GDPR Compliance: What You Need To Know

The GDPR (General Data Protection Regulation) is a European-wide law, introduced in May of 2018, that places greater obligations on how organizations handle personal data.

One year later, around half of small businesses are failing GDPR compliance on two crucial requirements:

If you are one of millions of organizations failing to comply, you could face a pretty hefty fine. The good news is, we’ve done the research and will walk you through some basics so you can ensure your organization is compliant.

The GDPR was designed to regulate data collection and protect the privacy of individuals across the European Union, Iceland, Liechtenstein or Norway (EEA). It makes organizations accountable for personal data protection by placing the burden of proof on organizations when it relates to whether, how and how well they protect personal data.

These laws apply not only to EU-based organizations, but to all organizations that have customers, contacts, or users in the EU. This means that these new laws affect all of us.

“The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.”

This includes:

So in short, pretty much anything is personal data.

If you do business in Europe or collect data from EU citizens, then the GDPR does affect you. Some examples of this might be if your organization:

These regulations are so important that according to GDPR.eu, over half of small businesses/organizations report spending between €1,000 and €50,000 on GDPR compliance, including consultants and technology. Yet despite these costs, most said they did not believe the GDPR would slow the growth of their business/organization.

GDPR says consent to use a person’s data in any way (including contacting them) must be “freely given, specific, informed, and unambiguous.” Users need to actively opt-in to receive communications from your organization. One example of this would be the option to select a checkbox or click a radio button. Avoid pre-ticked opt-outs.

Get explicit consent for all of the different ways you plan to use someone’s personal data. This includes asks being communicated differently, having separate opt-in checkboxes for email, SMS, Facebook ads, or telephone and linking out to an updated Privacy Policy and Terms of Service that explicitly state how data will be used.

Privacy is top of mind these days, so it is important that your organization is ready and able to fulfill a request to be forgotten. This right is also known as the right to erasure, which covers the part of the GDPR that considers data protection and storage.

While you may have consent to obtain and store personal information, people have the right to have that data erased. This however, isn’t a black and white rule. Both the person and the organization have rights that must be considered before any action is taken.

For example, if the data is no longer necessary for the purpose the organization originally collected for, the person has the right to have their personal data erased upon verbal or written request. On the contrary, the organization may deny the request or request a nominal fee to do so if the data serves public interest (and a long list of other reasons).

Be ready by keeping the following in mind:

Have different opt-in options for US and EU citizens:

Optimize EU opt-in formats:

Contacting your CRM provider will be helpful to better understand how user’s data is being stored and what changes you’ll need to make to become GDPR compliant:

Update your development process and workflow to better manage and ensure privacy:

Adhere to the Privacy by Design Framework and apply a procedural reminder to build the “7 user privacy principles” into the development of a product or tool.

Conduct comprehensive Privacy Impact Assessments (PIAs) at the beginning of projects. These are documents where you “discuss, audit, inventory, and mitigate the privacy risks inherent in the data you collect and process.”

With GDPR in full effect, your organization is only permitted to contact EU citizens on your lists who have given consent in a GDPR-compliant format. Most EU organizations have lost 30-70% of their subscriber lists as soon as the GDPR took effect. So, if you missed the May 25, 2018 deadline, there is still hope to get your subscribers back.

If you weren’t able to ask your subscribers to re-opt-in by the deadline and you are still communicating with them without their revised consent, it may be time to clean up your list to avoid being fined. It’s not too late.

Once you have cleaned up your list, you can start getting your supporters back. One effective way to do this is to offer engaging and useful content. Providing value to your supporters will encourage them to re-subscribe to your newsletter and give you their email and permission to contact them in exchange for a useful tool or resource. Save time and resources by starting with a content audit and repurpose with what you already have.

The best practice to ensure all the boxes are ticked is to perform an audit. This will help ensure that you have a high-level view of where your organization stands and what needs to be done. We all know how busy things are in the world of social impact. So if you need a hand, we’re here for you!

Briteweb offers GDPR Privacy Impact Assessments to help gauge the overall impact of GDPR on your organization. This includes an assessment of your website(s) and third-party platforms to:

If you’re interested in our support to become GDPR compliant (or simply want to learn more about what GDPR means for you), let us know by contacting us.