“The General Data Protection Regulation for associations: the challenge of compliance”


Report of the Association Leadership Academy session on “The General Data Protection Regulation for associations: the challenge of compliance”, led by Mayer Brown.

Under the aegis of the Association Leadership Academy, and in cooperation with the European Society of Association Executives (ESAE), Mayer Brown hosted a well-attended briefing for associations on the General Data Protection Regulation and the challenge of compliance.

Over 140 association leaders were present to listen to Charles Albert Helleputte and Diletta de Cicco share their expert knowledge on this important topic.    After a warm welcome from Jens Peter Schmidt, the Mayer Brown Partner in charge of the Brussels office and a brief introduction from both Rachel Barlow of the Association Leadership Academy and Florence Bindelle of ESAE, the lawyers took a very practical approach to their task setting out 7 key steps to ensure readiness for GDPR.

We are most grateful to Diletta for her summary of the session set out below.

GDPR is coming in 108 days: are you ready?

The new European General Data Protection Regulation (GDPR) will come into force throughout the European Union on 25 May 2018. The GDPR will replace existing data protection laws and introduces significant changes and additional requirements that have a wide ranging impact worldwide on the way organizations are relying on data.

The key changes and additional requirements introduced by the GDPR include: tougher sanctions for non-compliance, keeping records of data processing activities, a new data breach notification obligation, providing information notices to data subjects, higher standards for consent, appointment of a data protection officer, strengthening of individuals’ rights to personal data, enhanced requirements for the supply chain, etc.

EU associations that collect and process personal data from their employees and staff, their members, individuals attending their conferences and their events, etc.,  should assess the impact of the GDPR on their activities and define their approach to compliance.

Preparing for GDPR compliance can be best achieved by taking the following 7 key steps:

  1. Inform your leadership, formulate a plan.
    Senior management should be made aware of the changes to data protection laws and how it will affect your activities.
  2. Map your personal data.
    A detailed investigation should be conducted into, and a record created, of the personal data your organisation is collecting, the purposes for which it is being processed, how it was obtained and the parties that it is being shared with.
  3. Appoint a data protection officer.
    A decision should be made as to whether it is required under the GDPR or otherwise desirable for your organisation to appoint a data protection officer who will be responsible for the implementation of the requirements of the GDPR and monitoring compliance with it.
  4. Review the grounds under which personal data is being processed.
    How and the basis under which personal data is being collected and processed should be reviewed to determine if any changes need to be made for this to continue under the GDPR, particularly where ‘con­sent’ and ‘legitimate interests’ are being relied upon to process personal data.
  5. Draft or update information privacy notices.
    The new Regulation requires organisations to be transparent and inform data subjects on how their personal data is processed. Privacy notices should be drafted or updated in order to include all the mandatory information required by the GDPR.
  6. Update your data governance policies and procedures.
     Policies, procedures and other governance controls within your organisation should be updated to detail how your organisation will practically comply with the new requirements under the GDPR. Employees should receive training on and should be regularly updated about this.
  7. Review your contracts with third parties and assess your international transfers.
    The contracts with the service providers and other parties that your organisation shares personal data with should be reviewed and, where necessary, renegotiated to ensure that your organisation is appropriately supervising the manner in which they process personal data. When service providers are located outside the EEA, you should identify a legal mechanism for carrying out these transfers to comply with the European data protection requirements.


The powerpoint from the session can be found here.

“Keep Calm and Ensure GDPR compliance!”

Dr Rachel Barlow

Brussels, 9th February 2018

About the Speakers

Charles-Albert Helleputte is a partner in the Brussels office of Mayer Brown. His practice focuses on transactional matters, with a strong focus on data privacy.

In the data privacy field, Charles is active in a number of sectors (hospitality, financial sector, travel platforms, aviation, infrastructure, etc.) and a range of practices (counselling on regulatory developments, data privacy aspects of employees’ monitoring and investigations, data collection and exchanges in the context of export control). He is regularly in contact with DPAs around Europe and has presented clients in front of the WP29.

He focuses on the development of data privacy laws in the EU in general, with specific attention to e-Privacy, data security and IoT. He regularly publishes articles on those matters. Charles is an active member of the AmCham EU Digital Economy Committee.

Diletta De Cicco is a legal consultant in the Brussels Office of Mayer Brown. Her practice focuses on privacy, data protection and cybersecurity.

Diletta wrote her LLM thesis on the adoption of the EU General Data Protection Regulation and its twofold impact on organisations and data subjects. She has recently passed the Data Protection Officer Certification exam offered by the University of Maastricht.

Diletta advises clients regarding a wide range of global data privacy and security issues. She assists organisations in complying with EU and national privacy laws, including developing global data transfers mechanisms, privacy statements, data breach notifications, privacy policies and procedures.

Diletta regularly publishes articles on those matters. She is an active member of the AmCham EU Digital Economy Committee.

Previous Association Leadership Academy sessions

emojiis on escalator

To communicate or not to communicate

The speakers sat down to face a tightly packed Press Club. Natalia Kurop as moderator set the context of the session by providing three key themes to be addressed by the speakers, and in the audience Q&A session: To communicate or not to communicate?
The role of communications and media relations in EU association advocacy. Feeling the fear and doing it anyway
Why is media relations important to advocacy? Working in the Twitter world Policy in 140 characters or less.

Woman in box

Do’s and Don’ts of working with self-employed contractors

This Association Leadership Academy session was hosted by Sophie Maes in the spacious Claeys & Engels theatre meeting room. Sophie presented on the potential for and means of legally complying with a self-employed status for both a Finance Director and a Secretary General as examples.


Influence and Media Messaging for associations

Sticky messages, led by Laura Shields, hosted by KPMG. Laura led an interactive workshop on developing media messages that “stick” for associations. A notoriously difficult task not least due to the need to build consensus within an association and the ensuing dilution of the key message.

red pole

Business Associations and their Corporate Members: how to harvest mutual strengths

The Association Leadership Academy held a lunch time session on ‘Business Associations and their Corporate Members: how to harness mutual strengths’, led by Brunswick.This session focused on gaining a better understanding of corporate priorities and how these could be integrated into an association’s strategic planning.

Would you like to advance your career or appoint someone?