A practical guide to GDPR for non-European organizations (without all the legal mumbo jumbo)

If you’ve been overwhelmed by the stream of GDPR (General Data Protection Regulation) information, we’ll try to distill things down for you into a practical GDPR guide. We’re not lawyers, so don’t interpret this as legal advice, but we do have deep experience in the web for non-profit and education organizations.

First, you may not even have to think about GDPR. Ask yourself these questions:

  • Do you target donors/clients/students/readers, or have employees in the EU (including the UK until Brexit happens)?
  • Are you a Fortune 1000 company, an Ivy League college, or an Alexa top 1000 website?
  • Are there malicious people that will tattle-tale on you just to get you in trouble?

If you answered “no” to all of these questions, then you can stop reading now and go back to your regular mission of saving the world. Yes, GDPR technically applies to you, but it’s unlikely that you’ll be targeted for enforcement. Your resources will be better spent elsewhere.

Overarching Perspectives

If you do fall into any of the above categories, it’s important to not be overwhelmed. The GDPR is merely codifying “the right thing.” Chances are, you’re probably already doing many of these things.

However, you should know that the GDPR affects your entire organization; it’s not just about your website. Because most of the people in your organization use the contact information and other private information of individuals, the GDPR could impact everyone at your organization.

You also might not need to learn all the jargon around “data processors vs. data controllers,” “special categories,” or “material scope”. Instead there’s some simple heuristics that you can use to figure out what the GDPR rules approximately are. It all comes down to the fact that your organization does not own the contact information or private data about the people that you interact with; they do. And just like a physical object that you borrowed from someone, you can ask yourself:

  1. Did I get their permission to use it?
  2. Am I only using it for the things that they’ve allowed me to?
  3. Am I doing what I can to keep it safe (think of all the ways that it’s used)?
  4. Am I doing what I can to keep it private (think of all the ways that it’s used)?
  5. Is there a way for them to find out what stuff I’ve borrowed from them?
  6. Is there a way that they can get their stuff back from me (AKA “right to be forgotten”)?

Typical Examples

Let’s look at some of the typical things that your website is likely doing, and what your responsibilities are.

Analytics, Social Media, and Other Third Parties

If your website uses (I think every website built in the last 12 years will be included in this list):

  • Google Analytics
  • a Twitter stream
  • a Facebook “Like” button
  • Google Fonts
  • YouTube videos
  • other third-party services

then you may need to change how those services are used. That’s because you are essentially passing on your visitors’ private data to these third parties (these companies can aggregate data across several websites to create a profile about what kind of person you are, where you live, and how much money you make). However there’s a lot of debate about this. I interpret the GDPR as requiring a visitors’ consent before you load up the third-party images/javascript/etc. But some people interpret the GDPR as suggesting that you only need to update your privacy policy. We may need to wait for the courts to decide this one.

A box that appears at the bottom of the page asking the visitor to acknowledge the use of cookies.

An example of the Cookie Consent library. Only load 3rd-party tools or sensitive cookies if the visitor approves.

We recommend using the Cookie Consent library to obtain a visitor’s permission before loading these services. This library also has the option of only showing this speedbump to visitors from the EU. But that’s the easy part — the hard part is setting up these services to only load after the visitor has clicked “Okay.”

The Social Share Privacy widget first shows a greyed out "like" button and only connects to Facebook after the visitor clicks the button

Before activation this button doesn’t send information to a third party.

For social media, if you don’t want to use a technique like Cookies Consent, then there’s Social Share Privacy library that shows a phantom like/share button that the user clicks before the real thing is loaded.

Analytics is a tricky one since the whole point is to have it load immediately to track the visit.  You might consider switching to an analytics provider that can give you better assurances in your contract about how they (won’t) use your data.

For videos, if you don’t want to use a technique like Cookies Consent, then there’s the MyTube plugin that shows a thumbnail (with a disclaimer) for the visitor to click before the video is loaded.

Video from the MyTube library with a disclaimer beneath.

The MyTube library shows what looks like a regular video. But no 3rd-party services are loaded until the visitor clicks the play button.

“Contact Us” Web Forms

Here we’re mostly concerned with the perspectives of “keep it safe” and “keep it private.” There’s a few ways that you may need to change how your forms work:

  • Remember that email isn’t secure, so don’t email the full text of the form to your staff. Just a link for them to view it on the website (after logging in) is what you need instead.
  • Ensure that only the necessary people can read submissions.
  • Use HTTPS for your entire website. We’ve been advocating this to our clients for years. There’s no reason for governmental agencies, internet service providers, or malicious actors to know what people are doing on your website.

Email Newsletters

The same pointers for “Contact Us” forms apply here too. Going back to those overarching perspectives listed earlier, here we think mostly about “did I get their permission” and “getting it back”.

We all hate it when all of a sudden we start to get an email newsletter that we didn’t sign up for. This is already illegal in most jurisdictions. Now it’s illegal under the GDPR, too, because you need the individual’s permission first. But more importantly, you need permission specifically about the email newsletter. You can’t add people to your email newsletter just because they interacted with your organization in some other capacity.

If you have been involved in the previously morally ambiguous practice of adding people to your newsletter without their specific consent, you are now in a tough spot. You can’t send all your subscribers a “confirm your subscription” email, because you already don’t have their permission to send that email. Practically, that might be your only option other than restarting your newsletter list from scratch. You’ll need to make that decision for yourself.

If you have built up your existing newsletter subscribership by properly asking permission, then there’s no need to send another “confirm your subscription” email. You’ve already got permission, and sending such an email will likely lose you a good percentage of subscribers that don’t bother to click through, but will still read a future email.

The second important thing here is providing a way for people to get their information back. In this context that means not only unsubscribing from your list, but also getting their contact information removed from your database. It also needs to be as easy as it was to sign up for your newsletter; you can’t just make the excuse that they could go to your website, find the “contact us” form, and send you a message.

CRM

Everything that we’ve talked about above applies to your CRM too. Additionally, the overarching perspective of “find out what stuff I’ve borrowed” applies here. If someone contacts you asking to know what information you have about them (this should either be a dedicated form, or a category on your existing “contact us” form), then do you have a way to export all the data from your CRM about the individual?

There’s also additional responsibilities that you have around how you use your CRM, but that’s more than we can get into in this blog post.  

Cookies

Your website might use cookies to keep track of things like “this visitor has seen this message, so don’t show it to them again” or “this visitor prefers to see a list using thumbnails instead of text.” There’s nothing private or personal about this information and there’s no way to track it back to the individual — so there’s nothing that you need to do here.

But if your website uses cookies to track more sensitive information, then you’ll need to use a similar technique to what we describe above for third parties.

Privacy Policy & Terms of Service

If you do need to make changes in any of the above areas, then you’ll likely also need to make some adjustments to your privacy policy and terms of service. Dang, you’ll still likely need a lawyer to help with this.

This is a lot! I want to scream!

Don’t get overwhelmed. Rather than getting everything perfect, it’s more important to show that you’ve taken steps forward, and that you’re visibly working towards compliance.

My website does so much more

Do you have user accounts, membership log-in forms, or user-generated content? Then you’ve got more responsibilities — more than we can fit in this short blog post. Some of this may be around the way that you sanitize that information when using it internally (or with vendors like us). But we’ve worked through these things with other organizations, and we can help you work through the implications for your website.

Lastly, if you want to know more about the legal details of GDPR, we recommend a GDPR guide put out by Platform.sh.

Photo by Descrier via Flickr, some rights reserved.