General Data Protection Regulation


GDPR: What You Need To Know

Briteweb May 18, 2018

You might have heard of the GDPR (General Data Protection Regulation), a new European-wide law that places greater obligations on how organizations handle personal data. As with any regulation, understanding how it applies to you can be challenging. The good news is, we’ve done the research and will walk you through some basics so you can be prepared when the GDPR comes into effect on May 25, 2018.

What Is the GDPR?

The GDPR was designed to regulate data collection and protect the privacy of individuals across the European Union, Iceland, Liechtenstein or Norway (EEA). It makes organizations accountable for personal data protection by placing the burden of proof on organizations when it relates to whether, how and how well they protect personal data.

These laws apply not only to EU-based organizations, but to all organizations that have customers, contacts, or users in the EU. This means that these new laws affect all of us, and if your organization is not compliant by this date, you run the risk of being fined up to €20 million.

What Is Considered “Personal Data”?

“The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.”

This includes:

  • Name
  • Address
  • Location Data
  • Identification Number

“Any online identifier related to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

So in short, pretty much anything is personal data.

How It Can Affect Your Organization

If you do business in Europe or collect data from EU citizens, then the GDPR does affect you. Some examples of this might be if your organization:

  • Has people from the EU on your email lists or in your supporter database
  • Has signup forms that allow users to specify that they’re from another country or enter a non-US or Canadian address
  • Has donation forms that allow people to donate from another country or in a European currency
  • Has volunteer databases with contact information

What Can You Do To Prepare?

Ensure all opt-in forms are GDPR compliant

GDPR says consent to use a person’s data in any way (including contacting them) must be “freely given, specific, informed, and unambiguous.” Users need to actively opt-in to receive communications from your organization. One example of this would be the option to select a checkbox or click a radio button. Avoid pre-ticked opt-outs.

Get explicit consent for all of the different ways you plan to use someone’s personal data. This includes asks being communicated differently, having separate opt-in checkboxes for email, SMS, Facebook ads, or telephone and linking out to an updated Privacy Policy and Terms of Service that explicitly state how data will be used.

Optimize opt-ins

Have different opt-in options for US and EU citizens:

  • Clients may not want to reduce opt-in rates for US citizens by forcing them to go through GDPR-compliant opt-ins
  • Offer unique opt-ins using IP addresses

Optimize EU opt-in formats:

  • Use Yes/No radio buttons
  • User testing shows higher levels of form completion when Yes/No radio buttons are used over un-ticked checkboxes

Re-opt in any EU supporters before the May 25th deadline

Once GDPR comes into force, your organization will only be able to contact EU citizens on their list who have given consent in a GDPR-compliant format. Reach out to subscribers before the May 25th deadline and ask them to re-opt in. In the EU, organizations are expecting to lose 30-70% of their subscriber lists as soon as the GDPR takes effect. The sooner you have your contacts re-opt in, the more subscribers you’re likely to be able to keep.

Reach out to CRM providers

Contacting your CRM provider will be helpful to better understand how user’s data is being stored and what changes you’ll need to make to become GDPR compliant:

  • Organizations will be required to provide stored records of consent detailing when consent was given and how the data will be used
  • Consent is now time-bound, so a best practice is to refresh lists every two years.  Individuals must be able to have their data deleted which means that all CRMs must have the capacity to delete data permanently
  • Subscribers need to be able to delete specific pieces of their stored info at any time (i.e. only their email, only their phone number, etc.)

Revise the way things are done

Update your development process and workflow to better manage and ensure privacy:

Adhere to the Privacy by Design Framework and apply a procedural reminder to build the “7 user privacy principles” into the development of a product or tool.

Conduct comprehensive Privacy Impact Assessments (PIAs) at the beginning of projects. These are documents where you “discuss, audit, inventory, and mitigate the privacy risks inherent in the data you collect and process.”

Where To Start

The best practice to ensure all the boxes are ticked before the deadline is to perform an audit. This will help ensure that you have a high-level view of where your organization stands and what needs to be done. But time is ticking and we all know how busy things are in the world of social impact. So if you need a hand, we’re here for you!

Briteweb is offering GDPR Privacy Impact Assessments to help gauge the overall impact of GDPR on your organization. This includes an assessment of your website(s) and third-party platforms to:

  • Determine elements of your data-collection practices that are not compliant
  • Provide recommendations for becoming compliant, including which pieces you can do on your own, which pieces Briteweb can help you with, and which pieces might require legal help

If you’re interested in our support to become GDPR compliant (or simply want to learn more about what GDPR means for you), let us know by contacting us.

What's New