Learn More
Get your Fundraising Strategy Assessment Learn More

Your inbox might be in a bit of a tizzy these days because almost every company you’ve ever given your email address to is sending you their privacy policy.

(But wait, this is actually a good thing for privacy! Plus, it’s an opportunity to engage.)

There is a lot of information out there about GDPR and it can become confusing, quickly. So the team here at Pursuant put together a brief FAQ and best practice recommendations for you and your organization.  We hope this makes it a little easier to consume and understand what you should do as a nonprofit professional.

What is GDPR?

GDPR stands for General Data Protection Regulation, which is a new EU regulation replacing the 1995 EU Data Protection Directive (DPD).  As of May 25, 2018, this regulation is in force in the EU to enhance the protection of personal data of EU citizens, and to increase the obligations of organizations who collect, store or process personal data.

The regulation builds upon the 1995 Directive’s requirements for data privacy and security, however it also includes new provisions and creates harsher penalties for violations.

How does this affect my organization and my email list?

Regardless of where your organization is located, if you have constituents located in the EU, the GDPR applies to you and your organization’s data privacy practices.  Bottom line: EU constituents must consent to receive communication from your organization.

Per an article recently published by Forbes, “The General Data Protection Regulation (“GDPR”) is a legal framework that requires businesses to protect the personal data and privacy of European Union (EU) citizens for transactions that occur within EU member states. It covers all companies that deal with the data of EU citizens, specifically banks, insurance companies, and other financial companies.”

If your organization engages with and sends communications to individuals who live within the EU, then you need to ensure you are compliant in your data privacy policy and practices.

What are recommended next steps?

  • Ensure your privacy policy and terms of service are updated to adhere to GDPR.  We recommend you consult with legal counsel to ensure you are adhering and your privacy policy is up-to-date.
  • If you have a donor CRM or database, you should query your database to build a segment or group of those individuals who are located in the EU.
  • Communicate to your email list to ensure they are aware of any privacy policy changes.  We recommend you segment your communications to EU residents and non-EU residents.
  • Update your website opt-in form to include a link to your privacy policy and any other data terms of service or terms of use your organization has in regards to constituent data.
  • Consider adding a temporary callout or pop-up on your website, which links to your updated privacy policy.

What are recommended best practices for a GDPR communication to my constituents?

We recommend that you use this as an opportunity to stand out from the crowd and re-engage your constituents.  

If you have not already done so, you should do the following:

Inform your constituency

Create an email communication to send to your constituents to let them know of the updated privacy policy regulation (GDPR).

Use this email communication as an opportunity to thank them for their engagement with your organization, and remind them of the important relationship they have with your cause.

Many companies are flooding your constituents inboxes with privacy policy updates because of these regulation changes.  Use this as an opportunity to recognize your supporters and make them feel special…they are a part of your impact.

Here are some ways in which you can do this:

  1. Have some fun with it! Don’t just be another boring GDPR email to be compliant.  You could even include humor if you feel it is appropriate, recognizing that you know you are “just another GDPR email”.
  2. Use this as an opportunity to re-engage and remind people when they opted in or thank them for their last gift of $X.
  3. Send a message specific to those located in the EU and send a different message to those on your file who are not in the EU. 
    • The EU version should include a link to opt back into your communications.  Be sure that the checkbox to opt-in is not preselected for these individuals.  Your constituents will need to self-check the box.
    • The non-EU version can simply provide information and link to the privacy policy.

Additional Resources and Insights We Find Helpful:

There are a lot of helpful resources on this topic, so we wanted to point you to those which we found most helpful.

[Article]: https://www.forbes.com/sites/andrewrossow/2018/05/25/the-birth-of-gdpr-what-is-it-and-what-you-need-to-know/#357340c555e5

[Article]: https://www.forbes.com/sites/forbestechcouncil/2018/05/25/what-does-gdpr-mean-for-u-s-based-nonprofits/#270f052320f3

[Article]: https://bloomerang.co/blog/bloomerang-and-gdpr/

[Article]: https://www.theagitator.net/uncategorized/gdpr-dies-in-your-inbox-but-theres-hope

[Podcast] https://nofilternonprofit.blackbaud.com/raise-engage-podcast-series/episode-57-lets-talk-about-gdpr