GDPR will impact Trade Associations and their Members - make sure you're ready for the new regulations!

What GDPR means to you

What are the specific challenges to your sector?

How we can help

Achieve Compliance with the GDPR123 Framework

Want more information?

Contact us to discuss your specific business requirements

Specialised GDPR services for Trade Associations


The General Data Protection Regulation (GDPR) comes into force on 25 May 2018 and introduces additional compliance requirements for all organisations, including membership bodies and trade associations who may have some additional considerations depending upon the type of data they collect and process.

Membership organisations will typically hold personal data in respect to each of their members including everything from basic contact information through to records of event attendance, receipt of publications, and payment/financial information. They may also hold “special category” data on their members (for example trade-union membership details, religious beliefs or health related information) which will need special consideration as the new rules regarding the collection, use and retention of this personal data represents a major change for many trade associations. Clarification of what is Personal Information and what is Sensitive or Special Personal Information can be found in our “What is GDPR” blog.

Processes should be put in place to manage the personal data held on members to ensure it is only used for the purposes for which consent has been obtained. Data on members can no longer be used for activities such as marketing, unless the organisation has specific consent for this. There should be a system in place to record and evidence the consent of members. When a member joins an organisation, they should be asked for their consent to sign up to email marketing and be told clearly what that will entail – for example renewals, events, discounts and offers.

Trade Associations and Membership Organisations would be wise to consider segmenting their membership data and communications as part of a risk-based approach to compliance. This is a simpler task than it is for other types of organisations as several communication types are likely to avoid the need for “consent” as the lawful basis for processing the data. Instead the legal basis could be pinned on either fulfilling the membership contract, or the legitimate interests of the organisation e.g. AGM updates/Professional Training/Latest Industry news – all of which are subjects that a member of an organisation would reasonably expect communications about.



For some membership bodies it may be mandatory to appoint a Data Protection Officer (DPO). This is particularly relevant for those organisations where their main activities involve processing large volumes of personal data and is also mandatory for organisations with over 250 employees. Even if not mandated, employing a DPO would be beneficial for many reasons including; modifying privacy policies on websites and contact forms, updating contracts, providing ongoing awareness training, advising on the means by which lawful basis for processing can be obtained, reporting breaches to the ICO, and liaising with partners, suppliers and members with regards to data protection.

Similarly, although it may not necessarily be a requirement to register with the Information Commissioner’s Office (ICO) going forward, certain membership organisations employing more than 250 people, or those processing “special category” data, or those where data processing activities are likely to result in high risk to individuals, will need to maintain detailed documentation about their data processing activities and make these available to the ICO on request.



For any membership organisation or trade association the GDPR presents an opportunity to reach out to the membership and present clearly and accountably the ways and means by which you intend to securely manage how their data is stored and used. For organisations where a membership of an individual or business is their life blood, retaining existing members and attracting new ones are critical. Having good governance in place, and the ability to communicate and evidence this can therefore only be a benefit.



Book your 15 minute consultation and speak to one of our experts who can evaluate your needs, and answer any queries you may have regarding the GDPR.

15 Minute Consultation Form

15 + 6 =

How we can help


GDPR123 are compliance experts who can guide you through the process of becoming GDPR compliant so that you can build client confidence, help you satisfy due diligence investigations as well as avoid fines and remedial actions imposed by the Information Commissioners Office (ICO).

  • Stage 1 Audit / Gap Analysis
    Your organization will be measured against the GDPR which will result in a Non-conformity report.  This is a clear set of instructions that explain what you need to do to become compliant.
  • Prepare a Legal Register and Documents
    Review/supply policies, procedures and plans.
  • Prepare a Due Diligence Pack
    Quickly turn around and satisfy Due Diligence enquiries.
  • Cyber Insurance Review
    Ensure that you have the appropriate level of cover.
  • Review Web Operations
    This includes Web-based forms to ensure they obtain appropriate and affirmed consent as well as ensuring they are unambiguous.
  • Training and Awareness
    With 8 in 10 data breaches resulting from Human Error, the GDPR requires organisations to implement appropriate organisational measures to ensure the safeguarding of PII (Personally Identifiable Information). This includes appropriate levels of awareness training.
  • Dealing with Brexit
    We understand the implications of Brexit and will advise you accordingly as the various stages of Brexit are implemented.
  • 72 Hour Breach Notifications
    It is important to have an appropriate and tested plan in place for data breaches.  Failure to have this in place can attract a penalty of between 2% of your global turnover or 10,000,000 Euro, or 4% of your global turnover or 20,000,000 Euro. The fines are calculated to whichever is the greater and are purposely designed to be dissuasive.
  • Handle SARs (Subject Access Requests and Rights Requests)
    GDPR gives Data Subjects human rights in terms of their Data and with this comes their right to request the Data Controller or Data Processor to undertake certain actions.  Failure to respond to a request in time is a breach if their rights and is taken very seriously so you need to be prepared.
  • Determine and Appoint/Act as a DPO Data Processing Officer
    In some cases a DPO needs to be appointed.  We will help you determine if you need a DPO or make a recommendation if it would be advisable.



Search All Sectors


Other Sectors


Financial Services
Trade Associations
Marketing / Telesales
Charities / Non-Profit
Child Services / Education
Retail / E-commerce