So much has happened this week in terms of privacy rules and regulations!
If your inbox is anything like mine, it has been inundated and overflowing with businesses and organizations sending updated privacy policies, in order to comply with GDPR, which goes into effect today.
In this video, I briefly cover GDPR, what it is, and the implications for nonprofit marketers and fundraisers around the world, even if you aren’t located in the UK.
The Information Commissioner’s Office in the UK is the best resource for up-to-date info on GDPR.
The ICO is the UK’s independent authority, “set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.”
What is GDPR?
The General Data Protection Regulation (GDPR) is a new, Europe-wide law that replaces the Data Protection Act 1998 in the UK.
It is part of the wider package of reform to the data protection landscape that includes the Data Protection Bill.
The GDPR sets out requirements for how businesses, companies, and nonprofits will need to handle “personal information” going forward, and it goes into effect today (May 25).
What qualifies as “personal information”?
The ICO lists “personal information” as the following:
- Email addresses
- IP addresses
- Identification numbers
- Biometric identifiers (fingerprints, iris patterns, DNA)
- Physical or physiological attributes
- Medical/health information
- Website cookies
To break it down in simple terms, the GDPR stipulates that a person must explicitly agree to be put on your promotional email list.
Just because they attended an event, made a donation, signed a petition, or downloaded a white paper – that is NOT enough to qualify as consent to email.
This also applies to your CURRENT email subscribers and database, not just future subscribers.
Hence all of those emails asking you to opt-in again, and the widespread changes to privacy policies.
What the GDPR is not
In my research for this video, I kept finding articles that would terrify any well-meaning but small nonprofit who wants to comply with GDPR – fines of 10 million Euros, 2% of annual revenue, etc.
However, as the ICO has repeatedly said, this law is not about fines.
It’s about putting the consumer and citizen first.
“Issuing fines has always been and will continue to be, a last resort.”
Is it time to panic?
I am in the court of opinion that the GDPR is a good thing.
It is about putting consumers and citizens FIRST.
It means we will have more control over our information and personal data.
It also means that as marketers, we will spend less time shouting into the void at people who have no real interest in our work.
I completely agree with Seth Godin’s take on this (shocking, I know):
“Talk to people who want to be talked to.
Market to people who want to be marketed to.
Because anticipated, personal and relevant messages will always outperform spam.
And spam is in the eye of the recipient.”
What can nonprofits do?
Check with your legal counsel first and foremost!
There are a few other things that your nonprofit can do to ensure that you are compliant:
Ultimately, to be added to your email list, a person must specifically and affirmatively agree to be added to your list.
You may not automatically add them just because they downloaded a paper, attended a webinar, signed a petition, or even made a donation.
As always, we have to sell people on the value provided by being on our email list, and then get their consent. (This was a best practice way before GDPR.)
The new consent standard applies to your EXISTING list. As of today, you cannot email your existing contacts who live in the UK who have not given explicit consent.
The ICO recommends that “the information you supply about the processing of personal data must be:
- concise, transparent, intelligible and easily accessible;
- written in clear and plain language, particularly if addressed to a child; and
- free of charge.”
Don’t use legal jargon. Write in plain English that a fourth grader could understand.
Wired Impact suggests including the following pieces of information:
- What information are you collecting from visitors?
- Can this information be used to identify individuals or is it aggregated and anonymous?
- How will you use this information?
- Who will be able to access this information?
- Will you share this information with any other parties?
- How will you protect their information?
- How will you notify visitors of changes to your policies?
Resources for Writing Privacy Policies
Nonprofit example generously shared from Second Story (thanks Abigail!)
Nonprofit example from World Pulse
12 Steps to Prepare for the GDPR – ICO
Of course, I am not a lawyer and I am not qualified to give out legal advice.
However, I am a passionate permission marketing evangelist. If you have questions about GDPR or nonprofit marketing, be sure to join the private nonprofit Facebook Group!
Thanks for this. Since the UK is no longer part of the EU, is the ICO in the UK still the best place to go for GDPR information?
Also, how do we go about setting up a system asking people to re-opt in to our email list, and how do we set our system up to get explicit permission from people we would like to add to our list or those who choose to subscribe when they visit our website?
ICO is the best place, since Brexit doesn’t go into effect until 2019. How you choose to get people to re-opt-in depends on your brand strategy, your email provider, how many people from the EU are on your list, your segmentation tactics, and many many other factors. I recommend going to the ICO website for more details and specifics.
GDPR is not just about privacy issues with regard to data collection and storage but also about protection of the data from breaches of security. And all that is understood. I also understand that most of GDPR relates to the data collection of information about citizens or residents of the European Union, Iceland, Liechtenstein, or Norway.
What if a nonprofit organization, researching potential donors within the USA, finds contact information on an individual who is ALSO a citizen and/or resident of the EU or the other countries listed above? How can it be known that these people are also citizens or residents in those countries?
If one sends a solicitation email to any of these people, as long as the email contains an opt-out method, is that enough? Many of the world's wealthiest individuals are multi-nationals, but that fact is not always known, evident, or obvious.
They don’t have to be citizens, they can simply reside in the EU and their data falls under GDPR. I recommend going to the ICO website for more detailed and specific information.
Again, I am concerned about how this will be ENFORCED. Residency or citizenship of multi-nationals is not innately evident. If I do research on a potential donor for an organization in the USA, and I am using USA-based data sources, we can for sure assume that the individuals whose information I am able to find in those data sources are either residents or citizens (or both) of the USA. However, if they are multi-nationals, with residency and/or citizenship in countries covered by the GDPR — that information is not readily available. And IF we want to ATTEMPT a connection with them using the information discovered in the USA-based source(s), and it turns out that they are multi-nationals — we are then in breach of GDPR. But without DISCOVERY of this information, there can be no way we can KNOW that they are, indeed, multi-nationals. If perchance, we do approach a multi-national individual, who is a USA resident and/or citizen, AND that individual is ALSO a citizen and/or resident of a GDPR country — then I assume that individual COULD make problems for us. I do not foresee this as a BIG problem, but all it takes is ONE nasty-minded individual to bring down an organization….