Before you read: Firefly Partners is a digital strategy agency. We are not lawyers. This blog post is based on our research but should not be considered legal advice.
If you’re a nonprofit marketing, database, or IT specialist you’ve definitely heard of GDPR. It stands for General Data Protection Regulation and it is legislation from the European Union (EU) designed to protect individuals’ personal data. GDPR goes into effect on May 25, 2018.
Even if you work at a U.S. nonprofit, keep in mind that there are some steps that U.S.-based organizations can or should take to comply with GDPR. It’s also worth understanding because the legislation marks a significant moment in the evolution of communication in the digital age, in which individuals are given more control over their personal data. This blog post will help you determine if GDPR is something your organization needs to think about and will provide suggestions for next steps you can take.
GDPR in a Nutshell
GDPR is a set of rules that give citizens of the EU more control over their personal information. GDPR requires companies and organizations to obtain consent from constituents and gives individuals the right to remove their personal information from a company or organization’s files. If you’re wondering what is included under the concept of personal data, it is best to consult the GDPR website directly: “It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”
Under the new GDPR laws, organizations must communicate clearly how EU citizens can go about withdrawing their consent from the organization. Once an organization has the data and the consent, it can’t change the purpose or use of that data. If there is a change to how an organization plans to use personal information, consent must be requested and given again.
Do You Need to Worry About GDPR if You Work at a U.S.-Based Nonprofit?
The answer is: Maybe. Organizations that have personal information of individuals living in the EU, and that want to continue to communicate with those people, need to get their consent to do so before GDPR takes effect on May 25, 2018.
Do you do direct targeting or marketing to EU citizens? Then the answer is more clearly yes. This includes having a website or ads that specifically target countries in the EU, either with an EU domain or language. Organizations that have a significant international profile may want to be more vigilant about GDPR compliance. There are specific rules to follow for data breaches and the audit process could result in expensive penalties if an organization is found out of compliance.
Even if You Think You’re Not Affected…
For small U.S.-based nonprofits without EU constituents, complying with GDPR could be the right move, even if you don’t get everything done by May 25. Being communicative and transparent with all your supporters about why you’re asking for their information, how you protect it, and what you’re planning to do with it can help establish your organization’s reputation as honest and trustworthy. You don’t have to panic about the deadline, but you might want to consider some of the actions GDPR compliance requires.
Next Steps if You Need Them
GDPR will change the way nonprofits collect information and how they build and use web and communication tools. Here are some of the specific actions that organizations are taking in order to comply, many of which could be best practices to adopt even if you have no EU citizens on your email list:
- Opt-in language – Email opt-in language must be accompanied by a check box or button, which cannot be pre-checked. Also, it must be clearly stated what you’re planning to do with the personal information you collect. GDPR requires that the request for consent be easy to understand and access, “using clear and plain language.” So you can’t bury your privacy policy in a hard-to-find place, or litter it with confusing terminology.
- IP Addresses – The goal of GDPR is to protect private information, so it makes sense that IP addresses are included. You can learn more about IP Anonymization in Google Analytics here.
- Cookies – The same goes for cookies, data from a website that is stored on a user’s computer. Investigate tools like Cookie Consent or Cookie Control that ask people for permission before putting cookies on their browser.
- Keep records – GDPR requires that organizations have clear proof of consent for EU constituents on their mailing lists.
- Talk to your vendors – Many nonprofits work with third-party vendors who have access to their data. It’s worth discussing their security policies with those companies.
- Find a point person – Managing GDPR compliance, even if you’re not rushing to do it before May 25, can be a big job. Think about your organization’s capacity to achieve some of these goals and have a plan for how to respond to any issues that may pop up.
- Discuss your specific situation with your lawyer – A lawyer is best positioned to make final recommendations about your organization’s data handling and compliance requirements.
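To make the opt-in, IP address, and record-keeping points above concrete, here is an added example (not Firefly Partners’ code) of a small consent ledger: each consent is stored with its purpose, the version of the opt-in wording the person saw, and a timestamp as proof; consent only counts for the purpose it was given for; it can be withdrawn; and the IP address is truncated before storage the way Google Analytics IP anonymization does. The class, field names, and the sample addresses (documentation ranges) are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address
from typing import List, Optional


def anonymize_ip(addr: str) -> str:
    """Zero the last IPv4 octet (or the last 80 bits of an IPv6 address)
    before storage, the truncation Google Analytics IP anonymization applies."""
    ip = ip_address(addr)
    if ip.version == 4:
        return str(ip_address(int(ip) & 0xFFFFFF00))
    return str(ip_address(int(ip) & ~((1 << 80) - 1)))


@dataclass
class ConsentRecord:
    email: str
    purpose: str            # what the person was told their data is used for
    policy_version: str     # which wording of the opt-in text they saw
    granted_at: datetime    # UTC timestamp: the proof of consent GDPR asks for
    source_ip: str          # anonymized before it is written down
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    """Hypothetical in-memory store; a real one would persist these records."""

    def __init__(self) -> None:
        self.records: List[ConsentRecord] = []

    def record(self, email: str, purpose: str, policy_version: str,
               source_ip: str) -> ConsentRecord:
        rec = ConsentRecord(email, purpose, policy_version,
                            datetime.now(timezone.utc), anonymize_ip(source_ip))
        self.records.append(rec)
        return rec

    def has_consent(self, email: str, purpose: str) -> bool:
        # Consent is bound to the purpose it was given for: a new use of the
        # data needs fresh consent, not a match on a record for another purpose.
        return any(r.email == email and r.purpose == purpose
                   and r.withdrawn_at is None for r in self.records)

    def withdraw(self, email: str) -> int:
        # Withdrawal keeps the records (they still prove consent existed) but
        # marks them so no future communication relies on them.
        now, count = datetime.now(timezone.utc), 0
        for r in self.records:
            if r.email == email and r.withdrawn_at is None:
                r.withdrawn_at, count = now, count + 1
        return count
```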
It’s worth thinking about GDPR as more than just a set of complicated rules and regulations, and to see it instead as an opportunity to strengthen data and communication strategies. As your nonprofit thinks about future projects, such as custom donation forms, website redesigns, or Google Analytics tracking, Firefly Partners can help make sure you’re lining up with the essential goal of GDPR: giving individuals the right to control their personal data.