If you work for a US not-for-profit and you’ve never heard of GDPR, the EU’s new data protection regulation that applies from 25 May 2018, you’re not alone.
While EU organisations have been gearing up for the new regulations for months, it’s not widely understood that GDPR actually affects companies and not-for-profits in the US too.
That’s because GDPR reaches organisations outside the EU that offer goods or services to people in the EU, or monitor their behaviour, whether or not those people are EU citizens, and even if you have no physical presence in the EU. This might sound far-fetched, but falling foul of the regulation means you could face a hefty fine, and in any case GDPR encodes some best practices that might benefit your organisation. So here’s a quick introduction to what the regulation means for you and what actions you need to take if you want to keep contacting your EU supporters (or what to do if you decide it’s not worth it).
Before you start: we’re not lawyers or experts on GDPR, so you shouldn’t treat this as proper legal advice. The following is taken from our practitioners’ understanding of the regulations and our work helping UK and US-based organisations prepare for it over the last year or so. There is a huge amount of in depth information out there to read, and we’ve included a link at the bottom of this article so you can go into more detail. But if you think your organisation might be subject to GDPR, the first thing you should do is get proper legal advice.
Is my organisation subject to GDPR?
In short, if you offer your services to, or collect data from, people in Europe, the answer is probably yes. On a practical level, any of the following is a sign you’re subject to GDPR:
- You have people in the EU on your email list or in your supporter database
- You have signup forms that allow users to specify they’re from another country or enter a non-US address
- You have donation forms that allow people to donate from another country or in a European currency
If you meet any of these criteria and decide it’s valuable enough to you to be able to keep in contact with your EU supporters longer term (more on that in a bit), here’s what you need to be doing over the coming few months:
1. Make sure your opt in format is GDPR compliant
GDPR says consent to use a person’s data in any way (including contacting them) must be “freely given, specific, informed, and unambiguous”, and given by a clear affirmative action. In practice, that means users need to actively opt in to receive communications from you (e.g. by ticking a checkbox or selecting a radio button), so no more pre-ticked boxes, silence-as-consent, or “By signing this you consent to email” disclaimers.
You also need to get explicit consent for all the different ways you’re going to use the individual’s data. In the past, for example, organisations may have just asked prospective supporters “Are you happy for us to keep in touch?”, and taken that as consent to contact them through as many channels as the organisation wanted — e.g. email, SMS, telephone, Facebook ads etc. Under GDPR, you need to allow users to individually consent to each use of their data — i.e. separate checkboxes for email, SMS etc., as in the example below:
In practice, there are two big considerations for US organisations here:
- You need different opt-in formats for US and EU supporters. Most likely, you don’t want to reduce opt-in rates on your forms for US supporters by forcing them through GDPR-compliant opt-ins. That means rebuilding your forms so that you show US and EU visitors different opt-in asks. Geolocating by IP address is the usual way to choose, but treat it as a first guess only: VPNs, corporate proxies and travellers will be misclassified, so it is safer to also ask for a country or postal address and apply the stricter format whenever either signal points to the EU.
- You need to optimise your EU opt-in formats. The most commonly used opt in format — an unticked checkbox — has routinely delivered awful results when we’ve tested it, with opt in rates typically only 10–15%. Simple Yes/No radio buttons tend to deliver 30–40% opt in and so should be your default starting point, but it will take time and systematic testing to work out which format and language deliver the best results for your organisation (If you want to discuss any pointers on where to start on this, get in touch here.)
2. Re-opt in your EU supporters as soon as possible
This is an important one. From 25 May, you will only be able to contact EU supporters whose consent meets the GDPR standard. Consent you collected earlier still counts, but only if it was collected in a way that would be compliant today. In practice, that means you need to contact your EU supporters to re-opt them in before 25 May. One caution: a re-opt-in email is itself marketing, so only send it to people you can lawfully email now; the UK ICO has already fined companies under the existing PECR rules for emailing people who had previously opted out in order to ask for their consent. Once 25 May comes round, you will have to unsubscribe anyone who hasn’t given you renewed consent to contact them (and potentially delete their data too; that’s one to ask your lawyers). It’s likely a big chunk of your EU supporters won’t re-opt in and will need to be unsubscribed (EU organisations are expecting to lose 30–70% of their lists overnight because of GDPR).
3. Talk to your CRM provider about how your data is being stored
GDPR sets new requirements for how data should be stored. A lot of this will require action from your CRM provider, so the first thing to do is check what their plans for GDPR are. Here are the key considerations:
- You need to store a record of consent for each constituent. GDPR puts the burden on you to demonstrate that consent was given, so just being in your CRM isn’t enough: you need fields recording when consent was given, through which form or wording, and for which uses of the individual’s data, and the same record needs to capture when it was withdrawn.
- Consent no longer lasts forever. GDPR does not put a fixed expiry date on consent, but it does expect consent to stay specific and informed, and the ICO’s guidance is that consent degrades over time and should be refreshed. There is no set time frame; it is up to each organisation to set this on the basis of what is ‘appropriate’ (the ICO recommends refreshing consent every two years as a rule of thumb). In practice, this means your CRM needs to be able to a) notify you when an individual’s consent is nearing expiration, b) allow you to send them a (preferably automated) series of communications to renew consent, and c) unsubscribe them, or delete their data, automatically if they don’t re-opt in.
- Individuals have the right to ask you to delete their data, not just to unsubscribe them. So, again, your CRM needs functionality that lets you delete a supporter’s data permanently. The right is not absolute, though: records you are legally required to keep, such as the financial record of a donation, can be retained, so agree with your lawyers what ‘delete’ means for each kind of record and make sure the marketing data goes.
- Supporters need to be able to withdraw specific, granular pieces of consent at any time, and withdrawing must be as easy as giving it (e.g. so I can say “I still want emails but you can’t target me with Facebook ads anymore”). The easiest way to do this is a preference form that updates consent settings, but don’t let an unauthenticated form keyed only on email address or phone number change someone’s settings: anyone who knows the address could alter them. Send each supporter a link carrying a signed, expiring token instead, or require them to confirm the change from the address concerned, and check your CRM can record the withdrawal against the original consent record.
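To make the CRM requirements in this list concrete, here is a small consent ledger in Python. It is an added example written for this article, not code from the original post or from any CRM vendor: it keeps one timestamped record per constituent per channel (with the form version they saw), treats withdrawal as granular, flags consents that are about to lapse, supports erasure, and mints an HMAC-signed, expiring token for the preference-centre link so that a bare email address is never enough to change someone’s settings. The two-year window is the ICO figure quoted above; the channel names, the 30-day warning period, the 14-day token lifetime, the HMAC scheme and all the sample data are assumptions for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

CHANNELS = ("email", "sms", "phone", "social_ads")  # assumed channel names
CONSENT_MAX_AGE = timedelta(days=730)   # the two-year refresh cycle the article attributes to the ICO
RENEWAL_WARNING = timedelta(days=30)    # assumed lead time for the renewal series


def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


@dataclass
class ConsentRecord:
    channel: str
    granted_at: datetime
    source: str                         # form id / wording version the person actually saw
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    """Per-constituent, per-channel consent with timestamps, expiry and erasure."""

    def __init__(self):
        self._people: Dict[str, List[ConsentRecord]] = {}

    def grant(self, email, channel, source, when):
        self._people.setdefault(email, []).append(ConsentRecord(channel, when, source))

    def withdraw(self, email, channel, when):
        # Granular withdrawal: only the named channel is switched off; the record is kept as evidence.
        for rec in self._people.get(email, []):
            if rec.channel == channel and rec.withdrawn_at is None:
                rec.withdrawn_at = when

    def _latest(self, email, channel):
        recs = [r for r in self._people.get(email, []) if r.channel == channel]
        return max(recs, key=lambda r: r.granted_at) if recs else None

    def may_contact(self, email, channel, now):
        rec = self._latest(email, channel)
        if rec is None or rec.withdrawn_at is not None:
            return False
        return now - rec.granted_at < CONSENT_MAX_AGE

    def expiring(self, now):
        """Constituents with a live consent that lapses within RENEWAL_WARNING of now."""
        due = set()
        for email in self._people:
            for ch in CHANNELS:
                rec = self._latest(email, ch)
                if rec is not None and rec.withdrawn_at is None:
                    expires = rec.granted_at + CONSENT_MAX_AGE
                    if now <= expires <= now + RENEWAL_WARNING:
                        due.add(email)
        return sorted(due)

    def erase(self, email):
        """Right to erasure: drop every record held for this person."""
        return self._people.pop(email, None) is not None


def _mac(secret, email, ts):
    return hmac.new(secret, f"{email.lower()}|{ts}".encode(), hashlib.sha256).hexdigest()


def preference_token(secret, email, issued_at):
    """Token for the preference-centre link emailed to this person (hypothetical scheme)."""
    ts = str(int(issued_at.timestamp()))
    return f"{ts}.{_mac(secret, email, ts)}"


def verify_preference_token(secret, email, token, now, max_age=timedelta(days=14)):
    # Accept only a token minted for exactly this address within the last max_age.
    try:
        ts, mac = token.split(".", 1)
        issued = datetime.fromtimestamp(int(ts), tz=timezone.utc)
    except (ValueError, OverflowError, OSError):
        return False
    if not (now - max_age <= issued <= now):
        return False
    return hmac.compare_digest(_mac(secret, email, ts), mac)


def demo():
    """Constructed walk-through of one supporter's lifecycle; all data is made up."""
    ledger = ConsentLedger()
    ledger.grant("ana@example.org", "email", "signup-v3", utc(2018, 1, 1))
    ledger.grant("ana@example.org", "sms", "signup-v3", utc(2018, 1, 1))
    ledger.withdraw("ana@example.org", "sms", utc(2018, 6, 1))
    secret = b"assumed-server-side-secret"
    token = preference_token(secret, "ana@example.org", utc(2018, 5, 1))
    return {
        "email_ok": ledger.may_contact("ana@example.org", "email", utc(2018, 6, 2)),
        "sms_after_withdrawal": ledger.may_contact("ana@example.org", "sms", utc(2018, 6, 2)),
        "due_for_renewal": ledger.expiring(utc(2019, 12, 10)),
        "email_after_two_years": ledger.may_contact("ana@example.org", "email", utc(2020, 1, 2)),
        "token_valid": verify_preference_token(secret, "ana@example.org", token, utc(2018, 5, 5)),
        "token_stale": verify_preference_token(secret, "ana@example.org", token, utc(2018, 6, 1)),
        "token_other_person": verify_preference_token(secret, "bob@example.org", token, utc(2018, 5, 5)),
        "erased": ledger.erase("ana@example.org"),
    }
```

Two design points worth noting. Withdrawal marks the existing record rather than deleting it, because the record of who consented to what, when and on which form is exactly the evidence you need to demonstrate compliance; erasure is the separate operation that removes everything. And the preference link binds the token to both the address and an issue time, so a guessed or forwarded link cannot be used to flip someone else’s settings or to reuse an old link indefinitely.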
4. Update your development processes
This article provides an excellent and in-depth guide to how GDPR affects web development. If your organisation does any web development itself (or works with agencies to do so), I’d suggest reading it. Here are bullet-point summaries of the two main considerations (it’s also worth reading about ‘Privacy by design’, which GDPR formalises as data protection by design and by default: a way of planning and executing development projects that will help you avoid falling foul of GDPR):
- You need to do Privacy Impact Assessments (PIAs), which GDPR formalises as Data Protection Impact Assessments (DPIAs). GDPR makes them mandatory where processing is likely to pose a high risk to individuals; running a lighter-weight one for every development project is good practice regardless. These are documents where you “discuss, audit, inventory, and mitigate the privacy risks inherent in the data you collect and process.”
- Developers must be trained in understanding GDPR. This should also be extended to anyone who works with supporter data, such as email campaigners.
5. Ask yourself: Is it worth it?
There’s a lot of good in GDPR. At a time when the need to robustly protect personal data is becoming ever more urgent, GDPR strengthens and modernises decades-old data protection legislation. However, there’s no avoiding the fact that it adds costs and administrative burdens to your digital programme, as the list above demonstrates.
It’s likely that, for most US organisations, these costs will outweigh the benefits of being able to recruit and contact EU supporters. In most cases, US organisations will only have a small number of Europeans on their lists who are, in results terms, worth only a small amount to the organisation.
If you think this might apply to you, here’s what you should do:
- Start with a mini data audit, working out exactly how much EU supporters are worth to your online fundraising and mobilisation programmes. Balance this against the cost (and hassle) of implementing GDPR-compliant technology and processes.
- If you decide the cost of GDPR compliance outweighs the benefits, delete all the marketing data you hold on EU supporters before 25 May (keeping only what you are legally required to retain, such as financial records of past donations, and checking that position with your lawyers).
- Finally, set up forms that make it clear you only intend US residents to sign up. In practice, the easiest way to do this is to require users to specify a US zip code. Whether you are ‘targeting’ people in the EU is judged on signals such as offering a European language or currency or mentioning EU supporters, so avoid those too (Forbes has some helpful clarification on what counts as not ‘targeting’ EU residents).
The UK Information Commissioner’s Office guide to GDPR is the most comprehensive set of advice being used by UK businesses and not-for-profits. All their GDPR resources are here — we’d recommend this FAQ as a good place to start.