Nonprofit GDPR Compliance: 9 Items to Consider

Unless you’ve been living entirely off the grid for the last few months, I’m willing to bet you’ve heard of the General Data Protection Regulation, or as it’s more commonly known, GDPR. And if you’re anything like the vast majority of folks in the nonprofit world, you probably have some questions about what the GDPR is and how it impacts your nonprofit. If the thought of GDPR compliance has been keeping you up at night, hopefully tonight you’ll finally be able to get some rest.

Before we dive in head first, I want to be clear we aren’t here to provide an in-depth summary of what the GDPR says. Instead, now that the GDPR dust has settled a bit, we’ve put together a list of items related to your nonprofit’s marketing that you can use to ensure you’re moving in the right direction when it comes to GDPR compliance. We’ll also share a simple tool we built that can help you use Google Analytics data to assess your traffic from countries in the European Union.

That said, we recommend you consult an attorney that’s familiar with the GDPR and how it applies to your nonprofit. We aren’t lawyers, and nothing we share in this post should be taken as legal advice. Speaking with an attorney will be your best bet to ensure total compliance. (Sorry, we had to explicitly say it.)

So What Is The GDPR?

The GDPR is a regulation that went into effect in the European Union (EU) on May 25, 2018. It’s meant to give people in the EU more control over their personal data and regulate the way organizations all over the world capture and store their personal data. This applies to a lot of common information nonprofits collect including names, email addresses, phone numbers, physical locations and payment information.

The whole idea is to bring more transparency to data collection, storage and removal. It governs not only how you collect personal data in the first place, but also how you handle that data once you’ve collected it. There are also details on removing that data if requested by someone in the EU.

For more on the background of the GDPR viewed through a marketing lens, here are a few articles we found really helpful:

Does My Nonprofit Need to Panic About GDPR?

Again, we’re not lawyers. But the short answer is while your nonprofit should take complying with the GDPR seriously, you likely don’t need to panic.

As you’ve probably heard, even if you aren’t in the EU, the GDPR likely applies to you. If you process or store the data of anyone in the EU (including donors, members or even just subscribers to your email list), you could be penalized for not complying.

However, it sounds unlikely your nonprofit would face a huge fine right off the bat. While the details aren’t entirely clear, it sounds like you’ll most likely get at least a warning first as long as you’re doing your best to comply.

To be honest, the GDPR really just formalizes many marketing best practices your nonprofit should already be following. Be honest with people about your marketing efforts and market to people that want to hear from you. Be responsible with the data you collect from your audience. Allow people to easily stop receiving your marketing if they’d like to.

Julia Campbell has a great post called “Don’t Panic: What Nonprofits Should Know About GDPR” that’s worth a read. (Plus she shouts out a post we wrote about Privacy Policies which is how we found her post in the first place.)

Should I Make These Changes Globally? Or Only Worry About EU Visitors?

We’d definitely recommend you make changes to your approach globally. As we said above, many of these changes are just marketing best practices anyway. Plus it could get really complicated to have different processes for EU visitors than you do for the rest of your visitors.

And everyone likes clarity and security.

Alright, enough background. Let’s dive into some specific actions you can take to ensure you’re moving in the right direction when it comes to compliance.

Nonprofits and GDPR Compliance

Below we’ll dive into quite a few different areas of GDPR compliance that are broadly applicable to many nonprofits, including:

You may have to adapt the nuances of some of them to make sense for your organization, but this list will hopefully serve as a helpful starting point.

Determine How Much EU Website Traffic You Receive

Regardless of where your nonprofit is based, or how much traffic you get from the EU, you should care about the GDPR. But realistically, if you get a ton of traffic from the EU, your risk is far higher than organizations that get next to no visits from countries in the EU.

To help you figure out how much traffic you get from countries in the EU, we put together a spreadsheet that you can use along with your Google Analytics account.

Download the GDPR Exposure Calculator

In order to calculate your traffic from the EU, do the following:

  1. Copy or download the spreadsheet by clicking the button above
  2. Export your geographical data from Google Analytics (below is a video showing you how to do that)
  3. Copy your geographical data from the file you exported from Google Analytics and paste it into the “Pasted Google Analytics Data” tab on the spreadsheet
  4. View your users from the EU on the “Traffic from the EU” tab

Since every organization’s situation is different, it’s tough for us to give a threshold you should look out for. But hopefully at least knowing how much traffic you get from the EU will help you make the case for updating your marketing to comply with the GDPR to the powers that be. Unless you get no traffic from the EU, you have at least some level of exposure under these new rules.
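If you would rather do the same calculation in code than in the spreadsheet (for example to run it every month), the script below is an added example and is not the spreadsheet from this post. It reads the text of a Google Analytics “Geo > Location” CSV export, skips the comment banner and the trailing “Day Index” table that the export usually carries (an assumption about the export layout; adjust it if yours differs), sums Users per country, and reports the EU share. The EU country list reflects EU membership at the time of the post (2018) and is something you must keep current yourself; the sample export is constructed for the example.

```python
import csv

# EU member states as of 2018 (assumption: keep this list current for your own use).
# Google Analytics has used both spellings for the Czech Republic, so both are listed.
EU_COUNTRIES = frozenset({
    "Austria", "Belgium", "Bulgaria", "Croatia", "Cyprus", "Czechia",
    "Czech Republic", "Denmark", "Estonia", "Finland", "France", "Germany",
    "Greece", "Hungary", "Ireland", "Italy", "Latvia", "Lithuania",
    "Luxembourg", "Malta", "Netherlands", "Poland", "Portugal", "Romania",
    "Slovakia", "Slovenia", "Spain", "Sweden", "United Kingdom",
})

# Constructed sample resembling a Google Analytics Location export:
# a '#' banner, the main table (counts carry thousands separators),
# then a blank line and a secondary "Day Index" table we do not want.
SAMPLE_EXPORT = """# ----------------------------------------
# All Web Site Data
# Location
# 20180501-20180531
# ----------------------------------------

Country,Users,New Users,Sessions
United States,"8,412","7,900","10,311"
Germany,412,380,501
United Kingdom,275,240,330
Canada,610,590,720
France,96,90,110
(not set),44,40,50

Day Index,Users
5/1/18,310
"""


def data_rows(csv_text):
    """Yield only the lines of the main table: drop '#' comment lines and stop
    at the first blank line after the table starts (layout assumption)."""
    started = False
    for line in csv_text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if started:
                break
            continue
        started = True
        yield line


def parse_users(value):
    """GA formats counts like "8,412"; strip separators before converting."""
    return int(value.replace(",", "").strip() or 0)


def eu_exposure(csv_text):
    """Return (total_users, eu_users, eu_share, users_per_eu_country).

    users_per_eu_country is sorted with the largest EU sources first so the
    countries driving your exposure are easy to spot.
    """
    total = 0
    eu_by_country = {}
    for row in csv.DictReader(data_rows(csv_text)):
        country = row["Country"].strip()
        users = parse_users(row["Users"])
        total += users                      # "(not set)" still counts toward total traffic
        if country in EU_COUNTRIES:
            eu_by_country[country] = eu_by_country.get(country, 0) + users
    eu_users = sum(eu_by_country.values())
    share = eu_users / total if total else 0.0
    ranked = dict(sorted(eu_by_country.items(), key=lambda kv: (-kv[1], kv[0])))
    return total, eu_users, share, ranked


if __name__ == "__main__":
    total, eu_users, share, ranked = eu_exposure(SAMPLE_EXPORT)
    print(f"Total users: {total}  EU users: {eu_users}  EU share: {share:.1%}")
    for country, users in ranked.items():
        print(f"  {country}: {users}")
```

Point `eu_exposure` at the contents of your own export (for example `open("Analytics Location.csv").read()`) to get the same numbers the spreadsheet’s “Traffic from the EU” tab shows. Because the total includes visitors Google could not geolocate (“(not set)”), the share is a conservative lower bound on your EU exposure.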

Outline the Personal Information You Collect

After determining the amount of traffic you’re receiving from visitors in the EU, your next step is to outline all of the personal information you collect from individuals. This will help you determine where you may need to make adjustments moving forward.

Start by answering the following questions:

  1. What information do we collect from donors/volunteers/event attendees/members? Where is it stored?
  2. Are there any resources that we make available in exchange for personal information (such as downloading a piece of research)? If so, what information do we collect and where do we store it?
  3. What does the process of subscribing to our email newsletter look like?
  4. For all of the personal information we’ve already collected, are we confident we’ve received explicit consent to have it?
  5. If someone wanted to know what info we have about them, would we reasonably be able to pull those details?
  6. Where are we storing personal information outside of our website? For example, do we use a donor management system or email newsletter platform?

Be honest with yourself here. It’s better to realize you have some ground to make up than pretend everything is fine.

Develop a Plan for Retrieving and Deleting User Data

Now that you know what data you’re collecting, it makes sense to develop a plan for retrieving that data if someone in the EU asks for it. If someone from the EU reaches out, you’ll need to be able to tell them the following:

  • What data you have from them
  • When and why you collected it
  • How you’ve used that data
  • Any third parties you’ve shared their data with
  • If possible, the period of time you plan to store that data

Depending on the nature of the data and the ways in which you use it, it’s possible additional information will be required as well. But this is a solid starting point.

If the person requesting this info is from the EU and wants you to correct any inaccurate data or delete it completely, you’ll need to do so to comply with the GDPR. Thinking through what this could look like in advance will help you avoid any panic if you get such a request down the road.

Check Your Email Signup Forms

Email signups are one of the most common ways nonprofits collect data from website visitors. Given the global reach of the web, there’s a decent chance you have some visitors from the EU on your email list.

The bottom line here is you need to be collecting “explicit consent” from a subscriber before adding them to your email list. This basically means your visitor has to take a clear action to sign up. A couple of examples of explicit consent include:

  • A user completes a form with the sole, stated purpose of adding them to your email list
  • A user fills out a form aimed at another purpose (such as becoming a member or downloading a report) and checks a box saying they’d like to join your email list (but this box can’t be checked by default)

This would also be a great time to consider using the double opt-in method to add subscribers to your email list. In this approach, users aren’t added to your email list unless they confirm their wish to be added by clicking a link you send them via a confirmation email. You don’t have to use double opt-in to comply with the GDPR, but it doesn’t hurt.
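To make the two points above concrete, here is an added example (not code from this post) of the server side of a signup form that only treats a deliberately ticked, unchecked-by-default box as consent and then requires double opt-in before the address joins the list. The field name `newsletter_opt_in`, the 48-hour confirmation window and the in-memory stores are assumptions for the example; a browser omits an unticked checkbox from the form post entirely, which is why consent is read as “the field was submitted with a ticked value” rather than “the field exists.” The record it keeps (what was collected, when, from which form, under which wording, and for what purpose) is also the information you will need when someone asks what you hold about them.

```python
import secrets
from datetime import datetime, timedelta, timezone

CONFIRM_WINDOW = timedelta(hours=48)          # assumption: how long a confirmation link stays valid
OPT_IN_FIELD = "newsletter_opt_in"            # assumption: name of the checkbox on the form
CHECKBOX_WORDING = "Yes, I'd like to receive email updates."  # shown next to the box, stored with consent


class ConsentError(ValueError):
    """Raised when a signup is attempted without an explicit opt-in."""


def utc_time(text):
    """Parse '2018-06-01T10:00:00' as a UTC datetime (helper for tests and callers)."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


def explicit_opt_in(form):
    """True only if the visitor ticked the box.

    Browsers send nothing for an unticked checkbox and "on" (or the value
    attribute) for a ticked one, so absence, empty strings and anything
    unexpected all mean "no consent". The box must be rendered unchecked;
    a pre-checked box would make this value meaningless.
    """
    return str(form.get(OPT_IN_FIELD, "")).strip().lower() in ("on", "yes", "1", "true")


class NewsletterSignup:
    def __init__(self):
        self.pending = {}       # confirmation token -> unconfirmed consent record
        self.subscribers = {}   # email -> confirmed consent record

    def start_signup(self, email, form, source, now):
        """Record an opt-in request and return the token to put in the confirmation email.

        `form` is the submitted form data (a dict); `source` names the form it
        came from (e.g. "donation form"), so you can later say when and why the
        address was collected.
        """
        if not explicit_opt_in(form):
            raise ConsentError("checkbox was not ticked: no explicit consent to email this person")
        token = secrets.token_urlsafe(32)     # unguessable, single-use confirmation token
        self.pending[token] = {
            "email": email.strip().lower(),
            "purpose": "general marketing email list",
            "source": source,
            "wording": CHECKBOX_WORDING,
            "requested_at": now,
            "confirmed_at": None,
        }
        return token

    def confirm(self, token, now):
        """Second step of double opt-in: the link in the email was clicked.

        Returns the consent record, or None if the token is unknown, already
        used, or older than CONFIRM_WINDOW (the address is then never added).
        """
        record = self.pending.pop(token, None)   # pop: a token can be used only once
        if record is None:
            return None
        if now - record["requested_at"] > CONFIRM_WINDOW:
            return None
        record["confirmed_at"] = now
        self.subscribers[record["email"]] = record
        return record

    def consent_record(self, email):
        """What we hold about this subscriber and why; None if they are not on the list."""
        return self.subscribers.get(email.strip().lower())

    def unsubscribe(self, email):
        """Honour a withdrawal of consent; True if the address was on the list."""
        return self.subscribers.pop(email.strip().lower(), None) is not None


if __name__ == "__main__":
    signup = NewsletterSignup()
    # Constructed form posts: a donor who ticked the box, and one who did not.
    token = signup.start_signup("donor@example.org", {"amount": "50", OPT_IN_FIELD: "on"},
                                "donation form", utc_time("2018-06-01T10:00:00"))
    print("pending until confirmed:", signup.consent_record("donor@example.org"))
    print("confirmed:", signup.confirm(token, utc_time("2018-06-01T11:30:00")))
    try:
        signup.start_signup("quiet@example.org", {"amount": "20"}, "donation form",
                            utc_time("2018-06-01T10:05:00"))
    except ConsentError as err:
        print("rejected:", err)
```

The practices the post lists as needing a rethink map directly onto this code: adding every gala attendee or donor automatically would mean calling `start_signup` without a ticked box (which raises), and a pre-checked box would defeat `explicit_opt_in` because every submission would carry `"on"`. Keeping `requested_at`, `source` and `wording` on the record is what lets you later show that consent was informed and freely given.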

On the flip side, here are a few practices that you’d want to revisit in order to comply with the GDPR:

  • You add all event attendees automatically to your marketing email list after your Annual Gala
  • You automatically add a donor to your marketing emails without asking them to check a box during the donation process
  • You have a download form to access a piece of research on your site with a checkbox that says “Yes, I’d love to receive email updates!” which is checked by default
  • You buy a list from some shady guy standing on the street corner

If you want to dive into the details, here are links from two of the more popular email service providers out there:

Now is a great time to look over the forms you use to collect email signups and ensure they’re clear and require the visitor to take some sort of action to opt-in.

Consider Adding Groups to Your Email List

Having your email list broken into groups based on user type or interests has been a marketing best practice for some time. But under the GDPR, it’s more important than ever.

Breaking your email list into groups will help you make sure you’re sending subscribers the content they’ll expect to receive based on how they first got added to your list. For instance, if you have a group for your Annual Gala, you’ll easily be able to notify those that have registered if there’s a last-minute announcement they’ll need to receive.

If you’re just getting started with email lists, check out our post “How to Organize Your Emails With a MailChimp Master List.” Even if you don’t use MailChimp, there’s a general list structure in there you can adapt to work well for you.

Rethink Your Emails to Specific Audiences

As part of your nonprofit’s work, you almost definitely collect a lot of email addresses. From donors and volunteers. From event attendees and members of your community that use your services.

Collecting email addresses is totally fine under the GDPR. You just need to be clear about how you plan to use them moving forward.

For instance, you’ll probably want to keep sending your donors email confirmations after they make a gift. But if you want to add all of your donors to your general marketing list, you’ll need to get their explicit consent before doing so. You could either have them check a box during the donation process stating they want to be added, or send a follow-up email inviting them to take some action (like updating their preferences) to join your general marketing list.

The specifics will need to be tailored to your organization and the way your email list is set up. But the days of just dumping in every email address you collect are a thing of the past.

Update Your Privacy Policy

One of the keys with the GDPR is to be more transparent about the types of data you collect, how you store it and what the process is for someone that has questions for you. But practically, you’re not going to spell out all of the details on each individual form on your website.

Instead, put all of the details in your Privacy Policy. Include things like:

  • What data do you collect?
  • Will you share the data you collect with third parties?
  • How do you plan to use the data you collect?
  • How long do you plan to store the data that you collect?
  • How can someone reach out if they have questions about the data you’ve collected?

For more tips, check out “How to Write a GDPR Privacy Notice” from IT Governance.

We also highly recommend you have your Privacy Policy reviewed by an attorney. They’ll be able to ensure you’re covering your bases with regards to GDPR compliance. (Just a reminder, we can’t give any legal advice since we aren’t lawyers.)

Confirm Google Analytics Data Retention Updates

Here’s a quick and easy win that may not require you to take any action at all. As part of getting GDPR compliant, Google prompted all Google Analytics users to review their data retention settings. This setting gives you control over how long Google will store the individualized data it collects from visitors on your site (assuming you use Google Analytics). It doesn’t apply to many standard reports in Google Analytics, which are based on anonymous, aggregated data.

If you took no action, your data retention period is most likely set to 26 months by default. You can choose between four different amounts of time, ranging from 14 months to 50 months. There’s also an option to never auto-expire this data. For most nonprofits, the default option of 26 months is plenty of data to work with.

We’d also recommend you make sure the “Reset on new activity” option is toggled to “On” so that if a visitor re-engages with your site, their expiration countdown starts over.

If you’re interested in learning more about data retention in Google Analytics, check out this support article from Google.

Update WordPress and Plugins

If you’re using WordPress, now is the time to make sure it’s updated to the most recent version (which is WordPress 4.9.6 as of the writing of this post).

The most notable changes to WordPress 4.9.6 related to GDPR compliance are:

  • A checkbox asking blog commenters to provide consent to store their information for future commenting
  • New tools for exporting or deleting a WordPress user’s personal data (if they request you do so)
  • A new Privacy Policy generator (although a Privacy Policy created and reviewed by a lawyer is still preferable)

There’s also been a flurry of plugin updates recently related to GDPR compliance, and it’s a pretty safe bet to assume this will continue for the next few months. If you don’t update your plugins often, this would be a good stretch to do so to help keep your nonprofit compliant.

If you’re using another content management system, we’d recommend you talk to your web developer about your site and see if you need to update to be GDPR compliant.

Don’t Panic, But Get Started

Hopefully, at this point, you have a pretty solid idea of how much website traffic you get from the EU and some immediate action items to get you started down the road to compliance. If you’re a bit behind on GDPR compliance, you aren’t alone. But now’s the time to get the ball rolling.

While we can’t provide specific legal advice in the comments below, I’d love to hear your experience thus far with GDPR compliance. Has your nonprofit found any resources that were super helpful? Or do you have recommendations for other nonprofits when it comes to jumpstarting their efforts to comply with the GDPR? We’d love to hear from you.