Many of our nonprofit clients at Morweb have asked us about GDPR compliance and how it affects their organization’s website. GDPR on the surface may seem a bit daunting and it is hard to know exactly where to start. We wanted to clear up a few facts by explaining how GDPR applies to nonprofits and associations operating in Canada and the United States. Simply follow these three steps to make your nonprofit website GDPR compliant.
The General Data Protection Regulation, or GDPR, is the result of data protection reform intended to make the European Union ‘fit for the digital age’. Effective May 25, 2018, the GDPR replaced the Data Protection Directive of 1995. The GDPR aims to give European citizens more control over their personal data.
Organizations collect all sorts of personal data through their websites, whether it is in the form of names, addresses, photos, passwords, credit card information, or browsing data. Data breaches are inevitable; data gets lost, stolen, or shared without user consent. Your nonprofit organization needs to have measures in place to protect your valuable user data and notify users if there is a breach.
Under the GDPR, organizations are held accountable for ensuring that all personal data is gathered legally and kept private. The GDPR gives users more control over their data by reserving the following rights:
The GDPR applies to any organization that offers goods or services to EU consumers or businesses, or collects personal information from EU citizens.
It also applies to any user data that your organization collects, whether that is names, contact information, payment information, or browsing data gathered through cookies.
The GDPR outlines two types of entities that handle personal data: controllers and processors. A controller is an individual or company that determines the purpose and means by which personal data is processed. A processor is an individual or company that processes personal data on behalf of the controller. A nonprofit or association would fall under the category of “controller”, while a payment provider may fall under “processor”.
Data controllers and processors are held to a higher standard under the GDPR. Data controllers are now responsible for conducting a Data Privacy Impact Assessment (DPIA) and continuously improving methods of obtaining consent for collecting data.
If your nonprofit organization meets these criteria, you must comply with the GDPR or be subject to significant fines.
Implementing new measures for data protection within your nonprofit organization is only half the battle. Your website needs to reflect your organization’s commitment to data privacy. If you are a nonprofit or association concerned about GDPR compliance, we’ve outlined three steps to get your website up to speed.
Whenever you collect or use personal information from your users, you are required by law to provide a Privacy Policy. Privacy Policies are agreements in which you specify what personal data you collect from your users. The GDPR now requires you to disclose more information in your Privacy Policy. It also requires that you use language that is more accessible and easy to understand.
A Privacy Policy should include the following:
Many privacy policies are dense legal documents jam-packed with technical terms, which is exactly what the GDPR is trying to avoid. Your Privacy Policy should be concise, transparent, intelligible, easily accessible, and written in plain language. The GDPR has outlined 8 rights for individuals that must be addressed in your Privacy Policy.
In accordance with the GDPR, you are obligated to notify your website users of how their data is being used, protected, processed, and stored.
Your Privacy Notice should address the following:
There are several templates and examples available online that you can use to create your Privacy Policy and Notice. Once you have them in place, it is good practice to send an email to your contacts notifying them of the change. This will give them the opportunity to ask questions, or update their data or permissions in your database.
One of the most significant changes brought by the GDPR is opt-in consent. Users must actively choose to have their data collected on your website. If you have any forms on your nonprofit website, they will need to be updated so that every consent checkbox is left blank (unchecked) by default. Acceptance of terms and conditions must be kept separate from contact permission.
Here are a few examples of the wrong and the right way to set up your forms:
This is incorrect. Users must check the boxes themselves to opt in to your terms and to receiving communications from your organization. This form instead requires the user to opt out by unchecking pre-checked boxes.
This is incorrect. Contact permission must be listed separately from the acceptance of terms and conditions (no tricky bundling!).
This is correct. Terms and Conditions are separate from Contact Permission and the default setting is left blank, allowing users to opt-in by clicking the boxes. It is a good idea to link your Privacy Policy and Privacy Notice on any online forms.
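The three form setups above, turned into a small check you can run against a form's definition, together with a builder that records terms acceptance and contact permission as two separate facts. This is an added example, not code from the Morweb article; the spec shape, field names and policy version are assumptions made for this illustration.

```javascript
// HTML checkboxes post "on" when ticked and nothing at all when left blank.
function isChecked(value) {
  return value === true || value === "on";
}

// A form spec lists its checkboxes as { id, purposes, defaultChecked } where
// purposes is drawn from "terms" and "contact". Returns the problems found,
// so an empty array means the form matches the correct setup above.
function auditConsentForm(spec) {
  const issues = [];
  for (const box of spec) {
    if (box.defaultChecked) {
      issues.push(`${box.id}: pre-checked; the default must be blank so the user opts in`);
    }
    if (box.purposes.includes("terms") && box.purposes.includes("contact")) {
      issues.push(`${box.id}: bundles terms acceptance with contact permission`);
    }
  }
  return issues;
}

// Turns a submitted form into a consent record. Accepting the terms is required;
// contact permission is optional and is never inferred from the terms box.
function buildConsentRecord(submission, policyVersion, now = new Date()) {
  if (!isChecked(submission.terms)) {
    return { ok: false, error: "terms and conditions must be accepted" };
  }
  return {
    ok: true,
    email: submission.email,
    termsAccepted: true,
    contactConsent: isChecked(submission.contact),
    policyVersion, // which Privacy Policy text they agreed to (assumed label)
    consentedAt: now.toISOString(), // when, so the consent can be evidenced later
  };
}

// Constructed specs for the three cases above: pre-checked, bundled, correct.
const preCheckedForm = [
  { id: "terms", purposes: ["terms"], defaultChecked: true },
  { id: "contact", purposes: ["contact"], defaultChecked: true },
];
const bundledForm = [{ id: "agree", purposes: ["terms", "contact"], defaultChecked: false }];
const correctForm = [
  { id: "terms", purposes: ["terms"], defaultChecked: false },
  { id: "contact", purposes: ["contact"], defaultChecked: false },
];
```

Run `auditConsentForm` over each spec to see the pre-checked form report two issues, the bundled form one, and the correct form none.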
Many nonprofits use third-party payment systems for their online donation forms. However, their website often collects donor information before passing along the details to the payment provider. If your organization saves this donor information, you must explicitly state how you handle that data in your Privacy Policy. You should also put in place web processes to remove user data after a reasonable amount of time, for example, 60 days.
If your website uses cookies, you must notify your users BEFORE they navigate your website. The best way to notify your users of website cookies is through the use of a pop-up disclaimer. This pop-up banner appears as soon as a user arrives at your website, notifying them of your cookie policy and asking for their permission to track their data. This gives your visitors the option to remain anonymous and not have their user data tracked if they so choose. You should link to your Privacy Policy in your pop-up disclaimer to give your visitors more information about your user data policies and to better explain why your website uses cookies.
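A minimal consent gate of the kind described above, written as an added example rather than the article's or any plugin's code: tracking scripts are not loaded on first visit, the banner links to the Privacy Policy, and only an explicit "Accept" ever enables tracking. The storage key, policy URL and tracker URL are placeholders assumed for this illustration.

```javascript
const CONSENT_KEY = "cookie-consent"; // assumed localStorage key
const POLICY_URL = "/privacy-policy"; // assumed link target
const TRACKER_SRC = "https://analytics.example.invalid/tracker.js"; // placeholder

// Pure decision from the stored choice. Only an explicit "accepted" permits
// tracking; a missing or unknown value shows the banner and loads nothing.
function decideTracking(stored) {
  if (stored === "accepted") return { showBanner: false, loadTrackers: true };
  if (stored === "declined") return { showBanner: false, loadTrackers: false };
  return { showBanner: true, loadTrackers: false };
}

// Persists the visitor's choice and returns the resulting decision.
function recordChoice(storage, choice) {
  if (choice !== "accepted" && choice !== "declined") throw new Error("invalid choice");
  storage.setItem(CONSENT_KEY, choice);
  return decideTracking(storage.getItem(CONSENT_KEY));
}

// Browser wiring, guarded so the decision logic above also runs outside a browser.
// The tracker script is injected only after consent, never on first paint.
function installConsentGate(win = typeof window === "undefined" ? null : window) {
  if (!win) return null;
  const doc = win.document;
  const loadTrackers = () => {
    const s = doc.createElement("script");
    s.src = TRACKER_SRC;
    doc.head.appendChild(s);
  };
  const decision = decideTracking(win.localStorage.getItem(CONSENT_KEY));
  if (decision.loadTrackers) loadTrackers();
  if (!decision.showBanner) return decision;
  const banner = doc.createElement("div");
  banner.innerHTML = // fixed text only, no user-supplied content
    `This website uses cookies. <a href="${POLICY_URL}">Privacy Policy</a> ` +
    `<button id="cc-accept">Accept</button> <button id="cc-decline">Decline</button>`;
  doc.body.appendChild(banner);
  doc.getElementById("cc-accept").onclick = () => {
    banner.remove();
    if (recordChoice(win.localStorage, "accepted").loadTrackers) loadTrackers();
  };
  doc.getElementById("cc-decline").onclick = () => {
    banner.remove();
    recordChoice(win.localStorage, "declined");
  };
  return decision;
}
installConsentGate(); // no-op outside a browser
```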
If you're on WordPress, there are several plugins available for a pop-up disclaimer; however, most require a developer to install and configure them.
Drupal offers a cookie compliance module to notify users of cookies. If your website is hosted with Drupal, you will likely need the help of a developer to install the module.
If you're on Morweb, we've created a packaged solution that can be easily applied to your website. Contact us for more information.