There is no shortage of blogs, podcasts, articles or opinions about the GDPR and how it is likely to be interpreted when it comes into effect in 2018. The following defines some of the key verbiage commonly used in GDPR discussions.


Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.


The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. In general, if you initiated the collection of personal data either directly or indirectly, then your organization is the ‘controller’ and liable under GDPR.  Running a website, collecting customer data for a marketing campaign, interacting with your customers in a structured way, providing downloads in exchange for registration – all of these would be examples of your organization collecting data and acting as a ‘controller’. 

Personal data

Any information relating to an identified or identifiable natural person (‘data subject’): an identifiable natural person is one who can be identified, directly or indirectly, by a name, an identification number, location data, an online identifier or to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.  If you are a ‘controller’ or ‘processor’ of personal data in an EU country, GDPR will apply to you for any data subject, regardless of their physical location.  If you are a ‘controller’ or ‘processor’ anywhere in the world and you process personal data of a data subject that is a resident in the EU, then GDPR will apply to you. There is no distinction between Business to Consumer (B2C) and Business to Business (B2B) personal data in this respect.

Personal data breach

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.


Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.  That will cover all IT systems that contain personal data, regardless of whether those systems are on your own site, in a cloud or provided by a processor.


A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. If you provide a service or system for your clients that has their customers’ personal data contained in it, then you are a processor and are subject to the law. Examples of this are a market research, marketing agency or a third-party service provider handling customer data on a company’s behalf. A controller will want to work closely with a processor (and may demand not only good GDPR compliance documentation but also liability responsibilities) to ensure they and the processor are compliant with GDPR. The personal data the processor has about their client contacts makes them the ‘controller’ of that data.


Any form of automated processing of personal data consisting of the use of personal data relating to a natural person, in particular to analyse or predict that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.  If you are using any sort of rules like machine learning, advanced analytics or AI in any of your IT systems and if those use personal data, then there is profiling being performed.


A natural or legal person, public authority, agency or another body, to which the personal data is disclosed.


A legal act of the European Union which, on enactment becomes enforceable as law in all member states simultaneously. This is from May 25th, 2018 after a two-year transition period and, unlike a directive, it does not require any enabling legislation to be passed by national governments and is thus directly binding and applicable.  So this is a law that could affect you. Whether your organization is affected by this regulation depends on whether you process ‘personal data’.

Restriction of Processing

The marking of stored personal data with the aim of limiting their processing in the future.  This is a fundamental tenet of the new regulation where you should only collect and use personal data when it is absolutely needed.

Special Categories of Personal Data

Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. There are exceptions in Article 9, but in general it is prohibited to process such data. Since it was not forbidden in the past, you may have inadvertently collected and be using such data.

And from Impexium…We’re here to help. Our industry-leading Association Management Solution (AMS) powers the association industry’s most forward-thinking and innovative organizations. We look forward to working together to make your organization’s GDPR journey a successful one.

Related Blogs

Bill McMoil: How This Changemaker is Confident With His New AMS.

Why RAPS is Confident With Their New AMS Selection

See how this Association Technology Disruptor implemented a new AMS for the Regulatory Affairs Professionals Society (RAPS).
What You Need to Know About General Data Protection Regulation

What You Need to Know About General Data Protection Regulation

The EU passed the world's strongest law aimed at strengthening citizen's fundamental rights: data protection. Here's what you need to...
What Metrics Should You be Tracking at Your Association?

What Metrics Should You be Tracking at Your Association?

Measure the actual engagement of your membership base - not just overall participation. We're sharing useful metrics to watch and...
What Do You Mean When You Say Integration?

What Do You Mean When You Say Integration?

Integration is a word we hear a lot when discussing association websites. To clear any confusion, we broke down the...


  • “…very excited because of the possibilities that I see for NADA moving forward, the ability to give our executives the information, any intelligence that they need in order to help our members better…the ability to simplify the whole application ecosystem, removing unbelievable complexity and bringing simplicity to the application.”

    Rafael Maldonado NADA
    Rafael Maldonado
    Former CIO at NADA
  • “…Impexium has allowed us to significantly improve our processes and procedures. We’ve automated quite a lot with Impexium and removed a number of manual processes that we had before. And staff are very happy about that.”

    Impexium RAPS Case Study
    Wendy Sahli
    Technology at RAPS
  • “I like the fact that by using Impexium versus our previous system, we will be able to reduce staff’s workload. As a result, NAADAC’s staff will be happy, feel more capable and competent…in serving our members.”

    Cynthia Moreno Tuohy NAADAC
    Cynthia Moreno Tuohy
    Executive Director at NAADAC
  • “I found Impexium to be more modern, more sophisticated, more user friendly, more intuitive.”

    Jeff Sventek AsMA
    Jeff Sventek
    Executive Director at AsMA
  • “We wanted a partner that would grow with us and one that could innovate with us. Impexium checked all those boxes. They took us from outdated to automated.”

    Laurie Bollig CoSIDA
    Laurie Bollig
    Director of Membership Engagement at CoSIDA
  • “You have to have a support team that communicates clearly, is a good listener, is patient and can really handle the problem solving…I have been really pleased with Impexium’s support. They are on-top-of things responsive…I know they will stick with me until we figure it out.”

    Kelly Webb FCLB
    Kelly Webb
    PR & Pace Coordinator at FCLB

Let's See If Impexium Is The Right Fit For Your Organization!

Trade associations, professional societies, and non-profits of all sizes have transformed their businesses and exceeded member expectations with Impexium’s membership management software. Request a personalized demo today.