Editor’s Note: As Europe prepares for the General Data Protection Regulations (GDPR) that take effect later this month, American nonprofits are wondering how the rules might affect them. Our friends at Beaconfire RED recently published a series of blog posts addressing that very question, and they generously agreed to let us republish the first post, written by Lynn Labieniec, here. At the end, you’ll find additional resources as well as a link to the Beaconfire RED site where you can read the next posts in the series.
Do you have European constituents in your databases? If so, there are new laws that may apply to your organization called the GDPR or General Data Protection Regulations. And if you think they don’t apply to you because yours is a U.S.-based organization, keep reading because they do.
Before we dive into what GDPR is all about, let me point out that I am not a lawyer. My interpretation of GDPR should be considered with that in mind. That said, much of what is outlined here jibes with what we’re hearing from various experts.
What is GDPR?
The General Data Protection Regulations (GDPR) are laws designed to make sure people have control over their personal information and what it is being used for. The laws cover how people are informed of how the data is used, how they consent to its use (or limit use), the right to “be forgotten,” to export their data, and to seek damages if they suffer from misuse or breach of their data. It means that organizations need to receive explicit permission to store personal data, store it responsibly, and be transparent about how they are storing it.
What qualifies as “personal information”?
- Email addresses
- IP addresses
- Identification numbers
- Biometric identifiers (fingerprints, iris patterns, DNA)
- Physical or physiological attributes
- Medical/health information
- Website cookies
Who does this affect?
GDPR will affect any organization that:
- Collects personal data or behavioral information from a citizen of the European Union (EU) for any purpose, whether that be membership, advocacy, fundraising, programs, marketing or even HR if you have EU employees;
- Targets a person in an EU country – e.g., marketing in their language and references specific to EU residents;
- Accepts currency of an EU country;
- Has a domain suffix of an EU country.
Who is not affected?
- Organizations who do generic marketing that an EU citizen randomly happens to see (e.g., an online ad or a website they come across using a search engine) – so you’re not deliberately targeting them…
- English-language web sites or ads written for U.S. consumers or B2B customers that an EU citizen sees
What happens if you can’t meet the deadline?
- Fines up to 20M Euro or 4 percent of global annual revenue
When does this go into effect?
- May 25, 2018
How will the laws be governed?
It’s our understanding that an organization could be audited. I do not know what the likelihood or basis for the audit would be – but I imagine something like a high incidence of consumer complaints could kick one off. It would also be a reasonable expectation that high-profile companies and NGOs could be on the auditor’s radar.
What do we do now?
Due to the potential for serious fines and penalties, we recommend that all organizations – even those that are U.S.-based and deliver services only in the U.S. – conduct an assessment of their own data processes to identify whether GDPR applies to them.
The first step is to determine whether someone in your organization has the responsibility for data protection (e.g., CIO). If so, touch base with them and see if this is on their radar and what their plan is. If there is no one specifically responsible for data protection at your organization, reach out to senior leadership and make sure that GDPR is on their radar. These new regulations go into effect in only a few months, so time is of the essence.
The next step is to do an assessment of what you have today and how well it’s meeting the GDPR regulations:
- Data (what do we have, where is it, who has access to it, etc.)
- Security (how are the databases protected, what are our procedures, etc.)
- Contracts (with third-party vendors who have access to or process the data)
- Privacy policies
- Cookie policies
Once you have your arms around what you have now and where you are not meeting GDPR regulations, you can make a plan for what needs to change.
Want to learn more?
We’ve broken down what GDPR means for your website and digital marketing in two other blog posts. (For example, the do’s and don’ts of consent, GDPR and cookies, and what this all means for analytics.) You can also watch the recording of the webinar we held to explore these topics in more depth.
As you seek more information on GDPR and how it applies to your organization, here are some third-party resources that I have found particularly useful. Don’t forget that your senior leadership, legal counsel, and the person responsible for data security are important internal resources to help you plan for and comply with GDPR.
- Guide to General Data Protection Regulation (GDPR) created by the Information Commissioner’s Office, an independent authority in the UK
- European Union official articles
- Microsoft White Paper
- Institute of Fundraising GDPR Spotlight on Fundraising
Articles with advice & guidance:
- What is the GDPR? And What Does it Mean for the Marketing Industry? Written by HubSpot, https://blog.hubspot.com/marketing/what-is-the-gdpr
- Nonprofit Times article
- Direct Marketing Association UK articles
- GDPR Consent or legitimate interest? Email marketers need both
- Collection of other articles: https://dma.org.uk/gdpr
- Sample Internal Briefing document from MobLab, shared by Ted Fickes – http://moblab.io/gdpr