The ramp-up of GDPR compliance requirements in 2022 will present a very real threat to associations.
Prepare to see a brand-new set of GDPR regulations around consent as well as an uptick in enforcement. These big changes to GDPR add “teeth” to the real impact these protections have on associations in the U.S. and beyond.
Plus, the expansion of the European Union (EU) General Data Protection Regulation (GDPR) means that most associations are still liable for the compliance processes of all third-party vendors (e.g., AMS, LMS, newsletter providers) AND partners that may be handling any member data and user information collected by your organization.
Here, we’ll look at GDPR compliance in 2022, how new regulations raise the stakes for associations, and solutions to manage consent flow across your entire digital landscape.
Rundown of Major GDPR Changes
Because it’s “extraterritorial” in scope, the GDPR applies to associations, not-for-profits, and all kinds of organizations in the U.S. and around the world that collect, store, share, or process the personal data of their members and user base.
Any professional association that merely offers its membership or products to an EU resident, or has an employee in the EU, is bound by the law. This covers most associations today, as well as any organization that opens its products and services to a global audience.
These organizations need to keep an ear to the ground regarding new GDPR rules, deadlines, and best practices around personal data handling, including the concepts of consent, transparency, profiling, recordkeeping, encryption, data breach notification, and individual control over how personal data is used.
Ultimately, the goal of any new or upcoming changes to the dense and complex data privacy law is to give control of personal data back to the individual.
Beyond strengthening the existing policies involving personally identifiable information (PII) and consent enforcement, there are also brand new laws affecting organizations that share PII and proposals that impact any organization that uses AI marketing tools or analytics systems.
Tightening of Opt-in Consent
The current cookie architecture is in flux as we move to a cookie-less future. New GDPR consent updates are expected to clear up ambiguities around how regulations frame explicit opt-in consent and the intended purpose of data.
In order to truly prevent the unwanted collection and use of personal data, third-party cookies are on the chopping block in future GDPR legislation.
By next year though, many experts say the GDPR will update consent compliance requirements for first-party cookie IDs and universal IDs, which are usually in the form of a hashed email or IP address.
Cookie IDs are considered personal data under GDPR. A cookie ID is a unique identifier set in a user's browser so sites can remember their preferences and settings. Currently, EU data privacy laws don't allow websites to store analytics cookies without explicit user consent, and that consent must be withdrawable at any time, at which point the cookie script must stop running immediately.
A growing crackdown on consent violations is pushing regulators to flex their muscles in the year ahead. User consent needs to be an intentional and explicit choice based on clear information about why user data is being collected and how it will be used.
Google and Amazon have been penalized for inadequate transparency in this regard, firing tracking pixels without explicit, informed consent. Hefty fines can also be levied if you don’t make it easy for users to give and withdraw consent freely at any time.
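To make the consent rule concrete, here is an added example (not code from the article or from any CMP vendor it mentions) of a minimal consent gate for analytics tags: nothing in the "analytics" category is loaded until the visitor opts in, and withdrawing consent purges the category's cookies and drops its script immediately. The tag URL, cookie names, and category names are constructed for illustration; the gate takes a small adapter so the same logic can be exercised outside a browser.

```javascript
// Added example: consent-gated loading of analytics tags.
// Tag URLs and cookie names below are constructed, not real services.
const TAGS = [
  { id: "necessary", src: null, cookies: ["session"] }, // strictly necessary, no opt-in needed
  { id: "analytics", src: "https://analytics.example/tag.js",
    cookies: ["site_analytics_id", "site_session_stats"] },
];

// Parse a document.cookie / Cookie string into a name -> value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const i = part.indexOf("=");
    if (i < 0) continue;
    const name = part.slice(0, i).trim();
    if (name) out[name] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return out;
}

// Cookie string that deletes a cookie: empty value, already expired.
function expiredCookie(name, path = "/") {
  return `${name}=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=${path}`;
}

// adapter: { getCookies(), setCookie(str), injectScript(src), removeScript(src) }
function createConsentGate(adapter, tags = TAGS) {
  const consent = { necessary: true }; // everything else defaults to "not consented"
  const loaded = new Set();

  // Enforce the current consent state: load what is allowed, purge what is not.
  function apply() {
    const present = parseCookies(adapter.getCookies());
    for (const tag of tags) {
      const allowed = consent[tag.id] === true;
      if (allowed && tag.src && !loaded.has(tag.id)) {
        adapter.injectScript(tag.src);
        loaded.add(tag.id);
      } else if (!allowed) {
        // Removing the <script> stops further loads; it cannot undo code that
        // already ran, so the cookie purge is what actually stops the identifier.
        if (loaded.has(tag.id)) { adapter.removeScript(tag.src); loaded.delete(tag.id); }
        for (const name of tag.cookies) {
          if (name in present) adapter.setCookie(expiredCookie(name));
        }
      }
    }
  }

  apply(); // purge anything left over from before consent was recorded
  return {
    grant(category) { consent[category] = true; apply(); return this; },
    withdraw(category) { if (category !== "necessary") consent[category] = false; apply(); return this; },
    isAllowed(category) { return consent[category] === true; },
    loadedTags() { return [...loaded]; },
  };
}

// Adapter for a real page (document is the browser DOM; not exercised here).
function browserAdapter(doc) {
  return {
    getCookies: () => doc.cookie,
    setCookie: (s) => { doc.cookie = s; },
    injectScript: (src) => {
      const el = doc.createElement("script"); el.src = src; el.async = true;
      doc.head.appendChild(el);
    },
    removeScript: (src) => doc.querySelectorAll(`script[src="${src}"]`).forEach((el) => el.remove()),
  };
}

// In-memory adapter so the gate can be run and checked outside a browser.
function memoryAdapter(initialCookies = "") {
  const jar = parseCookies(initialCookies);
  const scripts = new Set();
  return {
    jar, scripts,
    getCookies: () => Object.entries(jar).map(([k, v]) => `${k}=${v}`).join("; "),
    setCookie: (s) => {
      const [pair, ...attrs] = s.split(";").map((x) => x.trim());
      const eq = pair.indexOf("=");
      const name = pair.slice(0, eq), value = pair.slice(eq + 1);
      if (attrs.some((a) => /^max-age=0$/i.test(a))) delete jar[name]; else jar[name] = value;
    },
    injectScript: (src) => scripts.add(src),
    removeScript: (src) => scripts.delete(src),
  };
}
```

Two design points matter for the rule described above: consent for the analytics category is false until `grant("analytics")` is called (no pre-ticked box), and the gate runs `apply()` once on creation so identifiers left behind before consent was recorded are purged rather than silently reused.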
Impact on Digital Strategy
Forward-thinking organizations view consent as the first touchpoint in the user journey and are taking a proactive approach to GDPR transparency and consent requirements on their website.
Public awareness of privacy rights over personal data has burgeoned. Organizations are increasingly incorporating privacy culture into their organizational narrative by putting compliance and user trust at the heart of their proactive privacy experiences online.
Instead of being on your heels, mindlessly reacting to changing regulatory responsibilities, you can begin to harmonize your marketing and brand positioning with your compliance practices.
Aiming for the highest bar of GDPR compliance will gain you the competitive advantage you need in an increasingly demanding market and digital environment. For example, savvy organizations are setting up dedicated privacy rights infrastructure such as online channels for rights requests fulfilled by a real “face” of your team.
Crafting more proactive data privacy and consent management programs will allow you to be more genuine and upfront with your members and web visitors.
Telling them exactly how you’ll use their information to tailor content to their unique preferences promotes a win-win relationship: your audience gets a more personalized, enjoyable, and impactful online experience, and in turn, your organization enjoys higher levels of engagement.
GDPR Compliance and AI
There’s new data protection legislation on the horizon mirroring and potentially interacting with GDPR requirements. Perhaps the biggest change is the proposed AI regulation as part of the European Commission’s Artificial Intelligence Act (AIA).
The drafted regulatory framework establishes a risk-based approach to the controls placed on (and investment funnelled into) the use of AI systems, based on their intended purpose. It also seeks to balance data privacy and AI innovation.
Though the exact AI regulations are still being ironed out, your association should be prepared to comply if you’re using (or plan to start using) AI. Just think about the widespread impact GDPR continues to have on digital practices here in the U.S. and beyond.
Impact on GDPR
The proposed AI requirements for storing personal data conflict somewhat with the GDPR-compliant practice of deleting as much data as possible. Article 10(5) in the new legislation attempts to address this discrepancy in data governance.
“The providers of [high-risk AI] systems may process special categories of personal data referred to in [the GDPR], subject to appropriate safeguards for the fundamental rights and freedoms of natural persons, including technical limitations on the re-use and use of state-of-the-art security and privacy-preserving measures, such as pseudonymisation, or encryption where anonymisation may significantly affect the purpose pursued.”
Point is: these new protections—combined with other EU regulatory proposals like the Digital Governance Act (DGA), Digital Markets Act (DMA), and the Digital Services Act (DSA)—will force a fundamental shift in our data, digital services, and AI-related activities. Prepare for these changes rolling out at the end of 2022.
Impact on Associations
Today, there are various places where AI is embedded in the association space in order to serve up highly tailored content to members.
For example, many associations are using AI-powered personalization tools such as Optimizely's content intelligence functionality, Sitecore Experience Platform, and rasa.io’s email auto-personalization platform to tailor digital experiences and send curated messages.
Those are just a couple of examples, but AI solutions and their adoption by associations are expected to grow in the coming years in order to gather member insights, streamline operations, and automatically drive member engagement and relationships.
These new regulations will play a role in the growth and deployment of these AI solutions. Nothing earth-shattering though. Over time, it’s more likely than not that GDPR and AI development will coexist peacefully and synergize efforts towards creating a more personalized user experience through better data protection, security, and transparency.
However, China's new Personal Information Protection Law (PIPL) could be a game-changer for the safe deployment of AI. The PIPL, which went into effect on November 1, 2021, provides a much-needed risk-based compliance framework that is nonexistent in the GDPR.
New Data Sharing Contract Deadline in Late 2022
The EU adopted more modern standard contractual clauses (SCCs) on June 4, 2021 that make it easier to protect, share, and receive PII between EU and U.S. organizations and other non-EU entities in a couple of clicks. These user-friendly tools reflect new GDPR developments in how personal data is secured and exchanged within protected guardrails in our interconnected digital world.
The deadline to fully transition old contracts to the new SCCs is Dec. 27, 2022. Older versions of the SCCs remain effective until this deadline.
If your organization has data transfers relying on old contracts, then you should get a transition plan in place now. The reinforced clauses contain an easy-to-implement template to meet these new data protections and maintain the flow of your data processes.
Old SCCs will no longer provide the safeguards needed under EU data privacy laws after December 27, 2022, so your organization should revise its existing contractual structures as soon as possible.
What Happens if You Don't Comply with GDPR?
Compliance with GDPR is not optional. Violations can result in colossal penalties of up to 4% of global annual revenue depending on the severity and circumstances. And under the new AI regulatory agenda, the highest tier of penalties is even more drastic.
GDPR fines aren’t just handed down for flagrant violations such as when Facebook was slapped with a $5 billion fine for breaching data privacy and consent. Substantial fines can also be levied for not allowing users to easily and freely give and withdraw consent and for not sending a data breach notification within the 72-hour window.
Beyond the increase in landmark fines and high-profile data breach scandals, smaller organizations have been caught in the regulatory crosshairs as well, incurring substantial costs and reputational damage. And because of the growing list of GDPR fines around the world, consent enforcement is projected to strengthen next year.
European Data Protection Supervisor Wojciech Wiewiórowski has proposed a GDPR enforcement review in June 2022 and believes this would also be a good time to discuss what data protection and e-privacy regulations may look like five to 10 years down the road.
You can find the EU’s official GDPR compliance checklist for U.S. organizations here and an all-encompassing compliance checklist for organizations around the world here.
Best Tools for GDPR Consent Management
There are many dozens of consent management platforms (CMPs) that help you capture and manage consented data and compliance messaging.
These CMP solutions essentially streamline GDPR-compliant data collection and clear consent management. They also support multi-standard compliance regulations for data privacy management.
We’ve identified some of the best CMP software in the marketplace based on our decades of experience as web developers and a compilation of unbiased reviews, reports, and ratings of user satisfaction.
Here are our top picks:
OneTrust
OneTrust is a flexible CMP that helps organizations comply with GDPR regulations and avoid legal fines. This flexible cookie consent software is trusted by 7,500+ organizations, including half of the Fortune 500, that use the platform to:
- Brand personalized cookie banners based on user location and advanced geotargeting so you’re geo-aware rather than showing inapplicable GDPR notices.
- Maximize cookie opt-ins using A/B testing and other consent rate optimization practices.
- Detect compliance violations and block hidden cookies and tracking pixels.
- Build integrated and GDPR compliant programs across all of your software systems.
- Make trust a competitive advantage through transparent and powerful data privacy, security, and data governance.
OneTrust offers transparent pricing as well as a “best price guarantee,” meaning the company will beat any competitor pricing.
Cookie Script
Cookie Script is a simple, easy-to-use CMP that ticks all the boxes for website GDPR compliance. The relatively uncomplicated and inexpensive platform allows you to:
- Make your site GDPR compliant without requiring any coding or programming skills.
- Easily install, configure, and tailor cookie consent to the needs of your organization.
- Give web visitors the ability to withdraw cookie consent at any time on any page.
- Automatically scan, categorize, and add predefined descriptions to all cookies found on your website to ensure GDPR compliance is always up-to-date.
- Easily create cookie policies for different projects requiring GDPR settings by showing you examples and templates.
Cookie Script is available for free on websites requiring a simple cookie consent banner. Otherwise, the price depends on the features and functionality provided.
Secure Privacy
Secure Privacy is a relatively newer CMP that helps websites comply with GDPR and other regulatory requirements. The intuitive, yet powerful cookie consent solution has an easy-to-use interface and can be set up in a matter of minutes to:
- Automate customizable cookie consent banners and widgets, visitor preferences, privacy policy, and cookie declaration management to keep your website up-to-date with international data privacy laws.
- Continuously scan your website for data collection/tracking technology and record the user consents you collect automatically.
- Add stylish, customizable cookie banners to maximize consent rates.
- Integrate easily with the other software and applications your association uses.
Secure Privacy allows you to get started with a free trial and then choose an appropriate plan for the size and GDPR requirements of your organization.
Quantcast Choice
Quantcast Choice is a free, full-featured solution for GDPR headaches and consent management, with no strings attached, that allows you to:
- Set up, implement, and use it easily, with helpful tooltips explaining each feature.
- Add to each of your sites and manage consent preferences in a single place.
- Record consent ratio and basic visitor stats.
Most “free” CMPs only provide a restricted, bare-bones service with extra features locked behind a paywall. However, Quantcast Choice is truly a free CMP that offers all the basic functionalities to meet GDPR requirements as well as a simple interface and live support.
One potential downside is that you cannot customize the cookie consent language or add additional messaging alongside what’s provided. The legal text is set in stone.
The Rise of Privacy-First Personalization
There are about two billion websites, with 380 new ones popping up online each minute. In order to stand out in the Wild West of the World Wide Web, personalization is key.
In fact, Statista reports that 90% of Americans prefer personalization, and a global study by Deloitte and SSI found that 79% of people are willing to share their personal information if there is a clear benefit in return.
How then can your association balance GDPR compliance with the desire to collect every piece of information to push personalization? Enter the shift to zero-party data (ZPD) and Privacy-First Personalization.
As described by Forrester Research, “zero-party data provides explicit interest and preferences — and you must use it to improve the value you provide to consumers.”
Essentially, ZPD is about allowing users to intentionally and proactively share their personal information in exchange for a more personalized and enjoyable experience.
With changing attitudes, the transition to a cookie-less internet, and new privacy regulations popping up regularly, ZPD is now at the heart of the shift towards “Privacy-First Personalization.”
Privacy-First Personalization is all about building trust and transparency with your online audience in order to future-proof your approach to marketing, personalization, and long-term sustainability.
Here are a few ways you can embrace a strong, future-forward privacy culture through ZPD and Privacy-First Personalization:
- Unify all ZPD you collect from users across your digital ecosystem to develop an integrated, information-rich profile of each and every one of your members and users.
- Give users transparency and control over their personal data and user profiles.
- Develop a dedicated privacy channel where users can submit new data requests.
- Use data to personalize the products, content, and offers you display on your website and across all digital channels.
Netflix is a perfect example of the cyclical relationship between users consenting to the use of their personal data and, in turn, receiving added value and a richer experience.
Netflix's Privacy Statement describes upfront exactly how it uses the data it collects to "customize, personalize and optimize" its service. The result? An improved opt-in rate and a better relationship between the end user and service provider.
Wrap Up: Preparing for Changes in GDPR Compliance
It’s important for your association to understand AND track proposed regulatory developments as they’ll have a tangible impact on how we engage users online and deploy digital technology.
Public awareness of user consent and data privacy rights is at an all-time high today. GDPR compliance in 2022 is no longer about doing the bare minimum and going through the motions to avoid penalties.
It’s now about building trust, transparency, and mutually beneficial digital practices for your audience online and your organization.