As many of you know, GDPR is coming on May 25, and lots of people are still preparing for the new privacy laws, and I wanted to write a blog post specifically addressed to nonprofit leaders who feel like they need more background on what GDPR means for them. So, what follows are the top twelve things that nonprofits need to know in order to be prepared for GDPR:
- First, GDPR is all about “data protection,” which means that it applies to any “personal data” that you collect on your website OR by other means. If you maintain an email list, a list of donors, or a any other type of personal data, GDPR applies to you.
- Second, the penalties (from the European Union) apply to nonprofits as well as private companies, and they are very steep: 4% of global revenue or €20m euros, whichever is greater. There is no nonprofit exemption for this.
- Third, GDPR is a European law, but it is written in such a way that it can apply to any organizations that collect data on EU citizens, which is why I recommend speaking to your own legal counsel.
- Fourth, it is quite possible that the United States (for example, this ballot initiative in California) will follow the EU and issue similar rules, so complying with GDPR may simply keep you ahead of US-based privacy laws.
- Fifth, you need to know what is “defined” as personal data, and there are 9 important things:
- Social Security numbers
- Email addresses
- Banking information
- Social media posts
- Medical information
- IP addresses, and in some cases other website data like “cookies”
- Practically speaking, this means several things for nonprofits — the first of which is that you need to obtain consent from individuals when collecting data. In other words, you’ll need to add extra checkboxes to your website forms, for one thing.
- The second legal requirement is that you can’t collect excessive data from individuals — for example, you can’t require that someone provide you with a phone number in order to allow them to download a PDF white paper, or to give you their marital status when making a donation.
- The third legal requirement is that you cam’t keep data longer than necessary. This means that you are supposed to delete data after you use it. One practical implication of this is that many companies are adding a checkbox on their forms that allow visitors to indicate whether they want their data to be stored longterm.
- The fourth requirement is that consent must be “proactive” — you can’t have a checkbox that is defaulted to “Yes.” For instance, a donor must actively check . box that says something like, “Yes, I agree…”
- The sixth requirement is that there must be a process in place for individuals to request that all of their personal data be deleted at any point within 30 days. To me, this is essentially a much more formal “unsubscribe” or “do not contact” process.
- Furthermore, organizations must have a plan for dealing with data breaches, which involves contacting the appropriate authorities within 72 hours.
In my opinion, these twelve points above are the most important things to know about GDPR if you are a nonprofit leader, but I do recommend speaking to a legal counsel before making changes or decisions on how you want to proceed with compliance, but hopefully this will help you understand your options in the coming weeks.
We created Royku to train marketers in data-driven marketing.