SLIDE 1

SLIDE 2

SLIDE 3

Note that we are not lawyers. The content of this webinar reflects our understanding of the laws and should be used for informational purposes only – not for legal advice. This webinar should not be your only source of information. We are only providing an overview of the laws and what you will need to do. We share a list of resources at the end that you can use to get educated on the details and nuances of the GDPR laws.

SLIDE 4

The laws apply to organizations in ANY country that communicate with citizens of the European Union.

SLIDE 5

The General Data Protection Regulations (GDPR) are laws designed to make sure people have control over their personal information and what it is being used for. The laws cover how people are informed of how the data is used, how they consent to its use (or limit use), the right to “be forgotten”, to export their data and to seek damages if they suffer from misuse or breach of their data. It means that organizations need to receive explicit permission to store personal data, store it responsibly and be transparent about how they are storing it.

SLIDE 6

SLIDE 7

SLIDE 8

SLIDE 9

SLIDE 10

SLIDE 11

The first step is to get organized internally and be clear on who needs to be involved. For a small organization, this may be just one or two people. Larger organizations will have more staff who play a role in communicating with constituents. Regardless of your size, someone internally should have formal ownership over data. In larger organizations, this may be a Data Officer. In a smaller organization, it may be that responsibility for data security is given to an existing staff member. Once the team is educated about GDPR, have a preliminary discussion on your organization’s tolerance for risk: how big an issue GDPR is for your org, and how quickly and seriously senior management wants to move. Keep in mind that the deadline for compliance is May 25th, so there’s not much time. You will have to weigh the risk that you are reported or audited. If EU constituents are not mission-critical for you, you may decide to suspend communicating with them until you can get your compliance in order. Don’t forget that getting consent after May 25th will be tricky, because you won’t have consent to email them (to get consent).

SLIDE 12

The next step is to get your arms around where all your constituent data is, who has access to it, who you’re sharing it with, etc. This is the data governance step of inventorying and qualifying what you already possess and how it’s used. Answer the who, what, where, when, why, and how questions about the data you have on your constituents – whether it is data they have provided you or you have otherwise collected on them.

This is critical to review across different departments and data uses. It applies to things like list sharing or swapping; raw data files saved on network, local or USB file storage drives; prospecting or mailing co-op lists/vendors; your eCRM/database of record; and your website analytics tracking. Who are the individuals and companies with access or capabilities to match any of the personal data back to other systems?

SLIDE 13

The next step is to create a plan for how you’ll fix the areas that are not in compliance – and we’ll cover a few specifics on this in a moment. But for some organizations, it’s worth doing a reality check. How many EU constituents do you have, and are you really getting value out of them? You may feel it’s not worth the cost of making changes. In that case, your plan is pretty simple. Just remove those EU constituents from your databases (not the transaction data, but the personal data).

SLIDE 14

The next step is to move ahead with your plan and make the changes to your systems.

  • Evaluate how you’d like to collect consent for specific types of data usages.
  • Are there changes that need to be made to internal data sharing policies or where to save files on the network drives?
  • Work with your legal team(s) to review and possibly update your privacy policy or terms to correctly reflect all your current business activities – list swaps, sharing or data collection; identify your analytics platform(s) and marketing techniques (like AdWords, Rocketfuel, etc.).
  • What changes to code or your website structure need to be made to get the appropriate data either scrubbed/filtered from your analytics or removed completely?
  • Define processes for how a constituent could request their own personal information.
  • Review and update your contracts with vendors, agencies, etc. to ensure that their practices are in line with GDPR.

SLIDE 15

SLIDE 16

SLIDE 17

This example from the National Trust does a nice job of brand building (“Your support is precious to us…”), transparency, and requires an active response.

SLIDE 18

This example from Oxfam.org.uk is granular (separate checkboxes for email and phone), transparent about what they will do with your information, is clear on how to change your information later, and requires an active response.

SLIDE 19

This membership form from the National Trust is a good example of granularity (email, post and phone are separate checkboxes) and brand building (“Your privacy is important to us”). They also include instructions on how to access their “Marketing Preferences Center” to change your options later on, and a link to their Privacy Policy where they are transparent about how they are using your data.

SLIDE 20

No more asking for extra information (e.g. on surveys or registration forms) just because we’re trying to learn more about our constituents. If that data is not relevant to the situation, you cannot ask for it.

SLIDE 21

The Information Commissioner’s Office is an independent authority in the UK: https://ico.org.uk

SLIDE 22

Sending personal data into Google Analytics (GA) is not only a no-no under GDPR, it also violates GA's Terms of Use. “Any customer data sent ‘in the clear’ to GA is a clear break of their terms, and can result in Google deleting all your analytics for that period.” Most US zip codes couldn't be tracked back to a single residence/person; however, some international post codes could. Our blog post covers some ways to do this: www.beaconfire-red.com/epic-stuff/gdpr-cookies-milk.
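The usual way personal data leaks into analytics is through the page URL itself: a confirmation page with `?email=...` in the query string, or an unsubscribe link that carries the address in the path. The function below is an added example (not from the webinar or the blog post it cites) of scrubbing a URL before it is handed to any tracker; the parameter names in `SENSITIVE_PARAMS` are assumed for illustration and the sample URLs are constructed.

```javascript
// Added example (not from the webinar): redact personal data from a page URL
// before it is passed to an analytics tracker such as Google Analytics.
// Parameter names in SENSITIVE_PARAMS are assumed for illustration.
const SENSITIVE_PARAMS = new Set([
  "email", "name", "firstname", "lastname", "phone", "postcode",
]);

// Anchored match for a whole value that looks like an e-mail address.
const EMAIL_RE = /^[^\s@/]+@[^\s@/]+\.[^\s@/]+$/;

function scrubPiiFromUrl(rawUrl) {
  const url = new URL(rawUrl);
  const redacted = [];

  // Query string: redact by parameter name or, as a fallback, by value shape,
  // so ?ref=jane@example.org is caught even though "ref" is not listed.
  for (const [key, value] of [...url.searchParams.entries()]) {
    if (SENSITIVE_PARAMS.has(key.toLowerCase()) || EMAIL_RE.test(value)) {
      url.searchParams.set(key, "REDACTED");
      redacted.push(`query:${key}`);
    }
  }

  // Path: unsubscribe or confirmation links often carry the address itself,
  // e.g. /unsubscribe/jane@example.org.
  const segments = url.pathname.split("/").map((segment) => {
    let decoded = segment;
    try {
      decoded = decodeURIComponent(segment);
    } catch (e) {
      // Malformed percent-encoding: keep the segment as-is for the test below.
    }
    if (EMAIL_RE.test(decoded)) {
      redacted.push("path");
      return "REDACTED";
    }
    return segment;
  });
  url.pathname = segments.join("/");

  // The fragment is not needed for page tracking and may hold tokens; drop it.
  url.hash = "";

  return { url: url.toString(), redacted };
}

// Constructed sample: a thank-you page whose URL echoes the donor's address.
const SAMPLE_URL =
  "https://example.org/thanks?email=jane%40example.org&campaign=spring";
console.log(scrubPiiFromUrl(SAMPLE_URL));
// { url: 'https://example.org/thanks?email=REDACTED&campaign=spring', redacted: [ 'query:email' ] }
```

Call `scrubPiiFromUrl` on `location.href` and pass only the returned `url` to the tracker as the page location; the `redacted` list is useful for logging how often forms are leaking addresses into URLs in the first place, which is the thing to fix at the source.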

SLIDE 23

  1. If there is potential for someone to use that cookie data to identify (e.g. by linking with other data) and single out an individual, e.g. a persistent cookie unique to the device.
  2. Silence, pre-ticked boxes or inactivity should NOT therefore constitute consent.
  3. Even after getting valid consent, there must be a way for people to change their mind. GDPR says that withdrawing consent must be as easy as giving it.

SLIDE 24

SLIDE 25

SLIDE 26

SLIDE 27

SLIDE 28

Provide a way for people to:

  • access their personal data and details
  • submit requests for changing that data

Protect the data under the GDPR’s rules:

  • ensure a level of security appropriate to the risk
  • when appropriate, pseudonymize and/or encrypt the data
  • ability to restore availability and access in a timely manner in the event of a physical or technical incident
  • establish a process for regularly testing and evaluating the effectiveness of those measures

May need to appoint a Data Protection Officer:

  • This will be the case for all public authorities and bodies that process personal data, and for other organisations that - as a core activity - monitor individuals systematically and on a large scale, or that process special categories of personal data on a large scale.

SLIDE 29

One thing to note about this data removal is that it’s not EVERYTHING. For some sites, like e-commerce applications, retaining personal data may be required for reporting and auditing. This means that some sites may need to scrub their data when a user makes a request; however, critical information may be retained to comply with financial regulations and laws.

SLIDE 30

  1. It’s a fabulous branding opportunity. Showing your constituents some love.
  2. You’ll be ahead of the game as the US moves in this direction.

SLIDE 31

SLIDE 32