10 Key Questions on GDPR’s Impact

While the GDPR legislation may seem cumbersome, in the end it is designed to prevent corruption and the misuse of personal data. As long as you are intentional, aware and proactive, you will be ok! The GDPR legislation forces people as well as organizations to be aware of the data they have, what it is being used for, and to ensure it’s protected.

1. What is the GDPR and what does it say?

GDPR stands for "General Data Protection Regulation." It is new EU legislation that requires organizations to protect their contacts' personal data. Advocacy professionals hold personal data on their targets (i.e., emails/tel of politicians, which are usually kept in a stakeholder database). 

*TIP! If I were you, I would keep my target lists on locked Excel sheets, saved either on my hard drive, or on a trusted GDPR-approved server, like the Microsoft Cloud. I would not keep a shared list that anyone can edit or see on something like Google Docs. I would also determine who needs to know about this list (internally) and who (internally) is tracking the fact that we, as an organization, have this data. If I am at a small NGO, it might turn out that I will be the one who takes initiative and starts keeping record of all the data we process and keep. If I work for a large organization and we don’t have a point person for this, I will open that conversation up…

2. I am a network of NGOs – can I circulate this database within my network with all key contacts? If not, do you have hints to circulate a “lighter version” of the database which is compliant with the legislation?

No
Here it depends on the network: is it a network within one country, or multiple? Are the countries within the EU, or outside of the EU? It is important to understand the EU GDPR legislation is overarching, but each member state will enact and enforce their own relevant laws. If the network is limited to the EU, it is important to consult the legislation of each country involved, regarding the sharing of personal information. The only information given about sharing information to members outside of the EU is that one must tell the subjects that their information has been shared.

*TIP! If you are sharing a collaborative list of actors within your network, whether it is targets or potential allies, make 2 pages within a Google Doc : one that is public and has the names of these people – this can even be shared with volunteers – and one page that is hidden and locked, that contains the contact information of these actors. To find out how to hide a page on Google Docs, check out this page : https://support.google.com/docs/answer/1218656

3. Can I send emails to my targets from my NGO even if they did not provide explicit consent (I found their email online)? Certainly not newsletters, but other emails?

Yes, but
As soon as an NGO collects data from an open source, it automatically becomes a “data controller” and is therefore required to comply with the GDPR. If you found an email online, yes it was published, but it was not published with the original intent to be contacted by you, so there isn’t really consent here. If this is a TARGET, the legal basis for its retention could be related to the organization’s legitimate interests and deemed legitimate. However, if you are reaching out to a potential donor, or someone who is not a target, the subject must be made aware of where you found their information and the purpose of your having it, and given the option to never be contacted again or to “unsubscribe.”

4. Do I have to send an email to everyone on my mailing list for the newsletter asking for their consent to be on the list and giving them the option to “unsubscribe”?

Not exactly, however…
Unfortunately, there is not one clear answer to this and different organizations have taken different approaches to this question. Prior to the GDPR, organizations who had opted to send an email to everyone on their list requesting consent and an update of email preferences saw a significant slash in their contact list, donor base, etc. Despite these organizations’ significant decrease, they reported that those who remained subscribed were more likely to engage and had much higher response rates. Other organizations have simply sent updated privacy information to mailing list recipients, stating that by being on the mailing list, they understood that they wanted to be contacted, with an easy way to unsubscribe in subsequent emails. This is not the suggested way of doing things, however.

*TIP! If you have not already sent an email asking for people to re-subscribe post-GDPR, I would update your newsletters format to show a clear way to unsubscribe, and I would also include a link to where recipients can go to view any privacy statements/information about how their data is being used.

5. Can I use services like Mailchimp to send newsletters?

Yes!
Mailchimp has implemented different tools and resources to ensure it is GDPR complaint. However, if you are using emails that were acquired without consent, and have no legal basis, you could be in violation.

*TIP! When you send a newsletter, if you don’t use something like Mailchimp, which offers GDPR compliance by default, think about adding an « unsubscribe » option at the bottom of your emails. It could be as simple as someone clicking on this option and another email opening and being sent to you to notify you of their preferences. This way you will receive it and be able to take them off your list, and respect their consent to be contacted.

6. What about other software (a CRM, for instance) that we use?

It depends
By now, most organizations are up to speed with the GDPR regulations, however, if your organization has not consulted with your vendors about their GDPR compliance, it is wise to do so. Some people have found that some software does not allow for the permanent deletion of data (for example, a profile of a donor) which would be in direct violation of GPDR law, if the donor had requested to be removed.

7. Are we allowed to indefinitely keep the data of previous grants?

Yes
Grant databases can be argued to be an important historical record of previous civil society action and involvement. For larger organizations, you could remove all personal identifiable information and publish it as a record.

8. How do we ensure we are 100% compliant with GDPR regulations?

Due diligence is the key.
It really is tough to say if your organization is 100% compliant because ultimately it depends on who is auditing your organization and which laws and precedents are being applied (country dependent). The most important thing to keep in mind with the GDPR is that you should know everything there is to know about your organization’s data – AND you should be able to answer questions about it at the drop of a dime: where it came from, what it’s used for, if you have a legal basis for having it, how long you have it for, where it is kept, what safeguards are in place to prevent unauthorized access to it, who has access to it and who updates it.

*TIP! Be organized and have a workflow in place that makes it easy to understand what data you have, who has access to it and who is managing it. Even if you are a small organization and you think you would easily be able to answer questions about your data, having the list written down and maintained on a regular basis will make compliance much easier, and it will allow you to find the gaps or potential problems with how you manage data.

9. Are we required to appoint a data protection officer?

Well... what's your size?
Only people who conduct large-scale, regular and systematic monitoring of individuals, process large-scale special category data relating to criminal convictions or are a public authority or body are required to appoint a data protection officer. If your organization processes a lot of personal data regularly, it is wise to appoint a data protection officer and to organizationally support them in their efforts

10. If we are working for the greater good, won’t it be apparent that we don’t have malintent with the data we have?

Unfortunately, no.
You have to be able to justify the use, retention and collection of personal data at all times.

_______________________

Sources

“Art. 2 GDPR - Material Scope.” GDPR.eu, 14 Nov. 2018, gdpr.eu/article-2-processing-personal-data-by-automated-means-or-by-filling-system/.

“Civil Society Organizations and General Data Protection Regulation Compliance.” Open Society Foundations, Feb. 2020, www.opensocietyfoundations.org/publications/civil-society-organizations-and-general-data-protection-regulation-compliance.

___________________________________

Bailey Castillo Advocacy Assistant bailey.castillo@cap-impact.org   www.cap-impact.org