Discuss


Ask a question. Give advice. Share resources. Looking for software or hardware recommendations? Want to know how others are using text messaging in their work? Trying to find examples of IT policies? The NTEN Discuss forum is a great resource for all of the above and more! It's the general discussion list for the NTEN community, and folks all over the US (and the world) are sharing their questions, answers, and news about nonprofit technology.

GDPR Preparation?

  • 1.  GDPR Preparation?

    Posted Jan 08, 2018 15:41
    Is anyone working on GDPR (General Data Protection Regulation) compliance? I'm just reading up on it and thinking about the changes we would need to make to our website and marketing process. We're hosted by Acquia and use Salesforce for our data, and they are both compliant, but I'm wondering about language for our registration forms and cookies. Feeling a little overwhelmed at this point!

    Mary


    ------------------------------
    Mary Gaughan
    FSG
    Boston, MA
    ------------------------------


  • 2.  RE: GDPR Preparation?

    Posted Jan 09, 2018 13:55
    Mary,

    I haven't started yet (next month hopefully), but I have an Asana task to learn what our org needs to do for GDPR since we have members and students in Europe. We use Salesforce, Google Suite, and WordPress.


    Kai

    --
    Kai Williams
    Executive Director
    The International Wildlife Rehabilitation Council


  • 3.  RE: GDPR Preparation?

    Posted Jan 10, 2018 10:23

    One place to start is to update your website with a message about cookies, and reference your cookie policy/data gathering and data protection policy.  Pretty much any business operating in Europe is already doing this, and if you visit their websites you can see what others are doing.  Example – go to www.economist.com and note their message:  "By continuing to browse..."

    That's not all you need to do, but it will get you started.

    Jeff Chandler
    President
    American Technology Services, Inc.
    2751 Prosperity Ave.
    Suite 600
    Fairfax, VA  22031
    Tel. 703-876-0300 x5362
    chandler@networkats.com





  • 4.  RE: GDPR Preparation?

    Posted Jan 10, 2018 17:23
    Here's a statement on GDPR from Salesforce that someone recently shared with me. https://www.salesforce.com/content/dam/web/en_us/www/documents/white-papers/gpdr-fact-sheet.pdf

    ------------------------------
    Ashley Hansen
    VP of Growth, Frakture
    Washington, DC
    ashley@frakture.com
    ------------------------------



  • 5.  RE: GDPR Preparation?

    Posted Jan 11, 2018 11:02
    We are a partner for SAP and its public sector solution (Business ByDesign Public Sector) geared to municipalities, nonprofits and higher education.  The following links discuss how SAP is already compliant with GDPR in its products and any measures being taken to ensure enhanced compliance for May 2018.  While the documentation is specific to SAP solutions, you can glean from the requirements and SAP's stated compliance how your ERP may or may not meet the stated requirements:

    GDPR - Getting ready for May 25, 2018 – part 1
    GDPR - Getting Ready for May 25, 2018 – part 2

    In case of issues following the links, I have also attached the content.

    Hope this helps to provide a better understanding of requirements and how to address.

    ------------------------------
    John Kearns
    Primary Contact
    Accounting Micro Systems
    San Francisco
    john.kearns@accountingmicro.com
    ------------------------------



  • 6.  RE: GDPR Preparation?

    Posted Feb 01, 2018 11:37
    We have clients who are preparing for this now.  In fact, I just wrote the first of a series of blog posts on GDPR.  This first post reviews who it applies to (spoiler alert: US organizations are not exempt) and generally what needs to be done.  We'll be diving into more details in subsequent blog posts over the next few weeks.

    GDPR: Is Your Organization Ready?



    ------------------------------
    Lynn Labieniec, CEO
    Beaconfire RED
    2300 Clarendon Blvd, Suite 925
    Arlington, VA 22201
    direct: 571-814-2201
    lynn.labieniec@beaconfire-red.com
    www.beaconfire-red.com
    ------------------------------



  • 7.  RE: GDPR Preparation?

    Posted Feb 14, 2018 11:04
    We have been doing some background research and my own goal is to have a strategic plan together in the next 10 days. We are a nonprofit subsidiary of a larger health care system with affiliates globally, including the EU. I have attended multiple vendor webinars and read white papers and checklists. I think the big items are:
    • Doing a risk assessment of your CRM/Donations and how that information is stored and secured
    • Ditto your internal network/AD/Office environments - understand what your vendors are providing (or not). If they haven't offered, ask what they are doing and get it in writing
    • If you have homegrown web systems that collect and distribute PII, time to do a deep dive and figure out, again, what PII you may be storing and how it is safeguarded.

    Cookie disclaimers on websites are just the tip of the iceberg. Good luck to all of us.

    Kristin

    ------------------------------
    Kristin Iden
    Manager, Data, IT and Web Systems
    Safe Kids Worldwide
    Washington, DC
    ------------------------------



  • 8.  RE: GDPR Preparation?

    Posted Feb 28, 2018 10:41
    Hi Mary,  There have been a few folks sharing resources over the last month.  Just wanted to make sure you saw those and are feeling at least a little bit more confident about what you need to tackle.

    In case you missed them, here are links to two blog posts we've done:
    GDPR: Is Your Organization Ready?
    GDPR & Cookies (with Milk!)





    ------------------------------
    Lynn Labieniec
    CEO & Co-Founder
    Beaconfire RED
    lynn.labieniec@beaconfire-red.com
    ------------------------------



  • 9.  RE: GDPR Preparation?

    Posted Apr 10, 2018 20:45
    How many of you have started sending out policy emails related to GDPR?
    I'm wondering what the loss of subscribers is with this? How has this affected your numbers?
    Do people appreciate it? Or get turned away?
    Does anyone have a good template for comms on this?
    Thanks in advance.


    ------------------------------
    Danielle Siembieda
    Leonardo/ISAST
    Oakland, CA
    ------------------------------



  • 10.  RE: GDPR Preparation?

    Posted Apr 12, 2018 13:00
    Hello Danielle,

    I wanted to share with you some guidance from the UK's Information Commissioner's Office (ICO) on privacy notices for compliance with GDPR, which you can find here: Privacy notices, transparency and control.  This document provides guidance on what you should include in your privacy notice (however, this is laid out pretty clearly in articles 13 & 14 of the regulation), as well as where and how you should deliver your privacy notice, plus other valuable pieces of information.

    Hope this information is useful.

    ------------------------------
    William Rankin
    Manager, Compliance Services
    571.405.5378
    wrankin@networkats.com
    ------------------------------



  • 11.  RE: GDPR Preparation?

    Posted Apr 12, 2018 13:19
    Edited by Dan Germain Apr 12, 2018 13:19
    Higher Logic (the company/platform that powers the NTEN online community) has been preparing for GDPR for some time now as we power communities touching over 25 million participants globally.  You can find lots of additional information and access a free GDPR webinar recording on our website here: An Introduction to the EU Global Data Protection Regulation


    ------------------------------
    Dan Germain
    Director, NonProfit Sector
    Higher Logic
    dgermain@higherlogic.com
    737-205-1037
    ------------------------------



  • 12.  RE: GDPR Preparation?

    Posted Apr 16, 2018 10:34
    Hi all, has anyone worked with any consulting companies that help organizations prepare for GDPR? If so, can you recommend someone? Do you know if it's better to work with a consultant to help assess the organization's situation, or is it best to go straight for legal help instead?

    ------------------------------
    Contessa Siegner
    IT Director
    Proverbs 31 Ministries
    Matthews, NC
    ------------------------------



  • 13.  RE: GDPR Preparation?

    Posted Apr 17, 2018 11:23
    We offer GDPR compliance help to our clients.

    Our approach is to help assess the overall scope and impact of GDPR on your organization (i.e., to what extent do the regs apply to you, and how much of the way that you process data is going to be impacted), to surface some big-picture questions (e.g., is it feasible to simply stop dealing with EU residents, given your work? What is your tolerance for legal risk relative to the compliance work ahead?), and finally, to create a prioritized plan to address your issues. This plan is what you can then take to an attorney to receive specific additional guidance and a formal legal opinion that you can rely on.

    We believe that clients must get legal advice on this matter, since it's ultimately a legal issue. However, most attorneys and firms don't have or offer the kind of service required to assess and plan for compliance. And at the rates attorneys typically charge, it may be much more cost-effective to work with a consultant to assess and build a plan, and then bring in an attorney to certify it. Feel free to contact me directly if you'd like to learn more.

    ------------------------------
    Isaac Shalev
    http://www.sage70.com
    Stamford CT
    @Sage70
    isaac@sage70.com
    ------------------------------



  • 14.  RE: GDPR Preparation?

    Posted Apr 18, 2018 10:18
    Glad to see this post here! BIG changes are on the horizon and, in speaking with several individuals and orgs at NTEN last week, this issue is still widely unknown.

    Our organization, Briteweb (briteweb.com), is a social sector consultancy that develops strategy, design, and technology solutions for nonprofits and foundations. We provide auditing services that yield a 'report card'/recommendations brief for bringing your website up to regulation. From there, we help implement the changes or guide you through the process of doing so yourself (we've found that most of the changes can be done relatively easily by our clients - it's identifying the compliance issues that can be tricky).

    Happy to chat with anyone who has questions or wants to learn more about what they should do. Feel free to send me an email brodie@briteweb.com.

    ------------------------------
    Brodie Wasserman
    Briteweb (briteweb.com)
    Brooklyn, NY
    ------------------------------



  • 15.  RE: GDPR Preparation?

    Posted Apr 19, 2018 09:06
    That's excellent! GDPR is a great opportunity to revisit your website not only to implement compliance features, but also to think about those requirements as part of the user journey. The transparency requirements of the GDPR for consent and privacy are a great opportunity to reframe your relationship with donors by being plainspoken and appreciative. E.g., don't say "you hereby give us consent to share your data with 3rd-party partners"; say "Thank you for being an activist. Information you share can help us connect you to additional resources provided by some of our allies. Sharing that information can really help us make a difference, but if you don't want us to, that's ok too. You're welcome to opt out."

    And remember, GDPR compliance isn't just about your website, it's also about your CRM, your payment processing, your internal policies, and even your scattered spreadsheets and paper files. Reach out to us or other experts if you need help, the deadline is almost here!

    ------------------------------
    Isaac Shalev
    http://www.sage70.com
    Stamford CT
    @Sage70
    isaac@sage70.com
    ------------------------------



  • 16.  RE: GDPR Preparation?

    Posted Apr 20, 2018 09:47
    What are the requirements for sending data to third parties - like sending names and postal addresses to a mail house?

    ------------------------------
    Judy Freed
    Marketing Strategist, Alliance for the Great Lakes
    Co-Organizer, NTEN Digital Advertising Community
    Chicago, Illinois
    ------------------------------



  • 17.  RE: GDPR Preparation?

    Posted Apr 20, 2018 09:54
    Hello Judy,

    The short answer is this. You should have a contract in place with the data processor (mailing house) that clearly states they will only process the data based on the guidance you, as a data controller, give them. Plus a few other items that are listed in the regulation. You will also want to make sure your privacy notice clearly states that you share information with a third party (or parties) and what the purpose is. You will also want to get assurance from the processor that they have adequate security measures in place to protect the confidentiality, integrity, and availability of the information you are sharing.

    -Bill






  • 18.  RE: GDPR Preparation?

    Posted Apr 20, 2018 16:17

    Thanks, Bill. That's super helpful. Do you know if Facebook has any language about how they handle email addresses that organizations upload for the purpose of creating custom ad audiences? Our organization is in the U.S., but we'd like assurances that the info will be used only for the purpose of targeting our ads and that Facebook won't retain the info in perpetuity.



    ------------------------------
    Judy Freed
    Marketing Strategist, Alliance for the Great Lakes
    Co-Organizer, NTEN Digital Advertising Community
    Chicago, Illinois
    ------------------------------



  • 19.  RE: GDPR Preparation?

    Posted Apr 20, 2018 16:57
    Hey Judy,

    I am glad you found that information helpful.  Facebook is an interesting subject, especially over these past weeks.  I have a couple of pieces of information to share with you but I have to state, I do not think this will fully answer your question.

    1. Here is the link to Facebook's updated privacy policy - Data Policy.

      1. I have not read this but I did a quick find for email which returned two references.
        1. The first was in a note about reducing the data developers and applications can request to include (not exclude) email.
          "Note: We are in the process of restricting developers' data access even further to help prevent abuse. For example, we will remove developers' access to your Facebook and Instagram data if you haven't used their app in 3 months, and we are changing Login, so that in the next version, we will reduce the data that an app can request without app review to include only name, Instagram username and bio, profile photo and email address. Requesting any other data will require our approval."

        2. The second was about the information they share with advertisers, and in this instance email was excluded.
          "We provide advertisers with reports about the kinds of people seeing their ads and how their ads are performing, but we don't share information that personally identifies you (information such as your name or email address that by itself can be used to contact you or identifies who you are) unless you give us permission. For example, we provide general demographic and interest information to advertisers (for example, that an ad was seen by a woman between the ages of 25 and 34 who lives in Madrid and likes software engineering) to help them better understand their audience. We also confirm which Facebook ads led you to make a purchase or take an action with an advertiser."

    2. techcrunch.com published this article https://techcrunch.com/2018/04/17/facebook-gdpr-changes/ on their view of Facebook's new privacy policy.

    Hope this sheds some light on the subject for you.

    Thanks,
    Bill

    ------------------------------
    William Rankin
    Manager, Compliance Services
    571.405.5378
    wrankin@networkats.com
    ------------------------------



  • 20.  RE: GDPR Preparation?

    Posted Apr 22, 2018 22:11
    When you upload emails to create a custom audience, you don't actually transmit email addresses to FB. Instead, before the data leaves your browser, it gets hashed. Hashing means taking the data you provide and converting it via an algorithm in a manner that makes it impossible to reverse-engineer. In other words, you're giving FB a meaningless set of data that it can't turn back into email addresses. FB, in the meantime, has collected and hashed many emails from many people, using the same hashing algorithm. Basically, they compare the hashes you provide with the hashes they have stored. Any matches are added to your custom audience. Then, all the data is deleted.

    https://www.facebook.com/business/help/112061095610075

    This methodology doesn't mean the hash data isn't covered by GDPR, or doesn't count as personal data. Rather, this approach is consistent with good practices for making data anonymous or semi-anonymous. Fortunately, Facebook participates in the Privacy Shield program, so presuming you have permission from your users to use their data in this way, and you have acceptable reasons for doing so, the issue of transferring data to Facebook shouldn't be an obstacle.

    https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC

    ------------------------------
    Isaac Shalev
    http://www.sage70.com
    Stamford CT
    @Sage70
    isaac@sage70.com
    ------------------------------
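The hashed-upload flow described in the post above, as an added example that is not from the thread or from Facebook: it assumes addresses are trimmed and lower-cased before an unsalted SHA-256 (the post names no algorithm), uses constructed sample addresses and account ids, and ends with the caveat the post's second paragraph makes, that a deterministic hash is a pseudonym rather than anonymised data.

```python
"""Added example (not from the thread or Facebook's own code): how a hashed
custom-audience upload is matched, and why the hashes remain personal data.

Assumptions, labelled because the post does not state them: the address is
trimmed and lower-cased before hashing, and the digest is an unsalted
SHA-256 hex string. All addresses and account ids below are constructed.
"""
import hashlib
from typing import Dict, Iterable, List


def normalize_email(email: str) -> str:
    """Canonicalise so both sides hash identical bytes (assumed rules)."""
    return email.strip().lower()


def hash_email(email: str) -> str:
    """Unsalted SHA-256 hex digest of the normalised address (assumed)."""
    return hashlib.sha256(normalize_email(email).encode("utf-8")).hexdigest()


def build_upload(emails: Iterable[str]) -> List[str]:
    """Advertiser side: what leaves the browser is a de-duplicated list of
    hashes; no raw address is transmitted."""
    return sorted({hash_email(e) for e in emails})


def build_platform_index(accounts: Dict[str, str]) -> Dict[str, str]:
    """Platform side: the same hash over its own users' addresses, keyed
    hash -> account id (constructed stand-in for the real store)."""
    return {hash_email(email): acct for email, acct in accounts.items()}


def match_audience(uploaded: Iterable[str], index: Dict[str, str]) -> List[str]:
    """Look each uploaded hash up; the matches become the custom audience."""
    return [index[h] for h in uploaded if h in index]


def reidentify(hashes: Iterable[str], candidates: Iterable[str]) -> Dict[str, str]:
    """The caveat: matching works only because the hash is deterministic, so
    whoever holds the hashes plus a list of candidate addresses can run the
    same lookup. That is pseudonymisation, not anonymisation, which is why
    the hashes are still personal data under GDPR."""
    table = {hash_email(c): normalize_email(c) for c in candidates}
    return {h: table[h] for h in hashes if h in table}


# Constructed sample data (not real people or accounts).
ADVERTISER_LIST = ["Alice@Example.org ", "bob@example.org", "carol@example.net"]
PLATFORM_ACCOUNTS = {
    "alice@example.org": "acct-1",
    "bob@example.org": "acct-2",
    "dave@example.org": "acct-3",
}

if __name__ == "__main__":
    upload = build_upload(ADVERTISER_LIST)
    index = build_platform_index(PLATFORM_ACCOUNTS)
    print("audience:", match_audience(upload, index))
    print("re-identified:", reidentify(upload, PLATFORM_ACCOUNTS))
```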



  • 21.  RE: GDPR Preparation?

    Posted Apr 23, 2018 09:42
    Thanks, Isaac. That's exactly what I was looking for. Facebook doesn't make it easy to find!

    ------------------------------
    Judy Freed
    Marketing Strategist, Alliance for the Great Lakes
    Co-Organizer, NTEN Digital Advertising Community
    Chicago, Illinois
    ------------------------------



  • 22.  RE: GDPR Preparation?

    Posted Apr 23, 2018 14:46
    My pleasure! I needed to use Google to find it myself.

    ------------------------------
    Isaac Shalev
    http://www.sage70.com
    Stamford CT
    @Sage70
    isaac@sage70.com
    ------------------------------



  • 23.  RE: GDPR Preparation?

    Posted Apr 24, 2018 09:58
    Here's another good resource: GDPR for Nonprofits, a presentation @Lynn Labieniec and @Rosa Del Angel gave at 18NTC. I wasn't able to attend the session, but the collaborative notes and the slide deck are clear and chock full of info.

    ------------------------------
    Judy Freed
    Marketing Strategist, Alliance for the Great Lakes
    Co-Organizer, NTEN Digital Advertising Community
    Chicago, Illinois
    ------------------------------



  • 24.  RE: GDPR Preparation?

    Posted Apr 24, 2018 12:30
    Thank you for this fantastic thread and resources.

    ------------------------------
    Elizabeth Mace
    Director, Online and Social Media Strategy
    Volunteers of America
    Alexandria, VA
    ------------------------------



  • 25.  RE: GDPR Preparation?

    Posted Apr 24, 2018 13:28

    Thanks for all the great info! I can report that our email service provider is cracking down on permissions issues and I think we'll see more of that in the days to come. Twitter announced this morning that they will be releasing new terms on May 25. It's good to see that things are happening. When I started this post back in January, I felt like a voice in the wilderness!



    ------------------------------
    Mary Gaughan
    FSG
    Boston, MA
    ------------------------------



  • 26.  RE: GDPR Preparation?

    Posted Apr 25, 2018 09:05
    I was also unable to attend this session but a huge THANK YOU to the presenters and those taking the notes. (yeah, that was a shout. Maybe a shout-out)

    ------------------------------
    Grace Barry
    Director of Information Technology
    Family Service League
    Huntington, NY
    ------------------------------



  • 27.  RE: GDPR Preparation?

    Posted May 10, 2018 12:58

    Does anyone know if GDPR applies to "real world" interactions? If you have a meeting and someone gives you a business card, do you have permission to email them? What if they are a member, customer or client? Finally, what about convenings? Are conference attendees considered to be opting in for email from the organizer?

    Thank you!



    ------------------------------
    Mary Gaughan
    FSG
    Boston, MA
    ------------------------------



  • 28.  RE: GDPR Preparation?

    Posted May 10, 2018 14:53
    Hello Mary,

    GDPR applies to "real world" interactions if you are going to use the individual's personal data for processing related to your organization.  It does not apply to interactions that are strictly personal/social.

    Technically speaking, if you are meeting with someone and they give you their business card, you can, at the time of obtaining that information, let them know you are going to add this to your organization's contact management application and what the purpose(s) of processing will be for their personal data. Consent can be given during a conversation, and how you got consent would need to be recorded in your records of processing.  However, and I am making an assumption here, FSG has probably already determined the lawful basis of processing for the categories of personal data it processes and the associated purpose(s) of processing.  If the personal data on the business card falls within one of these categories and the lawful basis is something besides consent (i.e., legitimate interest), then you can use that basis again.

    If they are already a member, customer, or client, then whatever lawful basis of processing you have determined to be valid for the data you already have could apply to this if the categories of data and purpose(s) of processing are the same.  An example of a category of personal data would be contact details, which could include name, address, email, phone number.

    For conference attendees you may be able to rely on legitimate interest as the lawful basis of processing.  The ICO provides the following guidance on legitimate interest related to marketing activities "You can rely on legitimate interests for marketing activities if you can show that how you use people's data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object – but only if you don't need consent under PECR. See our Guide to PECR for more on when you need consent for electronic marketing."  You can view the ICO's guide to legitimate interest at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/.   However, when people are registering for conferences you will want to provide them with the ability to consent to receiving future communications and your privacy notice that states what information you process, what your purpose(s) of processing are, and what the lawful basis of processing is for each purpose of processing.

    Hopefully this is useful and good luck.

    Bill


    ------------------------------
    William Rankin
    Manager, Compliance Services
    571.405.5378
    wrankin@networkats.com
    ------------------------------



  • 29.  RE: GDPR Preparation?

    Posted May 11, 2018 10:20
    A good way to think about data under GDPR is to stop viewing data as property.

    Instead, see privacy as a right that individuals have. When individuals share data, they're not transferring ownership of the data. Rather, they're providing a license to specific others to use data. That license is pretty restrictive, and in most cases, it can be rescinded.

    It doesn't matter what form the data takes, or in which medium it was acquired. Paper data, in your filing cabinets, is also subject to GDPR. What matters is what legal basis you have to claim permission or rights to process (possess, use, display, etc.) that data.

    ------------------------------
    Isaac Shalev
    http://www.sage70.com
    Stamford CT
    @Sage70
    isaac@sage70.com
    ------------------------------



  • 30.  RE: GDPR Preparation?

    Posted May 11, 2018 12:06
    Thank you, Mary, for starting this track of the discussion.

    I can say that I've learned more here, specific to our sector, than in any other information I've seen.

    Thanks to everyone for contributing!

    ------------------------------
    Tricia Maddrey Baker
    Social Media/Communications Manager
    Aplastic Anemia & MDS International Foundation
    Bethesda, MD
    ------------------------------



  • 31.  RE: GDPR Preparation?

    Posted May 12, 2018 16:45
    Thank you, Bill, for the info about personal contacts and conferences. We're about to send out an internal email about how GDPR will affect the rest of the staff.

    Mary

    ------------------------------
    Mary Gaughan
    FSG
    Boston, MA
    ------------------------------