This post was originally posted in May 2018. The last update was made in August 2019.
The GDPR (General Data Protection Regulation) is a European-wide law, introduced in May of 2018, that places greater obligations on how organizations handle personal data.
One year later, around half of small businesses are failing GDPR compliance on two crucial requirements:
- Describing data processing activities in clear, plain language to data subjects
- Identifing a lawful basis for using someone’s data
If you are one of millions of organizations on failing to comply, you could face a pretty hefty fine. The good news is, we've done the research and will walk you through some basics so you can ensure your organization is compliant.
What Is the GDPR?
The GDPR was designed to regulate data collection and protect the privacy of individuals across the European Union, Iceland, Liechtenstein or Norway (EEA). It makes organizations accountable for personal data protection by placing the burden of proof on organizations when it relates to whether, how and how well they protect personal data.
These laws apply not only to EU-based organizations, but to all organizations that have customers, contacts, or users in the EU. This means that these new laws affect all of us.
What Is Considered "Personal Data"?
“The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.”
- Location Data
- Identification Number
“Any online identifier related to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
So in short, pretty much anything is personal data.
How It Can Affect Your Organization
If you do business in Europe or collect data from EU citizens, then the GDPR does affect you. Some examples of this might be if your organization:
- Has people from the EU on your email lists or in your supporter database
- Has signup forms that allow users to specify that they’re from another country or enter a non-US or Canadian address
- Has donation forms that allow people to donate from another country or in a European currency
- Has volunteer or donor databases with contact information
These regulatiosn are so important that according to GDPR.eu, over half of small businesess/organizations report spending between €1,000 and €50,000 on GDPR compliance, including consultants and technology. Yet despite these costs, most said they did not believe the GDPR would slow the growth of their business/organization.
What Can You Do To Ensure Compliance
Ensure all opt-in forms are GDPR compliant
GDPR says consent to use a person’s data in any way (including contacting them) must be “freely given, specific, informed, and unambiguous.” Users need to actively opt-in to receive communications from your organization. One example of this would be the option to select a checkbox or click a radio button. Avoid pre-ticked opt-outs.
Be ready to erase data when asked to
Privacy is top of mind these days, so it is important that your organization is ready and able to fulfill a request to be forgotten. This right is also known as the right to erasure, which covers the part of the GDPR that considers data protection and storage.
While you may have consent to obtain and store personal information, people have the right to have that data erased. This however, isn't a black and white rule. Both the person and the organization have rights that must be considered before any action is taken.
For example, if the data is no longer necessary for the purpose the organization originally collected for, the person has the right to have their personal data erased upon verbal or written request. On the contrary, the organization may deny the request or request a nominal fee to do so if the data serves public interest (and a long list of other reasons).
Be ready by keeping the following in mind:
- Know how and where personal data is stored by creating a checklist of personal data storage locations (ie. a CRM, hard-copy files, email lists)
- Discuss and make decisions as a team as to how to assess when requests to be forgotten can be processed and when they can be denied
- Appoint a person to be responsible for ensuring the data erasure is done in a timely manner and the person has received confirmation
Have different opt-in options for US and EU citizens:
- Clients may not want to reduce opt-in rates for US citizens by forcing them to go through GDPR-compliant opt-ins
- Offer unique opt-ins using IP addresses
Optimize EU opt-in formats:
- Use Yes/No radio buttons
- User testing shows higher levels of form completion when Yes/No radio buttons are used over un-ticked checkboxes
Reach out to CRM providers
Contacting your CRM provider will be helpful to better understand how user’s data is being stored and what changes you'll need to make to become GDPR compliant:
- Organizations will be required to provide stored records of consent detailing when consent was given and how the data will be used
- Consent is now time-bound, so a best practice is to refresh lists every two years. Individuals must be able to have their data deleted which means that all CRMs must have the capacity to delete data permanently
- Subscribers need to be able to delete specific pieces of their stored info at any time (i.e. only their email, only their phone number, etc.)
Revise the way things are done
Update your development process and workflow to better manage and ensure privacy:
Conduct comprehensive Privacy Impact Assessments (PIAs) at the beginning of projects. These are documents where you “discuss, audit, inventory, and mitigate the privacy risks inherent in the data you collect and process.”
Re-opt-in your supporters, even a year past the deadline
With GDPR in full effect, your organization is only permitted to contact EU citizens on your lists who have given consent in a GDPR-compliant format. Most EU organizations have lost 30-70% of their subscriber lists as soon as the GDPR took effect. So, if you missed the May 25, 2018 deadline, there is still hope to get your subscribers back.
If you weren't able to ask your subscribers to re-opt-in by the deadline and you are still communicating with them without their revised consent, it may be time to clean up your list to avoid being fined. It's not too late.
Once you have cleaned up your list, you can start getting your supporters back. One effective way to do this is to offer engaging and useful content. Providing value to your supporters will encourage them to re-subscribe to your newsletter and give you their email and permission to contact them in exchange for a useful tool or resource. Save time and resources by starting with a content audit and repurpose with what you already have.
The best practice to ensure all the boxes are ticked is to perform an audit. This will help ensure that you have a high-level view of where your organization stands and what needs to be done. We all know how busy things are in the world of social impact. So if you need a hand, we're here for you!
Briteweb offers GDPR Privacy Impact Assessments to help gauge the overall impact of GDPR on your organization. This includes an assessment of your website(s) and third-party platforms to:
- Determine elements of your data-collection practices that are not compliant
- Provide recommendations for becoming compliant, including which pieces you can do on your own, which pieces Briteweb can help you with, and which pieces might require legal help
If you're interested in our support to become GDPR compliant (or simply want to learn more about what GDPR means for you), let us know by contacting us.