3 Steps to GDPR Compliance for Your Nonprofit Website
Many of our nonprofit clients at Morweb have asked us about GDPR compliance and how it affects their organization’s website. GDPR on the surface may seem a bit daunting and it is hard to know exactly where to start. We wanted to clear up a few facts by explaining how GDPR applies to nonprofits and associations operating in Canada and the United States. Simply follow these three steps to make your nonprofit website GDPR compliant.
1. Update Your Privacy Policy
2. Add Privacy Notices
3. Update Your Website
But first...what is GDPR?
The General Data Protection Regulation, or GDPR, is the result of data protection reform to make the European Union ‘fit for the digital age’. Effective May 25, 2018, the GDPR replaced the Data Protection Directive of 1995. The GDPR aims to give European citizens more control over their personal data.
Organizations collect all sorts of personal data through their websites, whether it is in the form of names, addresses, photos, passwords, credit card information, or browsing data. Data breaches are inevitable; data gets lost, stolen, or shared without user consent. Your nonprofit organization needs to have measures in place to protect your valuable user data and notify users if there is a breach.
Under the GDPR, organizations will be held accountable for ensuring that all personal data is gathered legally and kept private. The GDPR gives users more control over their data by reserving them the following rights:
- Users must opt-in to have their data stored
- Users reserve the “right to be forgotten” meaning they can revoke permission to store their personal data at any time
- Users have a right to know if their data is stolen or leaked. If a security breach occurs, organizations must report it to users within 72 hours
Who does GDPR apply to?
The GDPR applies to any organization that offers goods or services to EU consumers or businesses, or collects personal information from EU citizens.
- If you are a nonprofit, this applies to any donations you receive from citizens in the EU.
- For associations, GDPR applies to any organization that has members in the EU.
It also applies to any user data that is collected by your organization whether it is in the form of names, contact information, payment information or through the use of cookies.
The GDPR outlines two types of entities that handle personal data: controllers and processors. A controller is an individual or company that determines the purpose and means by which personal data is processed. A processor is an individual or company that processes personal data on behalf of the controller. A nonprofit or association would fall under the category of “controller”, while a payment provider may fall under “processor”.
Data controllers and processors are held to a higher standard under the GDPR. Data controllers are now responsible for conducting a Data Privacy Impact Assessment (DPIA) and continuously improving methods of obtaining consent for collecting data.
If your nonprofit organization fits this criterion, you must comply with GDPR or be subject to significant fines.
How to make your website GDPR compliant
Implementing new measures for data protection within your nonprofit organization is only half the battle. Your website needs to reflect your organization’s commitment to data privacy. If you are a nonprofit or association concerned about GDPR compliance, we’ve outlined three steps to get your website up to speed.
1. Update Your Privacy Policy
Whenever you collect or use personal information from your users, you are required by law to provide a Privacy Policy. Privacy Policies are agreements in which you specify what personal data you collect from your users. The GDPR now requires you to disclose more information in your Privacy Policy. It also requires that you use language that is more accessible and easy to understand.
A Privacy Policy should include the following:
- What personal information you collect
- How and why you collect it
- How you use it
- How you secure it
- Any third parties with access to it
- If you use cookies
- How users can control their data
Many privacy policies are dense legal documents jam-packed with technical terms, which is exactly what the GDPR is trying to avoid. Your Privacy Policy should be concise, transparent, intelligible, easily accessible, and written in plain language. The GDPR has outlined 8 rights for individuals that must be addressed in your Privacy Policy.
2. Add Privacy Notices
In accordance with the GDPR, you are obligated to notify your website users on how their data is being used, protected, processed, and stored.
Your Privacy Notice should address the following:
- Who collects the data
- What data is being collected
- The legal basis for processing the data
- Who, if anyone, the data will be shared with
- How the information will be used
- How long the data will be stored
- What rights users have to their data
- How users can raise a complaint
There are several templates and examples available online that you can use to create your Privacy Policy and Notice. Once you have them in place, it is good practice to send an email to your contacts notifying them of the change. This will give them the opportunity to ask questions, or update their data or permissions in your database.
3. Update Your Website
One of the most significant changes brought by the GDPR is opt-in consent. Users must actively choose to have their data collected on your website. If you have any forms on your nonprofit website, they will need to be updated to have the default setting as blank. Terms and conditions must be kept separate from contact permission.
Here are a few examples of the wrong and the right way to set up your forms:
This is incorrect. Users must check the box themselves to opt in to your terms and to receiving communications from your organization. This form instead requires the user to opt out by unchecking the boxes.
This is incorrect. Contact permission must be listed separately from the acceptance of terms and conditions (no tricky bundling!).
This is correct. Terms and Conditions are separate from Contact Permission and the default setting is left blank, allowing users to opt-in by clicking the boxes. It is a good idea to link your Privacy Policy and Privacy Notice on any online forms.
Online Donation Forms
Many nonprofits use third-party payment systems for their online donation forms. However, their website often collects donor information before passing along the details to the payment provider. If your organization saves this donor information, you must explicitly state how you handle that data in your Privacy Policy. You should also put in place web processes to remove user data after a reasonable amount of time, for example, 60 days.
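Both the form rules above (separate, default-blank terms and contact boxes) and the donor-data retention point can be checked in code. The following is an added example, not Morweb's code: a hypothetical sign-up/donation form handler that renders the consent fields, only treats an explicit submission as consent, and purges saved records after 60 days.

```javascript
// Added example (not Morweb's code). Names, the '/privacy' URL and the field
// names `terms` and `contact` are assumptions for illustration.

// Renders the consent part of a form. Terms and contact permission are separate
// boxes and neither carries a `checked` attribute, so the default is blank.
// `privacyPolicyUrl` is assumed to be a constant set by the site, not user input.
function renderConsentFields(privacyPolicyUrl) {
  return [
    '<label><input type="checkbox" name="terms" value="yes"> ',
    `I accept the <a href="${privacyPolicyUrl}">Terms and Privacy Policy</a></label>`,
    '<label><input type="checkbox" name="contact" value="yes"> ',
    'You may email me about your campaigns (optional)</label>',
  ].join('\n');
}

// Interprets a submitted form body. Only an explicit "yes" counts as consent;
// a missing field means "no", never a pre-filled default. Accepting the terms is
// required to proceed, contact permission is not (no bundling).
function recordSubmission(body, now = new Date()) {
  if (body.terms !== 'yes') {
    return { ok: false, error: 'terms-not-accepted' };
  }
  return {
    ok: true,
    record: {
      email: body.email,
      termsAccepted: true,
      contactConsent: body.contact === 'yes', // tracked separately from terms
      consentedAt: now.toISOString(),         // when consent was given
    },
  };
}

// "Right to be forgotten" for marketing: withdraw contact permission only.
function withdrawContactConsent(record, now = new Date()) {
  return { ...record, contactConsent: false, contactWithdrawnAt: now.toISOString() };
}

// Retention: drop donor records older than `days` (60, as in the text's example).
// In a real site this would run on a schedule against the database.
const DAY_MS = 24 * 60 * 60 * 1000;
function purgeExpired(records, now = new Date(), days = 60) {
  const cutoff = now.getTime() - days * DAY_MS;
  return records.filter((r) => Date.parse(r.consentedAt) >= cutoff);
}
```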
Cookies
If your website uses cookies, you must notify your users BEFORE they navigate your website. The best way to notify your users of website cookies is through the use of a pop-up disclaimer. This pop-up banner appears first thing when a user goes to your website notifying them of your cookie policy and asking their permission to track their data. This gives your visitors the option to remain anonymous and not have their user data tracked if they so choose. You should link to your Privacy Policy in your pop-up disclaimer to give your visitors more information about your user data policies and better explain why your website uses cookies.
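The gating behind such a banner can be done on the server, so that non-essential cookies and tracking scripts are never emitted until the visitor has opted in. The following is an added example, not code from Morweb or from any plugin: the consent cookie name, the category list and the script paths are assumptions.

```javascript
// Added example (not Morweb's or any plugin's code). Cookie name, categories
// and script paths are constructed for illustration.
const CONSENT_COOKIE = 'cookie_consent';
const CATEGORIES = { essential: true, analytics: false, marketing: false }; // default: off

// Parses the request's Cookie header into a consent object. A missing or
// malformed consent cookie means "not decided": show the banner, track nothing.
function readConsent(cookieHeader) {
  const consent = { ...CATEGORIES, decided: false };
  for (const part of (cookieHeader || '').split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name !== CONSENT_COOKIE) continue;
    try {
      const saved = JSON.parse(decodeURIComponent(rest.join('=')));
      for (const cat of Object.keys(CATEGORIES)) {
        if (cat !== 'essential') consent[cat] = saved[cat] === true; // opt-in only
      }
      consent.decided = true;
    } catch (e) {
      // malformed value: keep the defaults (nothing consented)
    }
  }
  return consent;
}

// Builds the Set-Cookie value that records the visitor's banner choice.
// Only the visitor's choice is stored; no personal data goes in this cookie.
function consentSetCookie(choice, maxAgeDays = 180) {
  const value = encodeURIComponent(JSON.stringify({
    analytics: choice.analytics === true,
    marketing: choice.marketing === true,
  }));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAgeDays * 86400}; Path=/; SameSite=Lax; Secure`;
}

// Whether a cookie or script of the given category may be emitted on this response.
function mayUse(category, consent) {
  return category === 'essential' || consent[category] === true;
}

// The script tags to include in the page for this visitor (constructed list).
function scriptsFor(consent) {
  const scripts = [
    { src: '/site.js', category: 'essential' },
    { src: '/analytics.js', category: 'analytics' },
  ];
  return scripts.filter((s) => mayUse(s.category, consent)).map((s) => s.src);
}
```

The banner itself only has to call `consentSetCookie` with the visitor's choice; every later response consults `readConsent` before adding a tracking script or cookie.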
If you're on WordPress, there are several plugins available for a pop-up disclaimer; however, most require a developer to install and configure.
Drupal offers a cookie compliance module to notify users of cookies. If your website is hosted with Drupal, you will likely need the help of a developer to install the module.
If you're on Morweb, we've created a packaged solution that can be easily applied to your website. Contact us for more information.