a company to become GDPR compliant?

Firstly, it’s important to start now.

Sure, there’s still a little under a year to prepare, but you know how quickly time flies! With the threat of big fines, you don’t want to get caught out with systems and processes that don’t comply with the new regulations.

That’s the biggest issue here…

Theoretically you can wrap your head around your new obligations quite quickly. What’s going to be more challenging is ensuring you have the required systems and procedures in place – all trialled and tested for that May 2018 deadline. And if your existing system is not GDPR compliant, you’re going to need time to migrate to a system that is.

To Do List

To help you prepare, here’s a list of actions to consider to get the ball moving:

As you can see, there may be a lot to do. So if you run a membership organisation and your legacy system isn’t GDPR compliant, let’s have a chat, before it’s too late.

Interested in learning more?  Contact me at and I can put you in contact with the right people.