General Data Protection Regulation (GDPR) for US Nonprofits


GDPR, which went into effect on May 25, 2018, is a topic that is going to continue to come up in the news this year now that policies have gone into effect in the European Union. Also known as the General Data Protection Regulation, GDPR is a standardized set of rules and expectations for how the data of EU citizens should be handled. Violations of these regulations can come with a fine of up to €20 million or 4% of the worldwide annual revenue of the violator’s prior fiscal year — whichever is higher.
For those wondering why now, the simplest answer is that the protection and privacy of our global data has essentially been a wild west. GDPR was passed on April 14, 2016, thereby replacing the 1995 Data Protection Directive — adopted in a much different time when it came to what information we “gave” to the Internet. As such, the pendulum of data protection history is finally starting to swing back toward protecting individuals versus corporations and Big Internet.
So why do we need to care here in the United States? And how does this apply to nonprofits? The purpose of this resource is not to report the details of how and why the GDPR is imposing these rules. Instead, this is a focused resource to give you a base level understanding of the policy itself, along with clear action steps that any US nonprofit should take.
But first, a disclaimer: This topic is loaded with rabbit holes, and it is important to note that this is not legal advice. We are not lawyers, and this is not meant as a substitute for legal advice.
Okay, let’s go…

Does GDPR apply to U.S. nonprofits?

Odds are high that yes, GDPR applies to a U.S. nonprofit.
There are a ton of other rules that you could go through, but the broadest test is this: If your nonprofit has a public website that receives traffic from one of the EU member states and uses Google Analytics or any other type of cookie tracking, you are responsible for adhering to GDPR policy. Another good litmus test: If your nonprofit has donors based in the EU, then GDPR also applies to your nonprofit.

The 8 principles of GDPR

So what are the regulations behind GDPR? They’re broken down into 8 major principles:

1. The right to access

This means that individuals have the right to request access to their personal data and to ask how their data is used by an organization after it has been gathered. The company must provide a copy of the personal data, free of charge, and in electronic format if requested.

2. The right to be forgotten

If consumers are no longer customers, or if they withdraw their consent from a company to use their personal data, then they have the right to have their data deleted.

3. The right to data portability

Individuals have a right to transfer their data from one service provider to another. And it must happen in a commonly used and machine-readable format.

4. The right to be informed

This covers any gathering of data by companies: individuals must be informed before data is gathered. Consumers have to opt in for their data to be gathered, and consent must be freely given rather than implied.

5. The right to have information corrected

This ensures that individuals can have their data updated if it is out of date, incomplete, or incorrect.

6. The right to restrict processing

Individuals can request that their data not be used for processing. Their record can remain in place, but not be used.

7. The right to object

This includes the right of individuals to stop the processing of their data for direct marketing. There are no exemptions to this rule, and any processing must stop as soon as the request is received. In addition, this right must be made clear to individuals at the very start of any communication.

8. The right to be notified

If there has been a data breach that compromises an individual’s personal data, the individual has a right to be informed within 72 hours of the organization first becoming aware of the breach.

We’re past May 25, so what happens now?

The internet isn’t ending. There will be a shake-out period where the legal jargon will meet with real-world practice. Decide how at-risk your organization is based on EU proximity and funding dependence.
Watch how major international nonprofits like TechSoup Global, Amnesty International, or Greenpeace (ones with high visibility among EU citizens, large budgets, and name value) proceed. It might also take some time before the European Union’s regulatory process begins to scrutinize many US organizations. Based on a report by Reuters, most regulators do not feel ready for these new privacy laws.
At Whole Whale, we’re excited about the changes that will come into effect through GDPR as we believe this is a great opportunity to update your privacy policies and protect your users for the right reasons. See below for a podcast that goes more in-depth on this with Lucy Bernholz, Director of the Digital Civil Society Lab at Stanford PACS.

Using the Whole Whale, Episode 093: All about GDPR with the Stanford Center on Philanthropy and Civil Society.

We’ll continue to stay on top of changes and decisions that will impact the sector’s work.

GDPR: What to do next

  1. Appoint an internal GDPR captain (Data Controller) so that there is distinct ownership over compliance. While everyone will have a hand in following new policy, there also needs to be someone who “owns” it on the whole. We recommend taking HubSpot’s free GDPR course to have a full understanding of the policy and what the role of a data controller is.
  2. Audit your data. Perform a data audit and inventory with This can be done in a few minutes with the right people in the room. From this audit, identify all of your organization’s data processors and request their updated GDPR policies.
  3. Understand the risk. Your new GDPR captain (Data Controller) should then review the EU Information Commissioner’s Office (ICO) official GDPR checklist with an eye to what areas will be the most sensitive for your organization. Create a risk assessment of your inventory to better understand the level of investment needed and create.
  4. Talk to a lawyer. Try to find a pro-bono lawyer to join your board (legal fees can add up). Ask about whether you need to add or update a cookie disclaimer, especially if your website targets EU citizens. For example, nonprofits like Amnesty International have a popup statement on cookies. As of this writing,, which focuses on US volunteering and therefore doesn’t target EU citizens, does not.
  5. Update your privacy policy with your lawyer’s input. Need inspiration? Check out Amnesty International’s clear and comprehensive privacy and cookie policy.
  6. Prevention and protection. Most of your prep for GDPR will probably be a reactive activity meant to cover legal threats based on the organization’s conduct. Whole Whale created a Cybersecurity Course that will help everyone on your staff build tech capacity and help safeguard against attacks that lead to the most common data breaches.

Whole Whale University: Understanding and Improving Cybersecurity for Nonprofits

Email Marketing and GDPR

Email is another area that will be especially relevant to GDPR compliance. Audit your list with the following question in mind: Did your subscribers give GDPR-level consent when signing up for your email list, and do you have a record of this in your CRM?
If the answer is no or unclear, one option is to run a re-permission campaign. This is when an organization emails their full list asking users to resubscribe — if a subscriber does not confirm their desire to receive emails, they’re removed. This is the most extreme case of email compliance with GDPR as it can drastically reduce the number of email subscribers, especially those who may want to continue receiving emails but don’t open their email or read carefully.
Other organizations in recent months have simply sent subscribers an alert about updated privacy policies with a reminder about opting out through standard methods. In this case, these groups know there was a double opt-in and that best practice email policies were already in place. This is our recommended path if your organization is choosing to email subscribers regarding GDPR compliance.

Moving forward, your email marketing strategies should include:

Your GDPR-compliant email signups should include a required checkbox to opt in. Do not let it be pre-filled.

Some of our favorite GDPR Resources