There are tons of posts and articles out in internetland right now on GDPR. And for good reason, since it has the potential for affecting so much of what we do online.
For anyone living under a rock (or maybe just avoiding the pain of dealing with it), GDPR is the European Union’s (EU) new data law meant to protect the privacy of anyone located in the EU (notice I didn’t say ‘residents’ or ‘citizens’?). GDPR stands for “General Data Protection Regulation” and is meant to dictate how you can collect and store the personal data of people in the EU.
For reference, here’s a current list of countries that are EU members.
GDPR went into effect on May 25th. But I KNOW some of you have not read up on it yet. And I KNOW that even if you have, there’s still a group of you who haven’t taken any action. So despite the fact that lots was written on this before the law took effect….
I’m writing this now as a special gift to all my favorite procrastinators. You know you who are.
This is your loving nudge to help get your act together.
At this point, you may be thinking “I’m not in Europe so why do I need to worry about this?”
Because the law still affects anyone residing in the EU who you either do business with (which could be guest artists, contributors, etc.) or anyone you market to (patrons or donors located overseas).
Do you have an email newsletter for your nonprofit? Then I guarantee that this law affects you.
I’m not going to beat a dead horse with this one because there are lots of good articles out already on what GDPR is and what you should do about it (scroll down to the bottom of the post for recommended reading).
But what I am going to do is give you a few bullet points to highlight some areas arts nonprofits definitely need to be aware of. And I’m following that up with three to-do actions you can take this week to get ready.
What Arts Nonprofits Need to Know:
This affects you if your organization has ever…
- Sold a ticket/art item/auction item/whatever to someone in the EU
- Accepted a donation from someone in the EU
- Worked with a guest artist/gallery contributor/partner of any kind who is an EU citizen
- Sold anything from your online store to a person in the EU
- Sent out an email newsletter or digital communications of any kind to a list that includes people located in the EU
The data they are interested in include names, addresses, emails, IPs, social security numbers, and location data.
All data from people who were located in the EU at the time you interacted with them, and who have not re-consented by May 25th, was supposed to have already been deleted from your records.
Yikes… If you haven’t done anything yet, you need to drop everything and start looking through records, because you’re already in violation.
3 Must-Do Actions to be Compliant with GDPR:
#1 – Delete EU records
Go through your donor database, guest artist files, sales records, and anything else that contains information of people you’ve worked with or marketed to. Identify EU citizens and/or people who you know or think were in the EU during your interaction. Since you are late to the party here, you must remove their information. Bummer. At this point you cannot contact them to get consent.
#2 – Update the Privacy Policy and the Terms of Use documents on your website
You need to include some legal provisions in these documents to detail how you handle data collection and protection from those in the EU and what recourse they have if they want to see what data has been collected or get it removed from your files. For this you will want to talk with an attorney. Hopefully there is one on your board. And if you don’t currently have a privacy policy or terms of use set up on your website – you need one like yesterday. Get on it.
#3 – Make sure you have systems in place moving forward to always obtain consent
Ok, this one involves a little legwork on your part. You are going to need to update email newsletters, marketing emails, digital ads, email opt-ins on your website, disclaimers when someone purchases a ticket or makes a donation, etc. These can be simple, but you need to cover your bases and make sure there’s one everywhere you could come into contact with serving, working with, or marketing to anyone located within the EU. Make sure there’s info detailing what data you collect, what you use it for, and how they can opt-out/unsubscribe/request their data.
You may be saying that your audience is local or that certainly no one outside the US would be interested in signing up for regular communications.
But if you don’t have a way of actually preventing non-US residents from signing up for digital communications, then you MUST still put some measures in place.
I hope this helps and if you’ve avoided becoming GDPR-compliant until now, please take some action today to get started on this. Don’t let your nonprofit be found in violation, because you could be slapped with some hefty fines and penalties as a result.
Want to make sure you’re in compliance with your digital marketing? Get my Swipe File with some language you can use on newsletter opt-ins, emails, and donation pages for you to copy & paste. Please also run this language by your organization’s legal counsel to make sure it covers all your bases. You may need to add or change some of the wording!
Other Links to Great Reading Material on GDPR:
Read this article from Adaptistration if you are an arts NPO (and specifically an orchestra)
Read this article from Amy Porterfield if you are worried about how it will affect email marketing & newsletters (NOTE: She says this one’s for entrepreneurs but it’s so packed with good info, ignore that and read it anyway).