The Impact of GDPR on Nonprofit Websites

You may be wondering, “What exactly is a GDPR?” That’s a good question. GDPR stands for General Data Protection Regulation and explaining it is a bit tricky. But worry not, as we’re here to help you understand.

In May of 2018, the GDPR required organizations that had business ties to the European Union to begin using the GDPR regulations. If the parties did not comply, they would face severe fines. However, the new data privacy rules can be difficult to untangle, even for experts in the field.

In a nutshell, the new regulations are aimed at building trust by improving data security. With GDPR compliance, people can be sure they are in control of their personal information. GDPR is part of a global shift towards protecting individuals’ personal data.

Danny Palmer, writing for ZDNet, noted that “these days, just about every aspect of individuals’ lives is centered on data. Most every service we use collects and analyzes our personal information. That includes your names, addresses, social security numbers, credit card numbers and much more.”

Any online business operating in the EU must abide by GDPR rules, as will any organization outside of EU that offers goods or services to EU customers or companies. As we’re living in a global economy, now is the time to start thinking about your GDPR compliance plan, if you haven’t already.

GDPR for Nonprofits and Mission-Based Organizations

As many of our nonprofit and mission-based clients have global operations, GDPR compliance is vital. Fortunately, it’s not rocket science and the basic requirements are not difficult to understand:

• Attain user data honestly, clearly, and not from a third-party
• Ask only for data they actually need
• Use gathered information for the purpose it was given
• Keep user information as updated and accurate as possible for the duration they need it
• Transfer and keep user data in a secure manner

If any organization collects data of EU residents, it is subject to GDPR, thus it’s important to understand the definition of personal information.

In the US, we call it “personally identifiable information” (PII) and it includes information such as social security number, mother’s maiden name, biometric record, name, and date of birth. The GDPR broadens the definition to “any information relating to an identified or identifiable natural person.” According to Tal Frankfort of Forbes Magazine, it’s imperative that organizations comprehend the following tips:

• Understand that the information may come from volunteers, donors, constituents, vendors, or supporters of your cause.
• Teach that data does not have to be related to financial transactions.
• Train everyone in your organization regarding GDPR regulations. That will include your IT department, those responsible for data protection, fundraising, and marketing departments.
• Change your website privacy policy to ensure it includes explanations of the data you collect, how it is used, how it can be removed.
• Use a customer relationship management (CRM) application to keep your lists organized and keep track of individuals who have revoked consent.
• Separate consent requests from other terms and conditions.
• Where EU residents are concerned, do not preselect the opt-in box on a form and consider it to be consent. It must be active and freely given.
• Keep track of what was told to the individual at the time of consent and record any approval that is revoked.
• Confirm opt-in statuses to ensure that individuals want to be on your list.
• Keep EU residents’ personal data just for as long as it is needed and only for the purpose for which it was collected.
• Stay alert to all changing legislation and create a process to continuously evaluate your compliance efforts.
• Review contact lists often.
• Avoid purchased lists.

GDPR and WordPress

WordPress is the most popular CMS by a wide margin and is often used to power nonprofit websites. As such, it’s imperative that WordPress sites achieve GDPR compliance. WordPress is currently focused on the following:

• Adding functionality to help writers create comprehensive privacy policies for their domains.
• Teaching site owners how plugins are necessary for GDPR readiness.
• Developing administration tools to produce compliance and support user privacy in general.
• Offering documentation to teach owners about privacy, the main compliance areas for GDPR, and how to use new privacy tools.

Is it too late?

The sooner organizations begin working toward compliance, the better. The deadline for complying has already passed, so catch up now, and your business will be better prepared for the future. The good news? As a result of becoming GDPR compliant, you will increase trust amongst your users.

Even though WordPress has privacy policies in place, the GDPR puts more restrictive guidelines and constraints in their regulations. What has WordPress put together already?

• A new postbox added to the Edit Page screen. Plugins will be collected there along with added privacy information.
• A new policy which confirms user requests by email address.
• A new Privacy page added under the Tools menu. New, confirmed requests from users and fulfilled requests will display there also.
• A new section on privacy was added to the Plugin Handbook.

Ready to tackle GDPR compliance?
Contact Push10 and let us help you become compliant with this relatively new, yet extremely important regulation.