If You Haven’t Fixed Your Nonprofit Website To Comply With GDPR, Here’s How
This post was originally produced for Forbes.
On May 25, the European Union’s General Data Protection Regulation went into effect. These rules effectively apply to almost every website operated in the world—including your nonprofit or social venture. If you haven’t figured out compliance yet, take a few minutes to read this article to learn how.
Let’s start by pointing out that for a small nonprofit or social venture, failing to comply with the GDPR rules could cost up to 10 million euro, almost $12 million. Just hiring a lawyer to defend a case brought by someone in Europe could wipe out all the funds you plan to spend on your mission for years to come. Have I got your attention now? If you haven’t fixed your site to comply, it’s not too late.
Amber Hinds, the CEO of Road Warrior Creative, works primarily with social entrepreneurs and nonprofits to build websites. Much of her work over the past two years has been preparing for the implementation of GDPR rules. She joined me for a live interview, which you can watch in the player at the top of this article, and provided additional information to help me understand the rules.
Hinds knows her stuff.
Angie Coleman, director of community for Lesbians Who Tech, uses Road Warrior for GDPR compliance work. She says, “Road Warrior Creative was instrumental in our compliance with the new GDPR rules. They were able to walk us through what was needed, help implement new changes, and oversee that everything was cohesive across our three brands. It was a huge help, especially as we waited till crunch time to make the changes.”
CJ Legare, chief of staff and faculty coordinator for Lean Startup Co, uses Road Warrior, too, and she agrees. “RWC gave us wonderful guidance and made sure we understood our options, so we could make informed choices.”
If you are based in the EU, you are, of course, subject to the new rules. Even if you are based in the US, or elsewhere outside the EU, chances are good the rules apply to you.
If you have a website that is intended for use anywhere in the EU, which still includes Great Britain and will include English-speaking Ireland even after Brexit, you are subject to the new rules. If you have people from the EU in your newsletter list, if you have accepted donations from the EU or sold products to people in the EU, you are almost certainly subject to the new rules.
Hinds offers this caveat:
Now, what I will say about this is that if you are a very small non-profit or individual or organization that is collecting, let’s say, just emails for a newsletter and you’re not expressly targeting people from the European Union–that is to say they might just find you via Google but you don’t have any information that is marketing related that is targeting that demographic–it is possible that it may not apply to you because those are incidental users.
While you’re reviewing your compliance with GDPR, consider your compliance with older EU regulations around cookies. Many sites have not been compliant and people have been using GDPR as an opportunity to get compliant with these rules as well.
Again, you are subject to the rules about cookies if you are physically based in the EU or if you target consumers in the EU. You might think that your site doesn’t use cookies, so the rules don’t apply to you, but almost all sites do, whether you know it or not. All WordPress sites use cookies. Google Analytics uses cookies, and most sites now incorporate Google Analytics. Again, chances are good you’ll need to comply with these rules, too.
To comply with GDPR, there are three primary things you need to do:
Get consent to collect any personally identifiable information
Disclose to your customers the data you’re keeping about them
Forget everything about a person upon request
Getting consent prospectively is not terribly difficult. One key is to resist the temptation to require people to opt out of your lists or to automatically add them after doing business with you. To send marketing messages you must have permission. The best practice is a “double opt-in” feature, where you send each person who signs up a confirmation email that they must click before they are finally added to your list.
What about all those email addresses you already have on your list? They have been gathered over years. You may not know or remember how those email addresses were gathered. Some people have chosen to send everyone who might possibly be in the EU (in some cases, everyone on their list) an invitation to proactively confirm that they’d like to continue receiving their messages. Others have simply purged old names and email addresses for which they don’t have a clear record of how they were acquired.
Additionally, when a customer asks to know what information you store about them, you’ll need to be able to tell them exactly what you’ve recorded. When a customer asks to be forgotten, you’ll need to either purge all their data or anonymize it. You are allowed to keep information that is required for compliance with other record-keeping regulations in your jurisdiction, as may apply to financial and other transactions.
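The three duties above (consent, disclosure, erasure), plus the legacy-list cleanup, fit together in one small data model. The following is an added example, not code from the article, from Road Warrior Creative or from either tool mentioned below; the class and method names, the 48-hour confirmation window and the sample addresses are all assumptions. It shows the double opt-in token flow, a one-call export of everything held about a person, and an erasure that keeps donation amounts and dates for financial record-keeping under a random pseudonym instead of the email address.

```python
"""Added example: a minimal subscriber registry for the three GDPR duties the
article lists. Names, the 48-hour token lifetime and sample data are assumed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import secrets

TOKEN_LIFETIME = timedelta(hours=48)   # assumed confirmation window


def at(year, month, day, hours=0):
    """Helper to build a UTC timestamp for examples and tests."""
    return datetime(year, month, day, tzinfo=timezone.utc) + timedelta(hours=hours)


@dataclass
class Subscriber:
    email: str
    source: str                        # where the address came from (proof of consent)
    requested_at: datetime
    confirmed_at: Optional[datetime] = None


@dataclass
class Donation:
    donor: str                         # email, or a pseudonym after erasure
    amount_usd: float
    date: datetime


class Registry:
    def __init__(self):
        self.pending = {}       # token -> Subscriber awaiting confirmation
        self.subscribers = {}   # email -> confirmed Subscriber
        self.donations = []     # financial records, kept even after erasure

    # 1. Consent (double opt-in): nobody is added directly. A one-time token is
    #    emailed to the address and consent only counts once it is clicked.
    def request_subscription(self, email, source, now):
        token = secrets.token_urlsafe(32)           # unguessable, single use
        self.pending[token] = Subscriber(email.lower(), source, now)
        return token                                # the real system would email this

    def confirm(self, token, now):
        sub = self.pending.pop(token, None)         # pop makes the token single use
        if sub is None or now - sub.requested_at > TOKEN_LIFETIME:
            return False                            # unknown, reused or expired
        sub.confirmed_at = now                      # record when consent was given
        self.subscribers[sub.email] = sub
        return True

    # Legacy lists: addresses with no record of how they were gathered are dropped;
    # the rest get a fresh confirmation request, as the article describes.
    def reconfirm_legacy(self, legacy, now):
        dropped, tokens = [], {}
        for email, source in legacy:                # source is None when unknown
            if source is None:
                dropped.append(email.lower())
            else:
                tokens[email.lower()] = self.request_subscription(email, source, now)
        return dropped, tokens

    def record_donation(self, email, amount_usd, now):
        self.donations.append(Donation(email.lower(), amount_usd, now))

    # 2. Disclosure: everything held about the person, gathered in one call.
    def export(self, email):
        email = email.lower()
        sub = self.subscribers.get(email)
        return {
            "subscription": None if sub is None else {
                "source": sub.source,
                "confirmed_at": sub.confirmed_at.isoformat()},
            "donations": [(d.amount_usd, d.date.isoformat())
                          for d in self.donations if d.donor == email],
        }

    # 3. Erasure: remove the marketing record entirely; keep donation amounts and
    #    dates (financial record-keeping) under a random pseudonym that is not
    #    derived from the address, so it cannot be reversed by guessing.
    def forget(self, email):
        email = email.lower()
        self.subscribers.pop(email, None)
        for token, sub in list(self.pending.items()):
            if sub.email == email:
                del self.pending[token]
        pseudonym = "erased-" + secrets.token_hex(6)
        for d in self.donations:
            if d.donor == email:
                d.donor = pseudonym
        return pseudonym
```

Two design points worth noting: the confirmation token is popped on first use, so a forwarded or replayed confirmation link cannot re-subscribe someone, and the export reads from the same records the erasure clears, so the two answers can never disagree about what is held.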
To comply with the old EU cookies regulations that so many of us have been ignoring, you are required to give people notice that your site uses cookies and provide a link to your policy about using cookies. To do this, most websites have chosen to create a popup bar at the top or bottom of the screen that summarizes the cookies policy and provides a link to the full policy.
If you’re like me and you’re not a coder or web-designer like Hinds, this all sounds very intimidating. She pointed us to two affordable tools that will help you comply.
The first is the GDPR Framework WordPress Plugin. This plugin will integrate with most WordPress sites and will help you implement your GDPR compliance. One great feature of this tool is the price: free.
Another tool that is somewhat more robust but is still affordable is iubenda.com. This site is a legal compliance site that for an annual fee of $27 will help you get a legally compliant policy. Using a TurboTax-style process, it will help you build a policy that describes what you are currently doing. When you’re finished, they provide a snippet of code that you can install on your site to get compliant.
Even with these tools, the process may sound intimidating. For those with resources, firms like Road Warrior Creative can help you. For those with limited budgets, investing the time to figure this out is worth the effort it requires.
As Hinds says of these rules, “I just think this is good customer service. When you provide people with information about the data you’re using, you’re collecting on them and why you’re collecting it or say that you have cookies on your website and you’re transparent about that, I think people generally are going to appreciate that.”
Devin is a journalist, author and corporate social responsibility speaker who calls himself a champion of social good. With a goal to help solve some of the world’s biggest problems by 2045, he focuses on telling the stories of those who are leading the way! Learn more at DevinThorpe.com!
The post If You Haven’t Fixed Your Nonprofit Website To Comply With GDPR, Here’s How appeared first on Your Mark On The World.