What is GDPR?
The General Data Protection Regulation (GDPR) is an EU data-protection law that takes effect on May 25, 2018. It replaces the patchwork of national rules built on the 1995 Data Protection Directive with a single regulation that applies across the EU, protects the personal data of people in the EU, and gives them greater control over how their data is collected and used.
How Does This Policy Affect You?
The regulation is mainly aimed at businesses that collect personal information from people living in the EU, but it applies to any organization, wherever it is based, that offers goods or services to people in the EU or monitors their behavior there. Its scope is territorial rather than based on nationality: someone physically in the EU is covered regardless of citizenship. Fines are not reserved for large companies. Any business or organization that “processes” personal data is responsible for being GDPR compliant, and the maximum penalties (up to €20 million or 4% of worldwide annual turnover, whichever is higher) apply regardless of size. The often-cited 250-employee threshold only narrows the separate obligation to keep written records of processing activities, and even that exemption falls away when processing is more than occasional or involves sensitive data. Given that your organization may have EU residents on its email list, may acquire one as a subscriber in the future, or may have someone in the EU visit your site, it is important to make sure your digital presence is compliant with the new regulations. Additionally, the United States may enact similar laws in the future, so now is a good time to be proactive about this measure.
What Data Does the GDPR protect?
The GDPR protects “personal data”: any information relating to an identified or identifiable person, not only data that identifies someone on its own. Examples include:
- Email addresses
- IP addresses
- Physical device information such as a computer’s MAC address
- Individuals’ home addresses
- Dates of birth
- Online financial information
- Online transaction histories
- Medical records (a “special category” of data under Article 9, subject to stricter conditions than ordinary personal data)
- User-generated data such as social media posts (including individual tweets and Facebook updates)
What Steps Should You Take
Where you rely on consent as your legal basis for processing (as you do for marketing email), the GDPR requires that consent be freely given, specific, informed and unambiguous: people in the EU must be offered a clear, easy-to-understand opt-in that states how their data will be stored, analyzed and used. To be compliant, we suggest the following steps:
1.) Update Your Privacy Policy
We recommend adding language to your privacy policy that explicitly states how you use users’ data. Below is sample language for your internal team to review. Once approved, we recommend updating your website’s privacy policy accordingly.
Privacy Policy
Our Services may also use cookies and pixels. Cookies are small text files that are stored on a user’s computer and allow websites to remember information about users, such as their geo-location. Pixels record whether users have completed certain actions on the site. We use technologies, such as cookies and pixels, to customise content and advertising, to provide social media features and to analyse traffic to the site. We also share information about your use of our site and your email address with our trusted social media, advertising and analytics partners.
If you would prefer that we not collect information that may be used to help determine which advertisements to serve you, you can opt out or change your behavioral advertising cookie preferences by visiting the opt-out page for the Digital Advertising Alliance (U.S. residents and those not in the EU or Canada), the European Interactive Digital Advertising Alliance (EU residents), or the Digital Advertising Alliance of Canada (Canadian residents).
2.) Communicate your new privacy policy via email
After your policy is updated, we suggest sending an email to your entire email list to notify them of the changes. We recommend this be its own email message, rather than a part of an upcoming newsletter.
Note: Some tools, such as Mailchimp, have created GDPR consent campaigns that allow you to ask contacts to opt in to your new marketing permissions. While we recommend moving forward with a simple privacy policy email, you may choose to send a consent campaign to all email contacts asking them to update their information and opt in again. Keep in mind that a notification email is only sufficient for contacts whose existing consent already meets the GDPR standard; contacts acquired without valid consent need the re-consent process described in step 3 regardless.
Sample Email Message:
We have updated our Privacy Policy to make it easier for you to understand what information we collect and why we collect it. The main changes bring these policies in line with the EU’s new General Data Protection Regulation, which aims to keep your data safe. Although we’re taking these steps to update our privacy policy, it’s important to note that nothing is changing about your current settings or how your information is processed. Rather, we’ve made our practices easier to understand to promote transparency around data collection.
We encourage you to read our updated Privacy Policy (LINK HERE). Other than that, there’s nothing you need to do right now.
3.) Update your website’s opt-in forms if needed
Under the new regulations, consent must be an affirmative act that is specific to each purpose. For instance, if a user is completing a donation form or signing a petition, they cannot be signed up for your newsletter by default. The form or petition in question must have a separate checkbox that users actively tick (the box cannot be pre-ticked; Recital 32 states that silence, inactivity and pre-ticked boxes do not constitute consent), signaling that they have agreed to be added to your email list.
In addition, every email capture form must present or link to your website’s Privacy Policy at the point of collection so that the consent is informed. A separate checkbox acknowledging the Privacy Policy is common practice, but it is distinct from the newsletter opt-in and must not be bundled with it: ticking one must never count as ticking the other.
If your website and forms do not already comply with the above requirements, then you must update your website.
In addition, if you have acquired email addresses in a way that was not GDPR-friendly (example: a purchased email list), you’ll need to obtain consent from those contacts before you continue to mail them. To do so, send an email to anyone on your list whose consent does not meet this standard with a link to update their settings, and remove anyone who does not respond. Keep a record of when, where and how each contact consented, including the wording they saw, because the GDPR requires you to be able to demonstrate that consent was given.
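The following is an added example, not code from the original page or from any of the tools it mentions, showing how a server-side form handler can enforce the opt-in rules in step 3: the newsletter checkbox ships unticked and unbundled from the donation, only an explicit affirmative value is treated as consent, each consent is recorded with enough context to demonstrate it later, and contacts without a consent record (such as a purchased list) are flagged for re-consent. The field names (`email`, `consent_newsletter`), the policy version string and the sample submissions are assumptions chosen for illustration.

```javascript
// Added example (not from the original page): server-side handling of a
// donation or petition form that also offers a newsletter opt-in.
// Field names, PRIVACY_POLICY_VERSION and the sample data are assumptions.

const PRIVACY_POLICY_VERSION = "2018-05-25"; // assumed: id of the policy text shown to the user

// Marketing purposes that get their own, unbundled opt-in. Completing the
// donation or petition never implies consent to any of these.
const CONSENT_PURPOSES = ["newsletter"];

// Render the opt-in control. The box ships unticked (no `checked` attribute)
// and the label names the purpose, so the consent is specific and informed.
function renderConsentCheckbox(purpose, labelText) {
  return (
    `<label><input type="checkbox" name="consent_${purpose}" value="on"> ` +
    `${labelText}</label>`
  );
}

// Browsers omit unticked checkboxes from the submission entirely, so consent
// is only ever inferred from an explicit affirmative value. A missing field,
// an empty string, "off" or anything else means NOT consenting. The server
// cannot distinguish a genuinely ticked box from a pre-ticked or tampered
// one, which is why the template must ship unticked and why the wording and
// time are recorded alongside the tick.
function checkboxTicked(value) {
  const v = value == null ? "" : String(value).trim().toLowerCase();
  return v === "on" || v === "true" || v === "1" || v === "yes";
}

// Validate a submission and build one consent record per purpose the user
// affirmatively ticked. `meta` carries request context the handler knows:
// form id, receipt time, client IP and the exact consent wording displayed.
function processSubmission(body, meta) {
  const email = String(body.email == null ? "" : body.email).trim().toLowerCase();
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
    return { ok: false, error: "invalid email address" };
  }
  // The primary action (donation / petition) proceeds whether or not the
  // marketing box was ticked; the two are independent.
  const result = { ok: true, email, action: meta.formId, consentRecords: [] };
  for (const purpose of CONSENT_PURPOSES) {
    if (checkboxTicked(body["consent_" + purpose])) {
      result.consentRecords.push({
        email,
        purpose,
        givenAt: meta.receivedAt,               // when consent was given
        formId: meta.formId,                    // where it was given
        policyVersion: PRIVACY_POLICY_VERSION,  // which privacy notice applied
        consentText: meta.consentText[purpose], // the wording the user saw
        sourceIp: meta.ip,                      // request origin; drop if not needed
      });
    }
  }
  return result;
}

// Contacts with no consent record for a purpose (for example, addresses from
// a purchased list) must not be mailed for that purpose until they re-consent.
function contactsNeedingReconsent(contactEmails, consentRecords, purpose) {
  const consented = new Set(
    consentRecords.filter((r) => r.purpose === purpose).map((r) => r.email)
  );
  return contactEmails
    .map((e) => e.trim().toLowerCase())
    .filter((e) => !consented.has(e));
}

// Constructed sample submissions (not real data).
const META = {
  formId: "donation-form",
  receivedAt: "2018-05-20T10:00:00Z",
  ip: "203.0.113.7",
  consentText: { newsletter: "Yes, email me the monthly newsletter." },
};
const ticked = processSubmission(
  { email: "Ann@Example.org", amount: "25", consent_newsletter: "on" }, META);
const unticked = processSubmission({ email: "bob@example.org", amount: "10" }, META);
const legacyList = ["ann@example.org", "bob@example.org", "carol@example.org"];
const reconsent = contactsNeedingReconsent(legacyList, ticked.consentRecords, "newsletter");

console.log(ticked.consentRecords.length, unticked.consentRecords.length, reconsent);
```

The consent record deliberately stores the policy version and the exact checkbox wording rather than a bare boolean: if a contact later disputes a mailing, the organisation needs to show what the person agreed to and when, not just that a flag was set.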
Additional Resources
If you’d like to learn more about GDPR and see examples of how other companies are incorporating these changes, we suggest reviewing these resources:
- Mashable: Google updates its privacy policy to comply with GDPR and the changes are actually helpful
- Mailchimp: About the General Data Protection Regulation
- Mailchimp: Mailchimp’s new privacy policy
- Sample Cookie/Privacy Policy: Cookie Policy
- Saper Law: GDPR Summary