Do you run an Association and/or Non-Profit 501(c) organization? At Nicely Done Sites we have worked with many of these organizations to help build their websites so that they can further their mission. If you are one of these organizations, are you in compliance with GDPR? If you are not, you should be.
But Isn’t GDPR Only For Europe?
The General Data Protection Regulation (GDPR) was implemented by the European Union in 2018 to control how European companies, and foreign entities that do business in Europe, handle customer data. So of course you are asking what this has to do with your non-profit, which does no business with Europeans, is not based in Europe and is unlikely ever to be.
It is quite simple.
GDPR gives citizens control of their data and governs what companies do with that data. The idea of this kind of regulation is very appealing to the average consumer, especially in today’s age of data breaches and underhanded dealings by social media companies. The idea is sure to be copied, and several US states are already crafting similar legislation.
What Do I Need To Do With My Data?
GDPR is pushing to give consumers control of their data. The information on a person is theirs, not the company’s or organization’s to do with as they want. This information is very valuable. It is used to build a profile of a customer to tailor ads to them, to learn their habits, or simply to package and sell to other companies.
Under GDPR, any data acquired from a customer for marketing or sales purposes requires the customer’s consent for it to be collected and used. The customer has to clearly and definitively opt in to any collection, and the company’s records must capture both how and when they opted in. Customers also have the ability to withdraw this consent at any time.
Customer Consent Is Key
This means that for a customer to receive your non-profit’s email marketing campaign, your newsletter, or any communication from you, they must opt in to receive it, and in many cases must opt in again via a follow-up email. For any information gathered during the registration process, you must explicitly explain what it will be used for.
And you have to stick to that.
GDPR Is A Fundamental Change To What You Do With Data
This means that your marketing and sales activities and processes will need to be overhauled. New business procedures, applications and forms will need to be created. It is an all-encompassing change that affects your entire organization, not just your IT department.
For some this could be a major change. Many non-profit and 501(c) organizations rely on data for marketing campaigns. They use massive amounts of data and analytics to provide insights and to target new customers or members. This data can be gathered from existing members or from surveys, or you might have purchased customer information from another company or organization. If you do the latter, you need to be aware that GDPR requires you to obtain the customer’s permission to do this and to send them information.
These regulations change how you obtain information and what you can do with it.
How Much Data Do You Have?
How much customer data do you have? It could be quite significant, and it could be spread all over your systems. Do you need all of it in the first place? You might also have some of it on your own computer (or on other computers) and not even know it. You should. GDPR requires that these files be identified and secured to prevent data theft. Not everyone in your organization needs access to customer information, and those who do not need it should not have it. This is not a new concept, and this lack of access control was responsible for a massive data breach at Target in 2013.
GDPR is all about data privacy. Don’t forget that your privacy policy will also need to be redrafted to reflect your new data policies. If you need to craft a new privacy policy, consider using our friends at Termageddon.
Why This Matters
GDPR may be a European law, and it may not apply directly to you or your organization. If you ignore it, the EU will not be coming for your non-profit with a fine in hand, but at the same time consumers are becoming more aware of their data privacy here in the US. Companies and non-profits that treat their customers’ or members’ information with care will have a better public reputation and will be more likely to have people want to work with them and do business with them. It is an easy way to build trust and loyalty.
Well, maybe not easy, but the winds of change are blowing when it comes to data privacy. As mentioned earlier, several states are crafting their own similar legislation, and there is a very good chance that something along the same lines could become law here in the US in the near future. When something works, government bodies tend to be copycats. Many of our largest companies have already made themselves GDPR compliant, so much of the work has already been done. That leaves smaller organizations like non-profits to become compliant.
Work To Be Done
You may have a lot of work to do to reach compliance. Your website may need some serious work to reflect any changes (while you’re at it, is your website ADA compliant? If it isn’t, this is a good time to make it so). Your organization may need to completely change how it does business, and certainly some existing practices will need to change. While there is no clear direction from the federal government, there is a framework already in place to follow.
It is a lot of work, but it will need to be done at some point. Proper data privacy practices can help build loyalty and confidence in your non-profit or organization, which can help you in the long run and generate positive PR. That can only help your organization further its mission; if data privacy is ignored, you might find that no one wants to give to your non-profit or organization. That will help no one in the end.