
Topic: GDPR Preparation? 

1.  GDPR Preparation?

Posted Jan 08, 2018 15:41
Is anyone working on GDPR (General Data Protection Regulation) compliance? I'm just reading up on it and thinking about the changes we would need to make to our website and marketing process. We're hosted by Acquia and use Salesforce for our data, and they are both compliant, but I'm wondering about language for our registration forms and cookies. Feeling a little overwhelmed at this point!

Mary


------------------------------
Mary Gaughan
FSG
Boston, MA
------------------------------


2.  RE: GDPR Preparation?

Posted Jan 09, 2018 13:55
Mary,

I haven't started yet (next month hopefully), but I have an Asana task to learn what our org needs to do for GDPR since we have members and students in Europe. We use Salesforce, Google Suite, and WordPress.


Kai 

--
Kai Williams
Executive Director

The International Wildlife Rehabilitation Council






3.  RE: GDPR Preparation?

Posted Jan 10, 2018 10:23

One place to start is to update your website with a message about cookies, and reference your cookie policy/data gathering and data protection policy.  Pretty much any business operating in Europe is already doing this, and if you visit their websites you can see what others are doing.  Example – go to www.economist.com and note their message:  "By continuing to browse..."

 

That's not all you need to do, but it will get you started.

 

 

Jeff Chandler
President
American Technology Services, Inc.
2751 Prosperity Ave.
Suite 600
Fairfax, VA 22031
Tel. 703-876-0300 x5362
chandler@networkats.com

 






4.  RE: GDPR Preparation?

Posted Jan 10, 2018 17:23
Here's a statement on GDPR from Salesforce that someone recently shared with me. https://www.salesforce.com/content/dam/web/en_us/www/documents/white-papers/gpdr-fact-sheet.pdf

------------------------------
Ashley Hansen
VP of Growth, Frakture
Washington, DC
ashley@frakture.com
------------------------------



5.  RE: GDPR Preparation?

Posted Jan 11, 2018 11:02
We are a partner for SAP and its public sector solution (Business ByDesign Public Sector) geared to municipalities, nonprofits and higher education. The following links discuss how SAP is already compliant with GDPR in its products and any measures being taken to ensure enhanced compliance for May 2018. While the documentation is specific to SAP solutions, you can glean from the requirements and SAP's stated compliance how your ERP may or may not meet the stated requirements:

GDPR - Getting ready for May 25, 2018 – part 1
GDPR - Getting Ready for May 25, 2018 – part 2

In case of issues following the links, I have also attached the content.

Hope this helps to provide a better understanding of the requirements and how to address them.

------------------------------
John Kearns
Primary Contact
Accounting Micro Systems
San Francisco
john.kearns@accountingmicro.com
------------------------------



6.  RE: GDPR Preparation?

Posted Feb 01, 2018 11:37
We have clients who are preparing for this now.  In fact, I just wrote the first of a series of blog posts on GDPR.  This first post reviews who it applies to (spoiler alert: US organizations are not exempt) and generally what needs to be done.  We'll be diving into more details in subsequent blog posts over the next few weeks.

GDPR: Is Your Organization Ready?



------------------------------
Lynn Labieniec, CEO
Beaconfire RED
2300 Clarendon Blvd, Suite 925
Arlington, VA 22201
direct: 571-814-2201
lynn.labieniec@beaconfire-red.com
www.beaconfire-red.com
------------------------------



7.  RE: GDPR Preparation?

Posted Feb 14, 2018 11:04
We have been doing some background research and my own goal is to have a strategic plan together in the next 10 days. We are a nonprofit subsidiary of a larger health care system with affiliates globally, including the EU. I have attended multiple vendor webinars and read white papers and checklists. I think the big items are:
  • Doing a risk assessment of your CRM/Donations and how that information is stored and secured
  • Ditto your internal network/AD/Office environments - understand what your vendors are providing (or not). If they haven't offered, ask what they are doing and get it in writing
  • If you have homegrown web systems that collect and distribute PII, time to do a deep dive and figure out again, what PII you may be storing and how it is safeguarded.

Cookie disclaimers on websites are just the tip of the iceberg. Good luck to all of us.

Kristin

------------------------------
Kristin Iden
Manager, Data, IT and Web Systems
Safe Kids Worldwide
Washington, DC
------------------------------



8.  RE: GDPR Preparation?

Posted Feb 28, 2018 10:41
Hi Mary, there have been a few folks sharing resources over the last month. Just wanted to make sure you saw those and are feeling at least a little bit more confident about what you need to tackle.

In case you missed them, here are links to two blog posts we've done:
GDPR: Is Your Organization Ready?
GDPR & Cookies (with Milk!)





------------------------------
Lynn Labieniec
CEO & Co-Founder
Beaconfire RED
lynn.labieniec@beaconfire-red.com
------------------------------



9.  RE: GDPR Preparation?

Posted 15 days ago
How many of you have started sending out policy emails related to GDPR?
I'm wondering what the loss of subscribers is with this? How has this affected your numbers?
Do people appreciate it? Or get turned away?
Does anyone have a good template for comms on this?
Thanks in advance.


------------------------------
Danielle Siembieda
Leonardo/ISAST
Oakland, CA
------------------------------



10.  RE: GDPR Preparation?

Posted 13 days ago
Hello Danielle,

I wanted to share with you some guidance from the UK's Information Commissioner's Office (ICO) on privacy notices for compliance with GDPR, which you can find here: Privacy notices, transparency and control. This document provides guidance on what you should include in your privacy notice (however, this is laid out pretty clearly in Articles 13 and 14 of the regulation), as well as where and how you should deliver your privacy notice, plus other valuable pieces of information.

Hope this information is useful.

------------------------------
William Rankin
Manager, Compliance Services
571.405.5378
wrankin@networkats.com
------------------------------



11.  RE: GDPR Preparation?

Posted 13 days ago
Edited by Dan Germain 13 days ago
Higher Logic (the company/platform that powers the NTEN online community) has been preparing for GDPR for some time now, as we power communities touching over 25 million participants globally. You can find lots of additional information and access a free GDPR webinar recording on our website here: An Introduction to the EU Global Data Protection Regulation
An Introduction to the EU Global Data Protection Regulation
If you send email or maintain a user database and have any members, customers, or prospects in the European Union, you've probably heard about the Global Data Protection Regulation (GDPR). Going far beyond email and electronic communication, this new law covers all aspects of data privacy and has been hailed as the most important such regulation in 20 years.


------------------------------
Dan Germain
Director, NonProfit Sector
Higher Logic
dgermain@higherlogic.com
737-205-1037
------------------------------



12.  RE: GDPR Preparation?

Posted 9 days ago
Hi all, has anyone worked with any consulting companies that help organizations prepare for GDPR? If so, can you recommend someone? Do you know if it's better to work with a consultant to help assess the organization's situation, or is it best to go straight for legal help instead?

------------------------------
Contessa Siegner
IT Director
Proverbs 31 Ministries
Matthews, NC
------------------------------



13.  RE: GDPR Preparation?

Posted 8 days ago
We offer GDPR compliance help to our clients.

Our approach is to help assess the overall scope and impact of GDPR on your organization (i.e., to what extent do the regs apply to you, and how much of the way that you process data is going to be impacted), to surface some big-picture questions (e.g., is it feasible to simply stop dealing with EU residents, given your work? What is your tolerance for legal risk relative to the compliance work ahead?), and finally, to create a prioritized plan to address your issues. This plan is what you can then take to an attorney to receive specific additional guidance and a formal legal opinion that you can rely on.

We believe that clients must get legal advice on this matter, since it's ultimately a legal issue. However, most attorneys and firms don't have or offer the kind of service required to assess and plan for compliance. And at the rates attorneys typically charge, it may be much more cost-effective to work with a consultant to assess and build a plan, and then bring in an attorney to certify it. Feel free to contact me directly if you'd like to learn more.

------------------------------
Isaac Shalev
http://www.sage70.com
Stamford CT
@Sage70
isaac@sage70.com
------------------------------



14.  RE: GDPR Preparation?

Posted 7 days ago
Glad to see this post here! BIG changes are on the horizon and, in speaking with several individuals and orgs at NTEN last week, this issue is still widely unknown.

Our organization, Briteweb (briteweb.com), is a social sector consultancy that develops strategy, design, and technology solutions for nonprofits and foundations. We provide auditing services that yield a 'report card'/recommendations brief for bringing your website up to regulation. From there, we help implement the changes or guide you through the process of doing so yourself (we've found that most of the changes can be done relatively easily by our clients; it's identifying the compliance issues that can be tricky).

Happy to chat with anyone who has questions or wants to learn more about what they should do. Feel free to send me an email brodie@briteweb.com.

------------------------------
Brodie Wasserman
Briteweb (briteweb.com)
Brooklyn, NY
------------------------------



15.  RE: GDPR Preparation?

Posted 6 days ago
That's excellent! GDPR is a great opportunity to revisit your website not only to implement compliance features, but also to think about those requirements as part of the user journey. The transparency requirements of the GDPR for consent and privacy are a great opportunity to reframe your relationship with donors by being plainspoken and appreciative. E.g., don't say "you hereby give us consent to share your data with 3rd-party partners"; say "Thank you for being an activist. Information you share can help us connect you to additional resources provided by some of our allies. Sharing that information can really help us make a difference, but if you don't want us to, that's ok too. You're welcome to opt out."

And remember, GDPR compliance isn't just about your website; it's also about your CRM, your payment processing, your internal policies, and even your scattered spreadsheets and paper files. Reach out to us or other experts if you need help; the deadline is almost here!

------------------------------
Isaac Shalev
http://www.sage70.com
Stamford CT
@Sage70
isaac@sage70.com
------------------------------



16.  RE: GDPR Preparation?

Posted 5 days ago
What are the requirements for sending data to third parties, like sending names and postal addresses to a mail house?

------------------------------
Judy Freed
Marketing Strategist, Alliance for the Great Lakes
Co-Organizer, NTEN Digital Advertising Community
Chicago, Illinois
------------------------------



17.  RE: GDPR Preparation?

Posted 5 days ago
Hello Judy,

The short answer is this. You should have a contract in place with the data processor (mailing house) that clearly states they will only process the data based on the guidance you, as a data controller, give them, plus a few other items that are listed in the regulation. You will also want to make sure your privacy notice clearly states that you share information with third parties and what the purpose is. You will also want to get assurance from the processor that they have adequate security measures in place to protect the confidentiality, integrity, and availability of the information you are sharing.

-Bill






18.  RE: GDPR Preparation?

Posted 5 days ago

Thanks, Bill. That's super helpful. Do you know if Facebook has any language about how they handle email addresses that organizations upload for the purpose of creating custom ad audiences? Our organization is in the U.S., but we'd like assurances that the info will be used only for the purpose of targeting our ads and that Facebook won't retain the info in perpetuity.



------------------------------
Judy Freed
Marketing Strategist, Alliance for the Great Lakes
Co-Organizer, NTEN Digital Advertising Community
Chicago, Illinois
------------------------------



19.  RE: GDPR Preparation?

Posted 5 days ago
Hey Judy,

I am glad you found that information helpful.  Facebook is an interesting subject, especially over these past weeks.  I have a couple of pieces of information to share with you but I have to state, I do not think this will fully answer your question.

  1. Here is the link to Facebook's updated privacy policy - Data Policy.

    1. I have not read this but I did a quick find for email which returned two references.
      1. The first was in a note about reducing the data developers and applications can request to include (not exclude) email.
        "Note: We are in the process of restricting developers' data access even further to help prevent abuse. For example, we will remove developers' access to your Facebook and Instagram data if you haven't used their app in 3 months, and we are changing Login, so that in the next version, we will reduce the data that an app can request without app review to include only name, Instagram username and bio, profile photo and email address. Requesting any other data will require our approval."

      2. The second was about the information they share with advertisers, and in this instance email was excluded.
        "We provide advertisers with reports about the kinds of people seeing their ads and how their ads are performing, but we don't share information that personally identifies you (information such as your name or email address that by itself can be used to contact you or identifies who you are) unless you give us permission. For example, we provide general demographic and interest information to advertisers (for example, that an ad was seen by a woman between the ages of 25 and 34 who lives in Madrid and likes software engineering) to help them better understand their audience. We also confirm which Facebook ads led you to make a purchase or take an action with an advertiser."

  2. techcrunch.com published this article https://techcrunch.com/2018/04/17/facebook-gdpr-changes/ on their view of Facebook's new privacy policy.

Hope this sheds some light on the subject for you.

Thanks,
Bill

------------------------------
William Rankin
Manager, Compliance Services
571.405.5378
wrankin@networkats.com
------------------------------



20.  RE: GDPR Preparation?

Posted 2 days ago
When you upload emails to create a custom audience, you don't actually transmit email addresses to FB. Instead, before the data leaves your browser, it gets hashed. Hashing means taking the data you provide and converting it via algorithm in a manner that makes it impossible to reverse-engineer. In other words, you're giving FB a meaningless set of data that it can't turn back into email addresses. FB, in the meantime, has collected and hashed many emails from many people, using the same hashing algorithm. Basically, they compare the hashes you provide with the hashes they have stored. Any matches are added to your custom audience. Then, all the data is deleted.

https://www.facebook.com/business/help/112061095610075

This methodology doesn't mean the hash data isn't covered by GDPR, or doesn't count as personal data. Rather, this approach is consistent with good practices for making data anonymous or semi-anonymous. Fortunately, Facebook participates in the Privacy Shield program, so presuming you have permission from your users to use their data in this way, and you have acceptable reasons for doing so, the issue of transferring data to Facebook shouldn't be an obstacle.

https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC

------------------------------
Isaac Shalev
http://www.sage70.com
Stamford CT
@Sage70
isaac@sage70.com
------------------------------
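The hashed customer-list matching Isaac describes, as an added Python example that is not part of this thread or of Facebook's code: it normalizes addresses, hashes them with SHA-256 (the algorithm and the trim-and-lowercase rule are assumptions here, not taken from the post), matches the upload against a platform-side hash index built from constructed sample data, and shows why unnormalized input silently loses matches and why such hashes stay personal data for any party holding the plaintext.

```python
import hashlib


def normalize_email(addr: str) -> str:
    """Trim whitespace and lowercase so the same mailbox always hashes identically."""
    return addr.strip().lower()


def hash_identifier(addr: str) -> str:
    """SHA-256 hex digest of the normalized address (algorithm choice is an assumption)."""
    return hashlib.sha256(normalize_email(addr).encode("utf-8")).hexdigest()


def hash_raw(addr: str) -> str:
    """Same digest but without normalization, to show how matches are lost."""
    return hashlib.sha256(addr.encode("utf-8")).hexdigest()


def match_audience(uploaded_hashes, platform_index):
    """Intersect the uploaded hashes with the platform's hash -> user-id index.

    This is the whole 'reverse': the platform never inverts the hash, it simply
    recomputes the same digest over addresses it already holds. Anyone with the
    plaintext can do the same, which is why the hashes are still personal data.
    """
    return sorted(platform_index[h] for h in set(uploaded_hashes) if h in platform_index)


# Constructed sample data: the advertiser's list and the platform's registered users.
OUR_LIST = [" Alice@Example.org", "bob@example.org", "carol@example.net"]
PLATFORM_USERS = {
    "alice@example.org": "u-1001",
    "carol@example.net": "u-1003",
    "dave@example.org": "u-1004",
}
PLATFORM_INDEX = {hash_identifier(e): uid for e, uid in PLATFORM_USERS.items()}


def demo_normalized():
    """Normalized upload: Alice and Carol match, Bob is not a platform user."""
    return match_audience([hash_identifier(e) for e in OUR_LIST], PLATFORM_INDEX)


def demo_unnormalized():
    """Raw upload: Alice's mixed-case entry hashes differently and is silently dropped."""
    return match_audience([hash_raw(e) for e in OUR_LIST], PLATFORM_INDEX)


if __name__ == "__main__":
    print("normalized matches:  ", demo_normalized())
    print("unnormalized matches:", demo_unnormalized())
```

Run it to see the normalized upload match two users while the raw upload matches only one; no address ever leaves the advertiser's side in clear, yet the platform still learns exactly which of its users are on the list.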



21.  RE: GDPR Preparation?

Posted 2 days ago
Thanks, Isaac. That's exactly what I was looking for. Facebook doesn't make it easy to find!

------------------------------
Judy Freed
Marketing Strategist, Alliance for the Great Lakes
Co-Organizer, NTEN Digital Advertising Community
Chicago, Illinois
------------------------------



22.  RE: GDPR Preparation?

Posted 2 days ago
My pleasure! I needed to use Google to find it myself.

------------------------------
Isaac Shalev
http://www.sage70.com
Stamford CT
@Sage70
isaac@sage70.com
------------------------------



23.  RE: GDPR Preparation?

Posted yesterday
Here's another good resource: GDPR for Nonprofits, a presentation @Lynn Labieniec and @Rosa Del Angel gave at 18NTC. I wasn't able to attend the session, but the collaborative notes and the slide deck are clear and chock full of info.

------------------------------
Judy Freed
Marketing Strategist, Alliance for the Great Lakes
Co-Organizer, NTEN Digital Advertising Community
Chicago, Illinois
------------------------------



24.  RE: GDPR Preparation?

Posted yesterday
Thank you for this fantastic thread and resources.

------------------------------
Elizabeth Mace
Director, Online and Social Media Strategy
Volunteers of America
Alexandria, VA
------------------------------



25.  RE: GDPR Preparation?

Posted yesterday

Thanks for all the great info! I can report that our email service provider is cracking down on permissions issues and I think we'll see more of that in the days to come. Twitter announced this morning that they will be releasing new terms on May 25. It's good to see that things are happening. When I started this post back in January, I felt like a voice in the wilderness!



------------------------------
Mary Gaughan
FSG
Boston, MA
------------------------------



26.  RE: GDPR Preparation?

Posted 12 hours ago
I was also unable to attend this session, but a huge THANK YOU to the presenters and those taking the notes. (Yeah, that was a shout. Maybe a shout-out.)

------------------------------
Grace Barry
Director of Information Technology
Family Service League
Huntington, NY
------------------------------