  3. Note that we are not lawyers. The content of this webinar reflects our understanding of the laws and should be used for informational purposes only – not for legal advice. This webinar should not be your only source of information. We are only providing an overview of the laws and what you will need to do. We share a list of resources at the end that you can use to get educated on the details and nuances of the GDPR laws.

  4. The laws apply to organizations in ANY country that communicate with citizens of the European Union.

  5. The General Data Protection Regulation (GDPR) is a set of laws designed to make sure people have control over their personal information and what it is being used for. The laws cover how people are informed of how their data is used, how they consent to its use (or limit its use), the right to “be forgotten”, the right to export their data and the right to seek damages if they suffer from misuse or a breach of their data. It means that organizations need to receive explicit permission to store personal data, store it responsibly and be transparent about how they are storing it.

  11. The first step is to get organized internally and be clear on who needs to be involved. For a small organization, this may be just one or two people. Larger organizations will have more staff who play a role in communicating with constituents. Regardless of your size, someone internally should have formal ownership over data. In larger organizations, this may be a Data Officer. In a smaller organization, responsibility for data security may be given to an existing staff member. Once the team is educated about GDPR, have a preliminary discussion about your organization’s tolerance for risk: how big an issue you think GDPR is for your org, and how quickly and seriously senior management wants to move. Keep in mind that the deadline for compliance is May 25th, so there’s not much time. You will have to weigh the risk that you are reported or audited. If EU constituents are not mission-critical for you, you may decide to suspend communicating with them until you can get your compliance in order. Don’t forget that getting consent after May 25th will be tricky, because you won’t have consent to email them (to ask for consent).

  12. The next step is to get your arms around where all your constituent data is, who has access to it, who you’re sharing it with, etc. This is the data governance step: inventorying and qualifying what you already possess and how it’s used. Answer the who, what, where, when, why and how questions about the data you hold on your constituents – whether it is data they have provided to you or data you have otherwise collected on them. It is critical to review this across different departments and data uses. It applies to things like list sharing or swapping; raw data files saved on network, local or USB storage drives; prospecting or mailing co-op lists/vendors; your eCRM/database of record; and your website analytics tracking. Which individuals and companies have the access or the capability to match any of the personal data back to other systems?

  13. The next step is to create a plan for how you’ll fix the areas that are not in compliance – and we’ll cover a few specifics on this in a moment. But for some organizations, it’s worth doing a reality check. How many EU constituents do you have, and are you really getting value out of them? You may feel it’s not worth the cost of making changes. In that case, your plan is pretty simple: just remove those EU constituents from your databases (not the transaction data, but the personal data).

  14. The next step is to move ahead with your plan and make the changes to your systems.
      • Evaluate how you’d like to collect consent for specific types of data usage.
      • Are there changes that need to be made to internal data sharing policies, or to where files are saved on the network drives?
      • Work with your legal team(s) to review and possibly update your privacy policy or terms so they correctly reflect all your current business activities (list swaps, sharing or data collection), and identify your analytics platform(s) and marketing techniques (like AdWords, Rocketfuel, etc.).
      • What changes to code or your website structure need to be made so that the appropriate data is either scrubbed/filtered from your analytics or removed completely?
      • Define processes for how a constituent can request their own personal information.
      • Review and update your contracts with vendors, agencies, etc. to ensure that their practices are in line with GDPR.

  17. This example from the National Trust does a nice job of brand building (“Your support is precious to us…”), is transparent, and requires an active response.

  18. This example from Oxfam.org.uk is granular (separate checkboxes for email and phone), transparent about what they will do with your information, clear on how to change your information later, and requires an active response.

  19. This membership form from the National Trust is a good example of granularity (email, post and phone are separate checkboxes) and brand building (“Your privacy is important to us”). They also include instructions on how to access their “Marketing Preferences Center” to change your options later on, and a link to their Privacy Policy, where they are transparent about how they are using your data.

  20. No more asking for extra information (e.g. on surveys or registration forms) just because we’re trying to learn more about our constituents. If that data is not relevant to the situation, you cannot ask for it.

  21. The Information Commissioner’s Office is an independent authority in the UK: https://ico.org.uk

  22. Sending personal data into GA is not only a no-no under GDPR, it’s also a violation of GA's Terms of Use. “Any customer data sent ‘in the clear’ to GA is a clear break of their terms, and can result in Google deleting all your analytics for that period." Most US zip codes couldn't be traced back to a single residence/person. However, some international post codes could. Our blog post covers some ways to do this: www.beaconfire-red.com/epic-stuff/gdpr-cookies-milk.
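As an added example (not from the webinar or the blog post above), the JavaScript below strips e-mail addresses and personal-data query parameters from a page URL before the path is handed to an analytics tag such as GA; the parameter names, the REDACTED placeholder and the sample URLs are assumptions constructed for this illustration.

```javascript
// Added example, not from the webinar: scrub personal data out of a page URL before
// it is reported to an analytics tool. Parameter names and sample URLs are constructed.
const EMAIL_SRC = '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}';
const EMAIL_ONCE = new RegExp(EMAIL_SRC);       // stateless test (no 'g' flag)
const EMAIL_ALL = new RegExp(EMAIL_SRC, 'g');   // global replacement

// Query parameters assumed to carry personal data on this site's forms (assumption).
const PII_PARAMS = new Set(['email', 'name', 'first_name', 'last_name', 'phone', 'postcode']);
const REDACTED = 'REDACTED';

function scrubUrl(rawUrl) {
  const url = new URL(rawUrl);
  // 1. Redact known personal-data parameters, and any value that looks like an e-mail
  //    address regardless of the parameter name (e.g. a search box someone typed into).
  for (const key of [...url.searchParams.keys()]) {
    const value = url.searchParams.get(key) || '';
    if (PII_PARAMS.has(key.toLowerCase()) || EMAIL_ONCE.test(value)) {
      url.searchParams.set(key, REDACTED);
    }
  }
  // 2. Redact e-mail addresses embedded in the path itself (e.g. unsubscribe links).
  let path = url.pathname;
  try { path = decodeURIComponent(path); } catch (e) { /* keep malformed encoding as-is */ }
  url.pathname = path.replace(EMAIL_ALL, REDACTED);
  // 3. Never report the fragment: it often carries tokens or form state.
  url.hash = '';
  // Only path and query are returned; pass this to the analytics tag instead of location.href.
  return url.pathname + url.search;
}

// Constructed sample URLs.
const SAMPLE_URLS = [
  'https://www.example.org/donate/thanks?email=jane%40example.org&amount=25',
  'https://www.example.org/unsubscribe/jane@example.org#t=abc',
  'https://www.example.org/search?q=jane%40example.org&page=2',
  'https://www.example.org/events?ref=newsletter',
];
for (const u of SAMPLE_URLS) console.log(u, '->', scrubUrl(u));
```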

  23. 1. If there is potential for someone to use that cookie data to identify an individual (e.g. by linking it with other data) and single them out, e.g. a persistent cookie unique to the device.
      2. Silence, pre-ticked boxes or inactivity should NOT therefore constitute consent.
      3. Even after getting valid consent, there must be a way for people to change their mind. GDPR says that withdrawing consent must be as easy as giving it.

  28. Provide a way for people to:
      • access their personal data and details
      • submit requests for changing that data
      Protect the data under the GDPR’s rules:
      • ensure a level of security appropriate to the risk
      • when appropriate, pseudonymize and/or encrypt the data
      • be able to restore availability and access in a timely manner in the event of a physical or technical incident
      • establish a process for regularly testing and evaluating the effectiveness of those measures
      You may need to appoint a Data Protection Officer:
      • This will be the case for all public authorities and bodies that process personal data, and for other organisations that, as a core activity, monitor individuals systematically and on a large scale, or that process special categories of personal data on a large scale.

  29. One thing to note about this data removal is that it’s not EVERYTHING. For some sites, like e-commerce applications, retaining personal data may be required for reporting and auditing. This means that some sites may need to scrub their data when a user makes a request; however, critical information may be retained to comply with financial regulations and laws.

  30. 1. It’s a fabulous branding opportunity: showing your constituents some love.
      2. You’ll be ahead of the game as the US moves in this direction.
