The GDPR is a set of directives for protecting the privacy of personal information that was recently enacted into law by the European Commission, and which will go into effect on May 25th, 2018. The law applies to all citizens of the European Union – and, by extension, to any organization that interacts with citizens of the EU in any way. So if you could somehow be completely certain that none of your past constituents or website visitors were EU citizens, and prevent EU citizens from accessing any of your on-line resources going forward, you might not technically be subject to GDPR enforcement. But since that kind of exclusion is effectively impossible to either implement or demonstrate, it’s a fair assumption that pretty much every organization is now subject to GDPR requirements.
To be fully compliant with the GDPR, you can no longer track any data about constituents, visitors to your website, or anyone else without their explicit, opt-in consent for the specific things you intend to do with their data. That is, you have to explicitly spell out exactly what information you are collecting, what you intend to do with the information you collect, and get explicit, granular consent to do that from everyone you are collecting data from. Examples of things you might do with personal information (and which you’ll need to explicitly tell your constituents/site visitors that you are doing to be compliant with GDPR) are:
- Retain names, emails, phone numbers, and event participation records in a CRM to keep track of how people have interacted with your organization over time
- Store names and emails in a tool like MailChimp, and use them to send periodic emails containing updates on your organization’s work
- Store names and addresses for the purpose of sending out periodic newsletters, and/or end-of-year donation summaries
- Retain giving history information to keep track of regular donors, and provide periodic reminders to donate to folks who haven’t donated in a while.
What all of this means, in practical terms, is:
- If there is any tracking code on your website (such as Google Analytics) that tracks visitors' IP addresses, you either have to remove that tracking, or put an advisory on your website that tells visitors that their activity is being tracked and the purpose for which it is being tracked, and which compels them to click some sort of acknowledgement button before proceeding.
- All of your webforms need to be made explicitly opt-in, such that if someone fills out any of your forms, but does not check a box explicitly asking to be added to a mailing list, none of their personal information will be retained. You will also likely need to add language to all of your forms telling people why you are collecting the information being requested, and what you are going to do with it.
- Perhaps the most unpleasant effect of GDPR is that if you have a constituent database that contains information on people who did not originally give their full opt-in consent for you to use their data for specific purposes, you are technically obligated to go back and either secure affirmative consent from all the people who haven't given it to you, or promptly remove all information associated with people who don't have affirmative consent records on file.
To make these guidelines more concrete, here are a few examples of how you might change a website to make it compliant:
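One way a form handler can enforce the opt-in and purpose-specific consent described above, as an added example rather than code from Tech Impact or the original page. The field names, checkbox names and purpose wording are assumptions for illustration.

```javascript
// Added example (not Tech Impact's code): purpose-specific opt-in handling
// for a website form, plus field-level cleanup when consent is withdrawn.
// Field and checkbox names below are assumed, not taken from any real form.

// Each purpose the form spells out, and the personal data that purpose needs.
const PURPOSES = {
  newsletter: { fields: ['name', 'email'],
                text: 'Send you periodic email updates about our work' },
  crm:        { fields: ['name', 'email', 'phone'],
                text: 'Keep a record of how you have interacted with us' },
};

// Fields a set of granted purposes is allowed to keep; anything else is dropped.
function allowedFields(purposes) {
  return new Set(purposes.flatMap(p => PURPOSES[p].fields));
}

// Turn a raw form post into a stored record. Each purpose has its own
// checkbox; unchecked purposes keep nothing, and with no box checked the
// personal data is not retained at all.
function processSubmission(form, now = new Date()) {
  const granted = Object.keys(PURPOSES).filter(p => form[`consent_${p}`] === 'on');
  if (granted.length === 0) return { retained: null, consents: [] };
  const retained = {};
  for (const f of allowedFields(granted)) if (form[f]) retained[f] = form[f];
  // Consent log: which purpose, the exact wording shown, and when it was given.
  const consents = granted.map(p => ({
    purpose: p, statement: PURPOSES[p].text, grantedAt: now.toISOString(),
  }));
  return { retained, consents };
}

// Withdraw one purpose: keep only the fields still needed by the remaining
// purposes; withdrawing the last purpose erases the record entirely.
function withdrawConsent(record, purpose) {
  const remaining = record.consents.filter(c => c.purpose !== purpose);
  if (remaining.length === 0) return { retained: null, consents: [] };
  const keep = allowedFields(remaining.map(c => c.purpose));
  const retained = Object.fromEntries(
    Object.entries(record.retained).filter(([f]) => keep.has(f)));
  return { retained, consents: remaining };
}
```

The same purpose table can drive the wording shown next to each checkbox, so the consent statement logged is exactly the one the visitor saw.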
There's a lot more in the GDPR than what we’ve mentioned above, including mandates to provide access to and/or delete all data you’ve collected on someone upon request, but we’ve tried to call out the biggest changes you'll likely have to make in the short term. You can set up a time to talk through specific questions with Tech Impact’s Security Team by using this link.