GDPR Legislation in the Context of an AMS

The following looks at the new GDPR legislation in the context of an AMS. It examines the important capabilities the AMS must provide to support GDPR compliance around capturing and processing data.

Article 9: Processing of special categories of personal data
Provide the capability to:
• Mark any identified special category personal data and to restrict access and use of such data.
• Associate a record of lawful processing based on one of the 10 exceptions listed in Article 9.

Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject
• For any requests that data subjects have regarding personal data, the AMS should be able to provide the information in an easily understandable format.
• The AMS should document the fact that this request has been made as well as executed.

Article 16: Right to rectification
• If a data subject requests that inaccurate information be corrected and that information is contained in the AMS, then the controller needs to correct this data and provide a record that this process has occurred.
• The AMS should provide capabilities to notify the data subject that the inaccurate information has been corrected in the AMS.

Article 17: Right to erasure
• If a data subject requires data to be erased then the AMS must be able to do the following:
  i. If valid, erase the data and send a confirmation to the data subject and attach a data entry to the data subject’s record that this has occurred.
  ii. If invalid, then send a notification to the data subject and attach a data entry to the EU resident’s record that this has not occurred.

Article 18: Right to restriction
• If a data subject invokes Article 16 or 17 where the AMS is involved and the request requires time for investigation before a decision can be made, then the AMS should provide capabilities that temporarily remove that information from use by authorized individuals.
• The data subject should be notified, and a record of that notification should be captured.

Article 19: Notification obligation
• If any rectification or erasure of personal data or restriction of processing was carried out in accordance with the above articles, then the controller must notify each recipient to whom the personal data have been disclosed of the exact rectification, erasure or restriction. The AMS system should provide the capability to notify these recipients.
• The controller shall also inform the data subject about those recipients if the data subject requests it. The fact that the EU resident has requested this should be acknowledged and tracked by the AMS.

Article 20: Right to portability
• A data subject has the right to have their personal data transferred to another provider. While the AMS system may not be the primary source of this information (telephone numbers, health records, bank transfer details, etc.), it might be used to consolidate this data. If this is the case then the AMS system should provide the capability to provide the required information in a form that can be transferred to an alternate provider.
• The data subject should be notified, and a record of that notification should be captured.

Article 21: Right to object
• If the AMS uses any form of automated decision making (such as next best product, next best offer, risk assessment, potential for purchase, etc. for any type of profiling purposes) that uses personal data and the data subject objects to that information being used, then the AMS system should have the capability to stop that personal data from being used for the automated decision making.
• The fact that the data subject has requested this should be acknowledged and tracked by the AMS.

Article 25: Ability to limit access to personal data
Provide the capability to:
• Identify and mark exactly what personal data is contained within the AMS.
• Set up specific access groups of individuals and other IT systems on a need to process/need to know basis.
• Ensure only the minimum amount of personal data is actually surfaced to each group of individuals or other IT systems to complete required tasks.
• Generate reports showing which personal data was accessible to which groups.

Article 34: Notification of a data breach
• When a personal data breach is likely to result in a high risk to the rights and freedoms of the data subject, the controller shall communicate the personal data breach to the data subject without undue delay.
• The fact that a breach has happened should be acknowledged and tracked by the AMS.

And from Impexium…We’re here to help. At Impexium, we started to think about how GDPR would be measured and tested in early 2017. Since then, we’ve been working on becoming GDPR ready. And today, our industry-leading Association Management Solution (AMS) powers the association industry’s most forward-thinking and innovative organizations. We look forward to working together to make your organization’s GDPR journey a successful one.
