Skip links

5 things to know about GDPR: Risks and opportunities for clubs

Privacy regulations in the European Union (EU) have long been considered some of the world’s toughest, and those laws are now becoming more stringent—even for U.S. organizations and even for private clubs.

The EU’s General Data Protection Regulation (GDPR), adopted in April 2016, requires all organizations that hold, transmit or process EU resident data to comply with the law—regardless of whether they actually operate in the EU. Failure to comply can result in significant financial penalties: up to 4 percent of global revenue or 20 million euro, whichever is greater.

Enforcement is scheduled to start on May 25, 2018. What do private clubs in the U.S. need to do now? Here are five key considerations.

  1. GDPR may apply even if your club does not have operations in the EU

GDPR casts a wide net. Companies, government agencies and nonprofit entities that interact with EU residents are all subject to this new law. Many organizations underestimate the amount of EU data they hold and, therefore, may not understand the legislation’s potential effect. For example, banks, hospitals, hotels and other organizations that hold data from EU residents are subject to the GDPR. Recent advances in digital communication mean that consumer data can be collected from around the world and stored within seconds in a variety of ways, including in websites, email systems, collaboration platforms, mobile platforms and business applications. It is also important to note that the definition of personal data under the GDPR is much broader than in any U.S. regulation and extends, for example, to information such as geolocation data, browser cookies, biometric data or anything else that could be used to identify an individual. To determine if GDPR affects your organization, you need to ask questions such as:

  • Do you offer goods and services to EU residents?
  • Do you rely on third parties that store or transmit data to or from the EU?
  • Do you collect, transmit or process data pertaining to EU residents?

Keep in mind, it doesn’t matter if the services are free. It also doesn’t matter whether your organization operates in the EU.    

  1. Timing for compliance is sooner than you think

While enforcement isn’t set to begin until May 2018, GDPR is already the law of the land in the 28 EU countries. Enforcement agencies have started visiting EU companies to assess compliance and they are expected to do the same in the United States.. That doesn’t leave much time for organizations to identify what EU data they may hold and how to protect it. For private clubs and other organizations in the middle market, timing is especially important. Enforcement actions are expected to be taken against middle market companies first, to make examples of them and set precedent for pursuing actions against larger companies. U.S. companies should be especially alert, as EU regulators look to set the tone for what’s expected from them under GDPR, given a historically different—and looser—approach to data privacy between the United States and the EU.

  1. Customers and employees can trigger enforcement action

Under GDPR, individuals can request that companies provide all data they maintain about them, and extensive, detailed information about how such data is protected. This includes how each customer’s consent is secured and tracked on an ongoing basis; the specific purpose for holding this data; and the nature and extent of protections surrounding that data, including any third parties that might be involved. Consumers can also request that all such data be provided to them in an electronic format suitable for porting to a competitor, or that all their data be completely erased from all systems the company uses, including, again, those from any third parties. Failure to provide timely and complete responses to consumer requests opens companies to formal complaints by consumers to the relevant GDPR supervisory authorities. This, in turn, can trigger the significant penalties mentioned above.

For the private club industry, the scope of GDPR couldn’t be greater as it touches processes and systems within human resources, operations, governance and planning. Since GDPR enshrines an EU resident’s right to access, removal and transport of their data, club leaders should plan out how they intend to accommodate EU members and their ability to make these requests under the law. Impacts to temporary labor processes should be considered as well. For example, as seasonal workers are hired for the busy spring, summer and fall seasons, any private data sent from the EU by applicants would also fall into the scope of GDPR. Similarly, club leaders should consider the logistical implications of being able to give effect to these rights to EU residents, and what changes may need to be implemented, across their processes or technologies.

  1. Start mapping and analyzing your customer data now

U.S. organizations should begin identifying or mapping EU customer and employee data immediately. It is not uncommon for EU data to reside in different departments, divisions or subsidiaries. This data will need to be protected and even segregated from other customer data, much in same way that U.S. organizations now protect and segregate credit card data through network segmentation standards under the Payment Card Industry Data Security Standard. Staff modifications may be necessary—for example, larger organizations may need to appoint a data privacy officer under GDPR.

While the task of data mapping and analysis may seem simple at first, it can actually be much more daunting to capture where personal data is stored across the environment, especially in organizations that rely on bring your own device (BYOD) or cloud storage solutions. Club leaders should document what personal data they hold of EU residents, how it was provided, and who they share it with (especially if that information is ever sent abroad). Guest, member and employee data would be good starting points for inventory; however it is also important to consider any financial processes as customer billing systems or marketing systems may have some of the same types of personal information. GDPR includes implications for providing notice to EU residents of what processing activities are taking place with their data, but also implications for breaches. Organizations must ensure they have the ability to promptly identify, detect and report any breaches of EU resident data which makes the data map such a crucial process.

  1. Leverage GDPR compliance as a business differentiator

GDPR represents a broader trend for privacy compliance on a global level. U.S. organizations will greatly benefit from assessing and aligning their privacy policies and procedures with this emerging global movement. By doing so, they will not only be able to comply with the requirements of GDPR, but will also be prepared to address additional new privacy laws that may arise from other regions and countries. For any legacy systems, processes or inventories of member or employee data, GDPR represents an opportunity to audit current holdings to identify whether any previously collected information is still needed. Modernizing procurement procedures to demonstrate privacy by design and updating data governance can also ensure accountability and provide oversight to areas possibly previously neglected within IT. Instead of looking at privacy compliance as another cost of doing business, organizations should consider it a leading practice that can help them differentiate themselves from competitors.

While GDPR represents an important step forward for individual privacy rights, it will require potentially vast changes and strategic planning by club leaders around the world to fully comply. RSM’s IT privacy methodology can help assess those gaps and provide guidance as you build out your compliance road map for GDPR and the future state of global privacy regulations.

Alain Marcuse, Director, Daimon Geopfert, Principal, Charles, Barley Jr., Director, and Nico Guetatchew, Supervisor, are with RSM US LLP, providing audit, tax and consulting services to private clubs. For more information, contact [email protected] or visit