A Guide to GDPR for Associations, Nonprofits, and Other 501(c) Organizations
- David DeLorenzo
- April 30, 2018
The deadline is looming for the EU’s General Data Protection Regulation—better known as GDPR—aimed at protecting data privacy. That makes now a good time to examine what your organization can and should be doing to protect user data. To allay some of the fears around GDPR compliance, and to simplify what some view as an insurmountable task, I’ve put together this guide to GDPR for associations, nonprofits, and other 501(c) organizations.
At first blush, GDPR is daunting.
There are countless new terms to learn—data controller, data processor, data protection officer. And new policies to deal with—right to be forgotten, right to portability of data, right to not be processed. But the biggest question I get about GDPR is, “How will it really affect the day-to-day business operations of my organization?” The answer depends on your specific business operations, but let’s break it down.
What Associations and Nonprofits Need to Know About GDPR Compliance
GDPR is the latest regulation in the continued path toward a permission-driven economy. The intent of GDPR is not to stop organizations from communicating with their customers. Rather, GDPR puts the customer in the driver’s seat—and the task of complying with this regulation directly on organizations and the many partners supporting them. While GDPR originated in the EU, the recent incident involving Facebook and Cambridge Analytica has heightened awareness here in the United States.
Consent is the crux of GDPR.
Data has become one of the most valuable commodities in the world. The fortunes of Facebook, Netflix, Google, and many others have been built around their ability to collect, process, and use data to deliver services—and to collect additional revenue by sharing that data.
But here’s what this new data-driven world fails to acknowledge: the customers’ personal data actually belongs to them, not to your organization. You don’t own their data. It’s not yours to do with it what you will or share it with whomever you like.
Under GDPR, any processing of personal data for marketing and sales requires consent from the customer. That consent needs to be specific, informed, freely given, and unambiguous. It also has to be given by clear, affirmative action—the user has to actively opt in.
The conditions for obtaining consent are stricter under GDPR than under existing requirements. Customers have the right and must have the ability to withdraw consent at any time.
What does GDPR-compliant consent look like?
The common interpretation of GDPR is that consent will not be valid unless separate consents are obtained for each different processing activity. Think about that—think about the data your association gathers during the registration process for your annual meeting. You may need to be explicit that it will only be used for the purposes of that meeting, not later on to market an unrelated webinar or service. This fundamentally changes the way you build prospect lists for membership, programs, etc.
Under GDPR, you have to be able to prove that your customers agreed to a certain action—to receive a newsletter, for instance. It is not acceptable to assume they would want it, or to add a disclaimer, or to provide an opt-out option after the fact. If they didn’t request it, don’t send it.
Associations and nonprofits will have to change the way marketing and sales activities are managed. Staff will have to review business processes, applications, and forms to make sure they’re compliant with double opt-in rules and email marketing best practices. For example, to receive sales and marketing communications, prospects will have to first fill out a form or check a box and then confirm that action in a follow-up email—a form of double opt-in that’s already standard practice for some organizations.
If someone objects to receiving a communication, the organization housing the data must prove that consent was given. Any data stored in your systems needs a time-stamped audit trail containing the details of what your members opted into and how. This is a tremendous challenge for associations and nonprofits without the assistance of their partners, specifically their AMS or e-marketing platform providers.
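As an added illustration (not code from the original post), a minimal consent ledger in Python that implements the double opt-in and the time-stamped audit trail described above: one consent record per processing purpose, a confirmation token the prospect must return, withdrawal at any time, and a check the sending system runs before each communication. The class, field names, and purpose labels such as "newsletter" are assumptions made for the example.

```python
import secrets
from datetime import datetime, timezone

class ConsentLedger:
    """Append-only, time-stamped consent events, one consent per purpose.
    Events are added, never edited: requested -> confirmed -> withdrawn."""
    def __init__(self):
        self.events = []    # the audit trail
        self.pending = {}   # unconfirmed token -> (email, purpose)

    def _log(self, event, email, purpose, source):
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "event": event,
                 "email": email, "purpose": purpose, "source": source}
        self.events.append(entry)
        return entry

    def request(self, email, purpose, source):
        """Double opt-in step 1: a form was submitted or a box ticked."""
        token = secrets.token_urlsafe(16)   # goes into the confirmation email
        self.pending[token] = (email, purpose)
        self._log("requested", email, purpose, source)
        return token

    def confirm(self, token, source="confirmation-email"):
        """Double opt-in step 2: the link in the confirmation email was clicked."""
        if token not in self.pending:       # unknown or already-used token
            return False
        email, purpose = self.pending.pop(token)
        self._log("confirmed", email, purpose, source)
        return True

    def withdraw(self, email, purpose, source):
        """Withdrawal must work at any time; it is logged, not erased."""
        self._log("withdrawn", email, purpose, source)

    def is_permitted(self, email, purpose):
        """Check before every send; the latest confirm/withdraw event wins."""
        state = False
        for e in self.events:
            if e["email"] == email and e["purpose"] == purpose:
                if e["event"] == "confirmed":
                    state = True
                elif e["event"] == "withdrawn":
                    state = False
        return state

    def evidence(self, email, purpose):
        """Proof for someone who objects: every event for that person and purpose."""
        return [e for e in self.events if e["email"] == email and e["purpose"] == purpose]
```

Consent for one purpose (the annual meeting) never permits another (a webinar mailing), and the evidence list is what you hand over when someone disputes a message.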
The focus on data privacy has never been sharper.
Many people are still under the impression that GDPR is just an IT issue, but that is far from the truth. GDPR has sweeping implications for your entire organization, including the way you handle marketing, sales, customer service, and the many other activities where you are collecting and storing data. Let’s take a look at marketing, specifically.
Marketing Your 501(c) Under GDPR
Since marketing is so critical to revenue growth for 501(c) organizations, you must understand how GDPR will affect marketing operations.
Marketing—the biggest consumer of technology in most organizations—understands how to put massive amounts of data to good use. Data analytics provides valuable insights into people’s online behavior and interests, thereby allowing organizations to use highly targeted marketing methods to reach their customers/members. This ability to process so much data is driving many organizations toward marketing automation.
Another widely used practice for sales and marketing teams is purchasing email lists. If your organization still uses this approach to build prospecting lists, you should be aware that, under GDPR, you are responsible for obtaining proper consent, even if you did not collect the original data.
I also see situations where organizations conduct member referral programs, sometimes called member-get-a-member, where a member enters someone else’s personal data into your system without their consent so you can market membership to them. This practice will need to be revised or discontinued.
Of course, marketing and sales are not the only departments collecting and using data. Many organizations with customer call centers record customer chats, phone calls, etc., which likely contain personal data. Members will have to give their consent before you can record and store any such information. Even then, data privacy forces you to think through how the recordings or chat logs are stored, for how long, and who has access to them.
You have all kinds of data—and you’re storing it everywhere.
GDPR raises questions about how organizations collect data and what kinds of data they collect. Does your organization really need to know every piece of contact information a member might have, and every demographic piece of data, just to attend an event? Where will this data be recorded and how will it be used? In light of GDPR, associations and nonprofits need to address these questions thoughtfully.
You have data everywhere. If you use Excel to analyze customer data or compile customer lists for processing, those files probably contain personal data. Do you have any idea how many such files exist in your organization? Frequently, they sit on someone’s laptop and you don’t even know they’re there—raising serious questions about whether these files and the information they contain are properly protected. While these practices may not be part of official GDPR compliance audits, I strongly recommend including them in your data audits.
Associations and nonprofits must put privacy first.
What’s the best thing your organization can do to ensure data privacy? Develop a policy of “privacy by design.” Privacy must become an integral part of your business. Establish data protection safeguards in products and services from the very start, not as an afterthought, and strengthen contract language around data privacy.
Start by mapping your data and determining areas of risk. Thoroughly review all your vendor contracts and add language to new contracts to ensure you have the contractual rights to insist on data privacy and breach notification policies.
There’s a silver lining to GDPR.
Compliance with GDPR should lead most organizations toward better data quality. GDPR presents you with a golden opportunity to better locate and understand your data, learn what your members/customers want from you, and provide a refined personal experience, rather than the traditional one-size-fits-all approach.
The principles behind GDPR are really quite simple:
- Don’t contact someone unless they specifically ask to be contacted.
- Don’t assume they want to hear from you.
- Don’t cold contact them.
- Don’t send them information they didn’t request.
Associations, nonprofits, and other 501(c) organizations that adhere to these principles are on the right path toward GDPR compliance. You will build trust and loyalty with your members if you value their right to data privacy, are transparent about how you use the data you collect, and are focused on data privacy by design as you build or buy systems to manage data.