DEV Community

Custodia-Admin

Originally published at app.custodia-privacy.com

GDPR for Membership Organisations: Managing Member Data Compliantly

Subscription records, member directories, and benefit eligibility data — membership organisations have specific GDPR obligations.



Membership organisations — professional associations, trade bodies, learned societies, sports clubs, alumni networks — occupy a distinctive position under GDPR. Unlike a retailer who processes customer data transactionally, or a SaaS company that processes user data in the background, a membership organisation has an ongoing, multi-dimensional relationship with each member.

Why Membership Organisations Are Data Controllers with Ongoing Obligations

Under GDPR, any organisation that determines the purposes and means of processing personal data is a data controller. Membership organisations are unambiguously data controllers — they decide what member data to collect, how to use it, who to share it with, and how long to keep it.

What makes membership organisations distinctive is the continuity of the relationship. Data processing does not begin and end with a single transaction. Each member is processed at the point of application and onboarding, continuously throughout active membership (renewal cycles, benefit claims, event attendance), at renewal and lapse points, and after membership ends.

Types of Member Data You Process

Most membership organisations process a wider range of personal data than they initially recognise:

  • Member profiles: Name, contact details, employer, job title, professional registration numbers, membership grade
  • Payment records: Subscription payment history, invoice addresses, bank details or card tokens, Gift Aid declarations
  • Professional qualifications: Degree certificates, credentials, registration numbers, CPD records, competency assessments
  • Benefit claims: Insurance claims data, legal helpline usage logs, medical assistance records
  • Event attendance: Conference bookings, seminar attendance, dietary requirements and access needs (special category health data)
  • CPD records: Hours logged, learning activities, assessment results, reflective practice logs
  • Disciplinary history: Complaints received, investigation records, panel decisions, sanctions, public register entries

Dietary requirements and access needs can reveal health conditions, disabilities or religious beliefs, so treat them as special category data under Article 9. Disciplinary records concerning conduct that could constitute a criminal offence are criminal offence data under Article 10. Both need a specific condition for processing, and both warrant tighter storage and access controls than ordinary member data.

Member Directories: Consent or Legitimate Interest?

Many professional associations publish directories: publicly accessible listings of members with their contact details, qualifications, and employer. Directories serve a genuine public interest, because they let the public verify that a practitioner holds the membership or qualification they claim.

When legitimate interest applies: Legitimate interest (Article 6(1)(f)) is appropriate when directory publication is core to the purpose of the association and when members reasonably expect their details to be listed. A law society listing solicitors or an engineering institution listing chartered engineers can typically rely on legitimate interest (or, where the register is required by statute, on a legal obligation or public task under Article 6(1)(c) or (e)). Record the balancing test in a Legitimate Interests Assessment and publish only the fields the directory's purpose needs.

When consent is required: If directory listing is optional, or if you are sharing contact details beyond what members would reasonably expect, obtain consent. Consent must be freely given, so members must be able to decline or withdraw without affecting their substantive membership rights, and withdrawal must remove the listing promptly.

Disciplinary Proceedings: Article 10 Data

Disciplinary proceedings in professional associations frequently involve conduct that could constitute criminal offences. GDPR treats this data with special care under Article 10.

In the UK, Schedule 1 of the Data Protection Act 2018 lists the conditions under which processing criminal offence data is permitted. For professional associations, the regulatory activity condition is most relevant. Note that most Schedule 1 conditions are only met if you also have an appropriate policy document in place, setting out how you comply with the data protection principles and how long you retain the data.

Practical requirements:

  • Maintain a separate, restricted log of disciplinary proceedings
  • Keep raw investigation materials only until the appeal period has expired, unless your retention schedule records a specific reason to hold them longer; the outcome record itself is kept for the disciplinary retention period
  • Where outcomes are published on a public register, ensure publication is clearly authorised by your regulatory framework

Lapsed and Former Members: Retention Periods

When a member lapses, data does not immediately lose its purpose. Typical retention justifications:

  • Renewal: 12–24 months on legitimate interest
  • Insurance claims: Six years (potential claim window)
  • Disciplinary history: Six to seven years for professional conduct matters
  • Accounting records: Six years under UK tax law

Former members retain all their data subject rights, including access, rectification and (subject to the retention justifications above) erasure. An erasure request from a former member is therefore reconciled against the retention schedule category by category, not granted or refused wholesale: data with no remaining justification is deleted now, and data you must keep is recorded with its basis and a purge date.
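The category-by-category reconciliation described above, as an added example that is not code from the original post or from any membership platform. The category names are hypothetical; the retention periods are the ones listed above (24 months for renewal, six years for insurance claims and accounting records, seven years for disciplinary history); and every period is measured from the lapse date, which is a simplification (accounting records are normally reckoned from the end of the financial year). Special category and directory data, which have no retention justification here, are erased immediately; a scheduled category whose purge date has already passed is erased too.

```javascript
// Added example, not from the original post: reconcile a former member's
// erasure request against a retention schedule. Category names, periods
// (taken from the post) and the "measure from lapse date" rule are assumptions.

const RETENTION_SCHEDULE = {
  renewal_contact:  { months: 24, basis: "legitimate interest: renewal" },
  insurance_claims: { months: 72, basis: "potential claim window" },
  disciplinary:     { months: 84, basis: "professional conduct matters" },
  accounting:       { months: 72, basis: "UK tax law" },
};

// Add whole months to a UTC date, clamping the day so that e.g. 31 January
// plus one month gives 28/29 February rather than drifting into March.
function addMonthsUTC(date, months) {
  const first = new Date(Date.UTC(date.getUTCFullYear(), date.getUTCMonth() + months, 1));
  const lastDay = new Date(Date.UTC(first.getUTCFullYear(), first.getUTCMonth() + 1, 0)).getUTCDate();
  first.setUTCDate(Math.min(date.getUTCDate(), lastDay));
  return first;
}

const isoDate = (d) => d.toISOString().slice(0, 10);

// Partition the categories held for a lapsed member into those erased now and
// those retained with a basis and a purge date. A category absent from the
// schedule has no retention justification and is erased immediately; a
// scheduled category whose purge date has already passed is erased as well
// (it should already have been removed by the routine retention job).
function processErasureRequest(record, lapsedOn, now) {
  const erase = [];
  const retain = [];
  for (const category of Object.keys(record)) {
    const rule = RETENTION_SCHEDULE[category];
    if (!rule) {
      erase.push({ category, reason: "no retention justification" });
      continue;
    }
    const purgeOn = addMonthsUTC(lapsedOn, rule.months);
    if (purgeOn.getTime() <= now.getTime()) {
      erase.push({ category, reason: `retention period expired on ${isoDate(purgeOn)}` });
    } else {
      retain.push({ category, basis: rule.basis, purgeOn: isoDate(purgeOn) });
    }
  }
  return { erase, retain };
}

// Constructed sample: a member who lapsed on 15 January 2020, with the request
// handled on 1 June 2024. Field values are placeholders; only the category
// names drive the decision.
const sampleRecord = {
  renewal_contact: { email: "former.member@example.com" },
  directory_profile: { listed: true },
  event_dietary_requirements: { note: "vegetarian" },
  insurance_claims: [{ ref: "CLM-0001" }],
  accounting: [{ invoice: "INV-2019-0042" }],
  disciplinary: [],
};

const sampleDecision = processErasureRequest(
  sampleRecord,
  new Date(Date.UTC(2020, 0, 15)),
  new Date(Date.UTC(2024, 5, 1))
);
console.log(JSON.stringify(sampleDecision, null, 2));
```

For the sample record this erases the renewal contact data (its 24 months ran out in January 2022), the directory profile and the dietary note, and retains insurance, accounting and disciplinary data with purge dates in 2026 and 2027. The returned structure doubles as the audit trail for the response you send the member.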

Membership Management Platforms as Data Processors

Wild Apricot, MemberSpace, Glue Up, Memberstack, and similar platforms are data processors under Article 28 of GDPR. Before using any platform:

  • Sign a Data Processing Agreement
  • Review the sub-processor list
  • Check data residency (transfers outside the UK/EEA require safeguards such as an adequacy decision, the UK IDTA, or EU SCCs with the UK Addendum)
  • Verify complete deletion capabilities for erasure requests, including backups and any copies held by sub-processors

Compliance Checklist

Small Associations

  • Privacy notice on website covering lawful basis, sharing, retention, and member rights
  • DPA signed with membership management platform
  • Cookie consent before analytics loads
  • Member directory opt-out available
  • DSAR process documented (one-month deadline, extendable by two further months for complex or numerous requests)
  • Retention schedule for lapsed members
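The "cookie consent before analytics loads" item is the one checklist entry that is purely a web-engineering matter, so here is an added example of how to gate a tag behind consent and how to audit a page for trackers that fired anyway. It is not code from the original post or from Custodia's scanner. Assumptions, all hypothetical: consent is stored in a cookie named cookie_consent whose value is URL-encoded JSON such as {"analytics":true,"marketing":false}; the tracker host list is a short illustrative one, not complete; and a tiny stand-in for document is constructed so the example runs outside a browser.

```javascript
// Added example, not from the original post: gate an analytics tag behind
// consent and audit a page for trackers loaded without it. The cookie name,
// its JSON format and the tracker host list are assumptions.

const CONSENT_COOKIE = "cookie_consent";

// Parse a document.cookie string ("a=1; b=2") into a name -> value map.
// A value with malformed percent-encoding is treated as absent.
function parseCookies(cookieString) {
  const cookies = {};
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (!name) continue;
    try {
      cookies[name] = decodeURIComponent(part.slice(eq + 1).trim());
    } catch {
      // bad encoding: leave this cookie out rather than guess
    }
  }
  return cookies;
}

// True only when the consent cookie exists, parses as a JSON object and
// explicitly grants analytics. Missing, malformed or false all mean "no".
function hasAnalyticsConsent(cookieString) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (raw === undefined) return false;
  try {
    const prefs = JSON.parse(raw);
    return prefs !== null && typeof prefs === "object" && prefs.analytics === true;
  } catch {
    return false;
  }
}

// Inject the analytics script only when consent is present. `doc` is the
// page's document (or a stand-in); returns true if a tag was added.
function loadAnalyticsIfConsented(doc, cookieString, scriptSrc) {
  if (!hasAnalyticsConsent(cookieString)) return false;
  const tag = doc.createElement("script");
  tag.src = scriptSrc;
  tag.async = true;
  doc.head.appendChild(tag);
  return true;
}

// Illustrative tracker hosts (assumption, not a complete list). Matching is
// on the hostname suffix so "notgoogle-analytics.com" is not flagged and
// "www.googletagmanager.com" is.
const TRACKER_HOSTS = ["googletagmanager.com", "google-analytics.com", "connect.facebook.net", "hotjar.com"];

function isTrackerHost(hostname) {
  return TRACKER_HOSTS.some((h) => hostname === h || hostname.endsWith("." + h));
}

// Audit: given the src of every script tag on the page, list known trackers
// that are present even though analytics consent has not been given.
function findTrackersLoadedWithoutConsent(scriptSrcs, cookieString) {
  if (hasAnalyticsConsent(cookieString)) return [];
  return scriptSrcs.filter((src) => {
    try {
      return isTrackerHost(new URL(src, "https://example.org/").hostname);
    } catch {
      return false; // unparseable src: not something we can attribute to a tracker
    }
  });
}

// Minimal stand-in for `document` so the example runs outside a browser.
function makeFakeDocument() {
  return {
    head: { children: [], appendChild(el) { this.children.push(el); } },
    createElement(tagName) { return { tagName }; },
  };
}

// Constructed demo values.
const NO_CONSENT = "session=abc123";
const WITH_CONSENT = "session=abc123; " + CONSENT_COOKIE + "=" +
  encodeURIComponent('{"analytics":true,"marketing":false}');
const pageScripts = ["https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE", "/static/app.js"];

const demoDoc = makeFakeDocument();
console.log("loaded without consent:", loadAnalyticsIfConsented(demoDoc, NO_CONSENT, "https://www.google-analytics.com/analytics.js"));
console.log("loaded with consent:", loadAnalyticsIfConsented(demoDoc, WITH_CONSENT, "https://www.google-analytics.com/analytics.js"));
console.log("trackers firing before consent:", findTrackersLoadedWithoutConsent(pageScripts, NO_CONSENT));
```

In a real page you would call loadAnalyticsIfConsented(document, document.cookie, ...) both on load and again from the consent banner's accept handler, and keep the analytics tag out of the static HTML entirely; the audit function is the check to run in the browser console (collecting the src of every script element) to confirm nothing fires before consent.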

Large Professional Bodies

All of the above, plus:

  • Record of Processing Activities (RoPA) under Article 30
  • Legitimate Interests Assessments documented
  • Article 10 compliance review for disciplinary data
  • DPAs with all benefit providers
  • Data breach response plan (notify the ICO within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals)
  • Consider whether a DPO is required under Article 37

Run a free compliance scan at app.custodia-privacy.com/scan to identify consent failures, unexpected trackers, and missing disclosures on your website. No signup required — results in 60 seconds.

This guide is for informational purposes and does not constitute legal advice.
