Advotalk: Let’s Keep This Private – GDPR, CCPA, and Other Frontiers in Nonprofit Data Privacy

Many US-based nonprofits are still wrapping their heads around data privacy. How should donor, client, and other information be captured? Stored? What counts as an opt-in? Data privacy is a hot topic in governance these days, and it is not going away.

This conversation will unpack GDPR, CCPA, SCA, ePrivacy, and other threads of privacy and data for nonprofits. We’ll provide an overview of the landscape, what success can look like, and some digital tactics that your organization should consider implementing.

This one-hour conversation took place on July 10, 2018 at 2:30 p.m. EST and was invitation-only for Advomatic clients.


Sarah Durham: First of all, thank you all for joining us today. I would say about half the people in the room today know me, and know me through Big Duck or through Advomatic. I have owned Big Duck, which is a communications firm that helps nonprofits predominantly with branding and capital campaigns, for 25 years. And I recently acquired Advomatic. So, those of you who’ve been Advomatic clients for a while have been getting some messages from me, but we may not have met personally yet. My jam is, I am passionate about nonprofit communications. I see my job as being a support person or the pit crew for you and the organizations that you work for. And it’s just an honor and a privilege to be in a room with so many people doing such amazing work from so many great organizations.

Sarah Durham: The organizations that are on the call today are a mix of organizations that work with Advomatic, some are Big Duck clients. Some of you are both; there’re going to be a bunch of people logging in today from the ADL, from ACLU, those are both Big Duck and Advomatic clients. And this event is a first-time thing for Advomatic, but it’s modeled on something we’ve been doing at Big Duck for a while, which is just trying to bring together a community of nonprofit communications people to talk about a topic that is skills-building. And so, the format that we have used for this in the past is we would pick a topic that we want to learn more about and maybe we have some expertise on, and we begin by laying out a little theory, giving everybody in the room something to chew on, something to think about, some basis for the conversation, and then we open it up for discussion.

Sarah Durham: And the intention when we open it up for discussion is both for you to have the opportunity to ask questions, but also for you to have the opportunity to share. Because, we’re going to be talking about topics that you have probably been grappling with in your work, and we want to learn from you. So, the purpose here is not for this to be a webinar, it’s really for it to be conversational. Because we’re doing it on Zoom, it’s going to feel a little bit more like a webinar. It’s a little bit removed, but we’re not going to show you slides. What we’re going to do initially is Ochen and I are going to have a conversation, and I’m going to ask him a series of questions that I think will tee up a lot of the really important topics and meat behind this issue. But then, we can all turn on our video cameras, we can all unmute, and we can have a more informal conversation.

Sarah Durham: And as we’re going, if you have a question, feel free to chat it in, and if I see it or Ochen sees it and it feels appropriate to interject it into the conversation on the fly, we will do that. Otherwise, we’ll save it for the end, and then I’ll facilitate a discussion today. So, just to provide a little bit of context for this, I want to introduce Ochen and tell you a little bit about why we picked this topic. So, Ochen, who you can see on screen, is a senior developer at Advomatic. He joined our team in January, I think, pretty recently, and has been working as a developer for a long time. But, the amazing thing about Ochen that blew my mind when I first met him is that he is also a lawyer, and a lawyer with deep expertise in issues of privacy. And one of the things that I have been personally really struggling to wrap my mind around for really about a year now is GDPR and its implications for nonprofits. What kind of GDPR-related or privacy-related issues do you all need to be thinking about?

Sarah Durham: And so, I started talking to Ochen about this earlier this year, and that sparked this. So, Ochen is a lawyer, he’s an expert in these issues. Although, I think it’s important for us to disclaim that in our capacity today, he is an Advomatic employee, who is also a web developer, and that is his predominant role. So, we’re not here to give you legal advice. Ochen, how did you say it? You’re… I’m a lawyer, not your lawyer.

Ochen Kaylan: Exactly, yeah.

Sarah Durham: Yeah. So, obviously, we want you to take this conversation as food for thought, not prescriptive legal advice. But I do think you’re going to learn a lot from Ochen today. And what we’re going to do is dig into this conversation of privacy. I started thinking about privacy when something happened in the EU, in England actually, in 2015. If any of you are fundraisers, you might be familiar with a conference called the International Fundraising Congress. This is a conference that happens every year in the Netherlands. And I was at that conference in 2015, right after an incident had occurred in England. The incident was that a 92-year-old woman, who sold flowers for a living, named Olive Cooke, committed suicide. She jumped off a bridge. And after she was gone, they found a letter. And in the letter, Olive said that she had committed suicide because she felt she had been so hounded by nonprofits for gifts, for solicitations, that it actually pushed her towards suicide.

Sarah Durham: And this was causing a big media stir in London and in the EU generally. And what surfaced in the EU was a real movement about data collection and sharing. It sparked this whole conversation in England, particularly first, which spread, I think, through the EU, about what information do nonprofits own about the donors or clients that they work with? And is that their information? Should they own that information? I believe that this is a topic that is coming our way, we are going to have to deal with this in a big way, we should be dealing with this in a big way. But for a lot of nonprofits, it’s not really fully on our radars, because we have not yet had federal legislation that has forced us to have it on our radar. So, the bigger conversation here is about privacy. And as I’ve talked to Ochen, he keeps bringing me back to that, excuse me, which is helpful. But, since many people on this call are familiar with GDPR, let’s start there.

Sarah Durham: Ochen, can you just begin by telling us a little bit about GDPR and why it’s relevant for nonprofits?

Ochen Kaylan: Sure. So, maybe at the highest level, the GDPR, the General Data Protection Regulation, is a regulation that the EU created a couple of years ago; it went into effect about a year ago. And in short, what it does is, it establishes the data privacy rights of EU residents. It’s an interesting regulation in that it doesn’t tell businesses or organizations or people what they have to do, it just says, if you’re an EU resident, you now have certain rights that are codified in law, and now, it’s up to everyone else to protect those rights, basically, to conduct themselves in a way that comports with those rights. A question that a lot of U.S. organizations, companies, have is, if it is EU, do we have to care about it? And the way that it is structured is, because it establishes rights of the EU residents, anyone who interacts with an EU resident has to protect their rights. We have international treaties that we’re going to comport with [inaudible 00:08:57].

Ochen Kaylan: So, the GDPR says that anyone who resides in the EU, and it’s not about citizenship, it’s about where the person resides, they have certain protections. They get to control their private information. They get to make sure that only people or organizations that they want to have their info, get to have their info, or get to use their info. They get rights around correcting that info, or erasing that info, or having access, just knowing what an organization has about that. Those are now all rights that EU residents have. And so, how it affects us is, if we have any data from EU residents, we then have to treat that data and that person in a very particular way. We have to be able to tell them, how we’re collecting their data, why we’re collecting their data.

Ochen Kaylan: How we’re using that data, who we share that data with. How they can see what data we have, how they can fix it if there’s something wrong with it, how they can get us to delete it. Those are now all decisions that we need to make, so that we can support all of those rights of those EU residents.

Sarah Durham: So, just to put a little bit more pressure on what you’ve just said, let’s imagine I work at a nonprofit that’s on this call today, and I am a U.S.-based organization. And the work that I do is focused on the U.S. So, I only intend to reach and communicate with people in the U.S. But, somebody who lives in the Netherlands comes to my website to find out some information, and maybe they fill out a form or they sign up for a newsletter. What am I on the hook for or not on the hook for, in terms of the information I capture from them, even though they’re not my target audience?

Ochen Kaylan: Yeah. This gets really wonky very quickly. The way that the regulation actually defines it is, it uses this legal term called envisaging. And envisaging is essentially, if you can imagine, as the business owner or as the website owner or whatever it is, if you can imagine an EU resident coming to your site for some reason, you have envisaged it. Where this often comes down to is, let’s say you’re a restaurant, a neighborhood restaurant, and you take reservations online. If you’re a neighborhood restaurant, and the only people who come to your restaurant are people in your neighborhood, then you’re not envisaging EU residents putting their data in your website. But, maybe you’re a restaurant that is right next door to a tourist destination. Well, you may have the same website, the same menu, the same restaurant, whatever. But now, you expect that you’re going to get some tourists who came to the tourist destination, and then come over to your place to eat.

Ochen Kaylan: In that case, you can imagine that it’s going to happen. So, for us, that means things like, if we have, let’s say, our nonprofit has a newsletter, and the topic of that newsletter is internationally applicable, it seems reasonable that you’re going to get an international audience [for your] newsletter. So, if you’re collecting email addresses for that, well, then you might be implicated. Your organization might just be U.S.-based, but if you serve, provide services for people in other countries, in EU resident countries, or EU countries, then you might envisage it. Also, if you provide your content in multiple languages.

Ochen Kaylan: Like say, you provide English, but then you also provide your site in Spanish and in French and in German, the EU regulators say that’s enough, because you’re providing content in the native format, in the native language of EU member states. So, you don’t actually have to have a presence in the EU, it’s just, if you can imagine any reasonable connection, then you’re probably implicated.

Sarah Durham: When we get into this bigger conversation about privacy, I find there is a real tension that I want to put out on the table here. And it’s a tension, I think, particularly for nonprofits, between wanting to do something that feels like it holds up the highest ethical standards for maintaining privacy for the people who come to our site, versus the agenda that many nonprofits have around collecting names that can be used for things like fundraising or for programmatic recruitment. I want to layer into that, that we are increasingly living in this omni-channel world. Ochen and I were talking about this recently because I host a podcast called the Smart Communications Podcast, and one of the people I interviewed on it recently is Alice Hendricks, who talks on this podcast about how we live in an omni-channel world, and we expect that the brands we interact with, for example, Starbucks, know who we are, know what our favorite latte is.

Sarah Durham: And when we’re in the neighborhood, we get an ad that pops up on our phone that says, “Hey, Sarah, don’t you want a half-caff skim latte?” And they’ve collected so much data about us and they’re using so much of that information, that actually, my expectation of the experience they’re going to provide for me is higher, because I expect to be communicated with in increasingly more personalized ways. But, how does a nonprofit reconcile that? The desire to capture and use data for its own good, or to create a more personalized experience for the people who visit its website with that ethical standard. What’s right?

Ochen Kaylan: Yeah, it’s a really tricky balance. I think the first thing that might be useful is to think about the mindset by which you’re collecting this information. If the goal is to get email addresses, do you go at it in the mindset of, “I am going to steal as many email addresses as I can and just at any cost necessary, I’m going to hoard this information”? Right? Or, do you approach it in the mindset of that, “I want to provide a service, I want to have a good relationship, if these are donors, or if these are just audience members”? You want to create that relationship. And to do that, that’s a partnership, you’re in partnership with your end user, or with your donor. And when you talk about Starbucks, you understand the bargain that you’re making there. You’re saying, “I get that you have my data, but I’m okay with that, because I’m going to get this new service. I’m going to get this thing, it’s going to be tailored for me, it’s going to be faster for me. Whatever it is, I’m going to get some benefit.”

Ochen Kaylan: But that’s a bargain that I get to make. And so, when you’re thinking about collecting data, do you want your data subjects, which is the technical term for it, do you want your subjects to be a part of that agreement or not? Do you want them to be able to make that bargain and say, “Okay, I get that you’re going to have my data, but that means that the newsletters that I get from you are going to be much more targeted to my interest, it means that the solicitations that I’m going to get are much more careful, that, instead of getting 20 solicitations a year, I’m just going to get one, but it’s going to be the right one”? That’s maybe a bargain that most people take. So, it is really about partnership.

Ochen Kaylan: Now, there’s this other partnership which is often between internal competing teams. That, the IT department might say, “Hey, we have the ultimate responsibility of conforming to GDPR. So, we’re not going to let you collect information.” And the marketing team or the development team might say, “Well, this is how we do it. We can’t really do our work without doing it.” And that has the potential of setting up a difficult relationship, where you’re in tension and you’re just fighting with each other. It doesn’t have to be that way, right? That can also be a partnership where the marketing team or development team can go to the IT team and say, “Here’s the outcome that we are hoping for, here’s the way we normally get it. Can you help us figure out how to get this in a way that comports with the GDPR, and also gives us the outcomes we need?” Most of the technical people or the privacy officers that I know would love to have that conversation. They’re very, very open to that conversation.

Ochen Kaylan: But if it’s just about, “Hey, can I get more information?” Privacy officers, their default answer tends to be no. So, it’s also about that internal partnership as well.

Sarah Durham: I mean, it’s interesting even hearing you use the term privacy officer. I’d be curious to have the people on this call chat in if any of you have a privacy officer. In my experience, most nonprofits don’t, which begs the question, who is really accountable for making sure that privacy is managed appropriately and is in line with regulation? If you do have a privacy officer at your organization or you’ve heard of an organization with one, please chat it in. And I wanted to circle back, actually, to something you talked about. Because, part of what you’re talking about is regulation and the importance of adhering to regulations where there are clear practices like GDPR. There’re a couple of other types of regulations that are out there, that you and I have spoken about, and more that are on the horizon. So, let’s take a step back and say, even if an organization feels GDPR is not relevant for them, what are the other types of regulation that should be on a nonprofit’s radar right now?

Ochen Kaylan: Sure. I’ll first answer the question, and then I’ll answer a different question. In terms of the actual regulation, so, there are regulations that are coming up. California has already passed CCPA, California Consumer Protection… I’m sorry, the California Consumer Privacy Act, which many people are calling the first step of the GDPR in the U.S. Before people forget about that, nonprofits are explicitly excluded from CCPA. So, on this call, we should be okay. There are other regulations, the EU has started some follow-up regulations around payments. There’s the SCA, which is the Strong Consumer Authentication, which will affect us in terms of payments, it essentially required two-factor authentication for all payments going forward. So, now, if you have a donor who wants to send you, go to your form and put in their credit card information, there’s now an extra step that they have to go through, and potentially extra step that you have to put them through to comport with the SCA.

Ochen Kaylan: But, I think there’s a bigger question here, and that is, what’s the future of all these regulations? Is this just, we’ve got these half a dozen regulations, and that’s going to be fine for us for the next 50 years? That’s very unlikely to be the case, that these regulations are going to continue to be developed, drafted and passed. They’re also going to expand, the GDPR is already going through an expansion. There is talk in the data privacy community about the CCPA actually removing its exclusion for nonprofits. So, there’s this bigger conversation about data privacy is coming, regulations are coming. At some point in the future, if you’re not already, you will be implicated by one of these regulations. So, you get to decide how you deal with this. If your position is, “We’re going to do the bare minimum by whatever regulation is required for us, and nothing more,” then you will spend the next however many years just chasing regulations, because they change every year.

Ochen Kaylan: And it’s not going to be a great experience for you, it’s probably not going to be a great experience for your users, for your donors. You can take this other approach, which is, we recognize that data privacy is important. That, we actually respect our users, we respect our customers, we respect our donors. And one of the ways we respect them is, we show that we respect their data. That we know that their data is valuable, that we know their data is important to them, and privacy is important to them. And so, regardless of whether we have any regulatory requirements to meet, maybe we just start protecting our users’ privacy, like just as a default, we choose to do this. I sometimes talk about, there’s an analog here with the accessibility issues. Where, when we started creating websites, we didn’t really think about accessibility.

Ochen Kaylan: And to the extent that we did think about accessibility, we would think, “Okay, well, maybe 0.1% of our users are blind. So, it doesn’t really make sense to cater our site to blind people, because they’re such a tiny portion of our user base, that is just, it’s not a good use of resources.” Fast forward, there started to be regulations, the ADA, but also, there was this movement in the development community and the broader digital community, that it’s not really about percentages of users, that we have an ethical, a moral obligation to make our products, our sites, our experiences accessible. Not because of the ROI we’re going to get for doing that work, but just, it’s the right thing to do.

Ochen Kaylan: You don’t want to make a site that you intentionally say, “It can’t be used by blind people, or by deaf people. Or, people with sight issues.” So, we as a community made this turn, where, whether our site technically under the ADA has to be accessible or not, whether we have any significant percentage of users that actually need these things, we’ve just decided, it is the ethical thing, it’s the moral thing to make our sites accessible. And as a side benefit, it actually makes our sites better for people who don’t need those accessibility issues, accessibility accommodations, just because it makes the experience better, the more you think about it. We’re in that same place with privacy, where we’re starting to have some regulations that are starting to implicate more and more of us.

Ochen Kaylan: But, there’s also this growing community of saying, “It’s just the ethical thing to do, it’s the moral thing to do, to care about the privacy of our users. Their data is important, their data is valuable. We are shirking our responsibility as good stewards to just play fast and loose with their data, to treat it just as ours, to do whatever we want.”

Sarah Durham: So, there’s a lot in what you just said, and there’s two threads I want to unpack, and then we’re going to open it up for your questions, comments and sharing. If this conversation so far is sparking some questions for you, you can feel free to chat them in. I can triage that way and we can also do a little show and tell of how to ask a question in Zoom in other ways. But, before we open it up for questions, let’s say, you are an organization that does want to be best of class around privacy, for ethical reasons. Maybe you don’t have to for other reasons. What would that look like? What would happen to your website, if you were an organization that decided to really do this right?

Ochen Kaylan: Sure. In this broader conversation, I tend to think of these as privacy experience or PX, like user experience is UX, these new best practices around PX. In my mind, they come down to five different categories. The first one is purpose limitation, and it means that you only use data for the thing that you said you were going to use it for. If you get someone’s data and you tell them for one reason, then you use it for a different reason, that’s sketchy. So, purpose limitation, just use data for what you want. Data minimization, which is, only ask for what you need. If you can’t make a case of why you also need to ask for their birth date, don’t ask for their birth date, you don’t need that information. And so, to just ask for it, plays a little… treats their information like it’s for your benefit, not for theirs.

Ochen Kaylan: Storage limitation is the third one, and that is, if you don’t need the information anymore, don’t keep it, you don’t really have a reason to. So, purge the data. The fourth is pseudonymization, which is a strange term that it’s essentially [inaudible 00:26:54] make [inaudible 00:26:59] not tied to a person anymore, then you’ve essentially severed the value of that to the person. Meaning that it’s a little safer to use if you can’t actually tie it to a person. And it protects that person, if having the data doesn’t actually identify the person. So, if there are ways that you can anonymize the data or pseudonymize the data, that’s generally a better practice. And then, the fifth is documentation. Write down what you’re doing, show that documentation to your users, say, “Here are all the places we collect your data, here’s how we use it, here’s who we share it with, here’s our data retention policy.”

Ochen Kaylan: If you actually document that and reflect it back to the users, the users are then going to know, “Hey, this organization really cares about me, cares about my data,” it reinforces that you are a partner with them. It also, as a side benefit, tends to get them to give you more of their data.

Sarah Durham: So, you just unpacked five core components that are best practices. And one of the things I imagine we’ll do with the recording when we transcribe it is, we might even pull that out and make that a blog. I think those five elements are going to be really important, those definitions are going to be helpful. Ochen and I are also going to be recording a podcast in about a month. So, we’ll give all of you who are on this call a chance to get that content from us in a few different ways. Okay, let’s assume that some of the people on this call are excited, they’re on the bus. But, you’ve just unpacked some pretty heavy things, what are the first steps? I mean, many of the people on this call are communications directors, they’re COOs, they are IT people. They’re not necessarily the executive director or the CEO, who has the ability to make everything happen. Where should the people who are responsible for the website begin this journey?

Ochen Kaylan: Yeah. So, if you’re going to approach this holistically, I would say, get a data privacy audit, just so you have a real good sense of where you are, how you’re currently using your data, what issues you need to think about. If you’re able to do that, that’s great. And that ends up becoming your roadmap for all your work in the future. If you can’t do that, I say, easiest, even though it’s not a trivial thing, the most straightforward thing you can do right away is write a privacy policy. And it doesn’t have to be this huge legalese thing, you don’t have to get all your lawyers involved. It’s great if they are, but if they’re not, that’s okay. But just write in plain English, what is your philosophy around the data? What is the data that you collect? How do you use it? If you have a sense of it, maybe what your data retention policy can be. It doesn’t have to be long, it doesn’t have to be legalese. Just start with that policy.

Ochen Kaylan: And then, if you have a form that someone fills out, just put a link in that form that says, “By the way, we care about your privacy, here’s our privacy policy.” That’s a great first step where you can bring that transparency into the organization, into the data, and start building that trust and that partnership with your users. That, you actually recognize that this is important to them. And so, not only do you get to start improving your data privacy practices, but you also immediately get to reflect that back to the users, and get the benefits that start to come from them.

Sarah Durham: Okay. So, I just want to echo back what I heard from you there and just make sure I’ve captured it correctly. So, if you want to go for it, you can conduct a privacy audit, that’s something we at Advomatic can help with, Ochen can help with that. But that’s got extra costs and involves going through an audit, and then effectively remediating what is uncovered, coming up with an action plan and implementing it, a similar thing to the work we’ve done for many of you around accessibility. We do the same thing in an accessibility audit, and then remediation. But, if you don’t want to outsource this, you’re saying, the first step is have a solid privacy policy, and then, I think I heard you also talk a little bit about digging into how the data is protected, right? Is the data understanding what… I mean, earlier, you talked about that a bit. Where is the data stored? What happens to it? How does it get used? That’s something that somebody who runs the website can do.

Sarah Durham: And making sure that the policy, the privacy policy that you set in place is actually what you’re doing. That every form you’ve got online is collecting data that is in line with the privacy policy, is that correct?

Ochen Kaylan: Yes, that’s a great start. Typically, an audit might come up with half a dozen or a dozen recommendations for things to do. Some of them have different scales and different lifts to them, levels of effort. If you’re not ready to do any of those things, the most important thing, in my mind, is just to start writing that policy and put what you can think of in there, how you collect data, how you use the data, how you store the data, when you delete the data. Maybe you don’t know those things, maybe you can take a guess. Obviously, don’t lie to your users in your privacy policy, but figure out how much you can talk about, how much you can say, and what you can do in that privacy policy to convey to your users that you care about them and their privacy. And then, put links to that privacy policy in your footer, with any forms.

Ochen Kaylan: There’re certainly things you do after that, figuring out how to get people to opt in to the privacy policy and all those processes, and then how you actually carry out some of those things like data retention, like anonymization. And of course, we can help with that. But if you’re not ready for that, just start documenting.

Sarah Durham: Yeah. So, there’s auditing and planning to do, but then, a lot of this is about follow-through, it’s about making sure all the i’s are dotted and t’s are crossed. Okay. So, we’re going to switch it over to discussion mode. And what we’re going to try to do is bring your faces and voices a little bit more into the room with us now. So, if you feel comfortable doing so, please feel free to turn on your camera. And I would really welcome, not only if you could… you’ll see in Zoom, there is a little button that says More, at the bottom of the participant list. And it has the option for you to give a thumbs up, a thumbs down, a wave, there’s different icons. So, if you have a question you’d like to ask verbally, use the little wave symbol, and just put a little wave, and I will turn on your video and your audio for you, so you can ask a question.

Sarah Durham: While we see what bubbles up from you in terms of questions, I also have some questions for the group. My first question for you, and again, you can vote in Zoom, there’s a Yes button and a No button, how many of you have a privacy policy on your website? If you could vote yes or no, it would be interesting to see where people are coming out on this. So, some of you do, a couple of you are voting. Some of you are remaining anonymous on this topic. So, those of you who have said yes, we’ve got Brick and Brennan Center, who’ve identified as… Oh, and ActionAid has said that they do. And Center for Constitutional Rights has one, but it’s a bit dated. I’d be curious if any of you who’ve got a privacy policy have any advice or any tips or any things you’d like to share with the group, that could be good lessons for those among us who do not have privacy policies and who might need to do a little bit of work on this.

Sarah Durham: So, if you’ve got some suggestions, please, ADL does have one. If any of you want to share a tidbit about that, I would welcome that. I’m also curious if any of you have proactively tackled this issue of privacy. And if so, how have you done it? Have you done a privacy audit? Who has led that work? How is this conversation progressing at your organization? Or, is it not at all? I’ve just cleared the tab. So, if you want to vote on that, like, “Yes, we have pursued privacy proactively in our organization,” click the little Yes tab, or chat it in. If you have not pursued privacy as a proactive topic around your website or in your organization, please check the No box, and feel free to share. We’ve got some chats here that people are sending in. So, it seems like many of you do have privacy policies. But a lot of you are chatting in that they are very informal.

Sarah Durham: By the way, you can chat to me privately, if you’d like to answer any of these questions but you’re not comfortable being on record for your organization around this, because I realized this is legally sensitive stuff, you can chat me privately, I won’t reveal who you are and there’ll be no record of the chat. I don’t put, “Well, no, that’s not true, we are recording. There will be a record of chat.” But, I’m curious. The checkbox, for those of you who are asking me that, is at the bottom of the participants screen. So, have you proactively pursued privacy in your organization? Couple of you are saying no. This seems like this is an untapped topic. And I actually think it is… Ochen, I’m curious what you think about this. I wonder if this is one of those things where, if we, the nonprofit sector, don’t get out in front of this a bit more proactively and start establishing our own best practices, if the regulation will come faster, if it’ll be regulated for us. What do you think about that?

Ochen Kaylan: It’s an interesting question. In this country, privacy practices are not coming particularly quickly, which is why California passed their own regulation. I think the ADA is going to be a really good model of what’s going to happen. That, lots of organizations, including nonprofits, are going to lag behind. And so, a pretty heavy regulation is going to be put in place to fix those issues. The longer we wait as individual organizations to do that, the harder it is going to be, and probably the more onerous the regulations are going to be, if the regulations actually have to deal with a community that just isn’t interested in making privacy a priority.

Sarah Durham: Okay, great. I mean, what I heard from you… I’m just chatting to somebody privately. What I heard from you is that we might have a little bit of time here, that it might be coming downstream, but it doesn’t sound like you feel it’s imminent in the next year or two. So, that seems like good news, right? People have a little bit of time to get their house in order, perhaps, before it becomes a bigger national conversation.

Ochen Kaylan: I want to temper that a little. So, if all we’re doing is chasing regulations, then yeah, you’re probably, you’ve got ways off. But, your users are currently suffering, both in the offerings that we provide and also the way that we treat them, because we don’t make privacy a higher priority. So, in my mind, the pressure isn’t about regulations, the pressure is our users are demanding this. And our users are going to go away, they’re going to find other organizations to ally with, if we don’t show them that we actually care about them as individuals. That, if we just see them as data harvesting farms, we’re going to lose them far earlier than we will see regulations.

Sarah Durham: That’s a great point. I think we’re seeing that in a lot of places, people have become so much more conscious of where their data is being captured, and how it’s being used, than they were, even a few years ago. I want to just chat, I want to [fly 00:39:40] to everybody, I just put something in the chat to everyone, which is an article, a blog that Ochen wrote, that I think is very helpful with some takeaways about GDPR and privacy in general that you can share with your team. And I am not seeing anybody who wants to ask a question or share on this call. So, no, that’s okay. [crosstalk 00:40:03] did you say what?

Ochen Kaylan: Yeah, I thought Grace, I saw your hand earlier. You got it raised.

Sarah Durham: Did you? Okay, so, Grace, if that’s correct, if you want to unmute yourself or turn on your video or both and ask a question, I would love that. Anybody who’d like to ask a question, feel free to go for it. And if not, we will just wrap up a little bit early, everybody always likes to have a little bit of time. We can all go to Starbucks and get our coffee.

Ochen Kaylan: You already know we’re coming.

Grace Lile: I didn’t raise my hand, but I actually-

Sarah Durham: Okay, great. So, this is Grace from the Center for Constitutional Rights. Hi, Grace.

Grace Lile: Hi, Sarah. I was just intrigued earlier just about the question of who is the chief privacy officer? Who owns privacy in your organization? That’s a real challenge for us because we have technology folks, we have information and data folks, we have our communications team, our development team, which really deal with a lot of the usual design and what’s collected and the website and so forth. So, it’s been one that’s been a little bit challenging to get GDPR compliance off the ground, just because it has 9 million other things to do, as everyone does. And then, because it’s just hard to get the sense of urgency with it.

Sarah Durham: A sense of urgency and it sounds like also alignment, right? About who’s going to steer this conversation, perhaps.

Grace Lile: Yeah, because some people, I mean, again, it just, it’s not because people don’t care about privacy, they do. But, there are a lot of pieces to it as well. It’s not just the online stuff and the collecting of… it’s having, we do have data retention policies, but we’re… until we’ve done some work, we’re definitely doing some work on that, but it is a little bit of a challenge because [ … ] also organizational and you really have to get folks to focus on something that is not their most urgent day-to-day [lives].

Sarah Durham: Yeah. So, I’m curious what Ochen thinks about that, I’m also curious if any of you have navigated that, if you have advice for Grace. Like, who should lead this dance, and how do you get people aligned and create some urgency around it. But, Ochen, what do you think?

Ochen Kaylan: Yeah. So, I heard two things, one is, how do you get everyone invested in this? But also, where the responsibility actually lies. And that it doesn’t stop one. So, I’ve worked with many international nonprofits over the last couple years in GDPR compliance, and it’s a struggle for almost all of them. Under the GDPR, specifically, if you fall into a particular category of having a certain type of data, you’re actually required under the regulation to have an independent data privacy officer. The DPO is a position that you have to have in your organization. That position typically sits pretty independently. They’re not in marketing or development or IT, they are occasionally in the legal department, but more often than not, they’re just an independent position. And part of that is because the GDPR actually requires some independence of that position. Even if you don’t have to have a DPO, that independence has ended up being pretty important for the organizations that I’ve worked with.

Ochen Kaylan: If your DPO or whoever owns that part is in marketing, marketing has a vested interest in sometimes over collection. If that person lives in IT, IT has a vested interest in under collection. And so, it’s really important to find someone, some place in the organization that can be independent and really serve as the advocate for the user. Sometimes there’s a real natural fit. Sometimes the marketing department actually approaches their work in that way. Sometimes there’s a legal department. Sometimes an ops department can act that way. It really is pretty independent or pretty individual to the organization, but it’s where you can find someone who doesn’t have a vested interest in over collection or under collection, and then just the interest, the passion to drive that.

Sarah Durham: And if there is anybody else who wants to speak to this issue too, about how you’ve created ownership and which department owns privacy at your organization, I would welcome you to unmute yourself, turn on your video and tell us about it. Grace, did we address what you were thinking about there?

Grace Lile: Yeah, that was very interesting, because I didn’t know that about the GDPR, and that’s a really interesting perspective. I mean, I don’t know that it solves some problem… But it certainly helps me think about it. So, yeah, thank you.

Sarah Durham: I’m thinking also, for you at the Center for Constitutional Rights and actually for several of the organizations on this call, you’re an army of lawyers, basically. I mean, there are a lot of organizations on this call who are very well staffed with legal teams, which I imagine also comes with a level of, probably makes this easier in some ways for people to understand the implications, and harder in terms of navigating it. So, Ochen, you were going to say something?

Ochen Kaylan: Well, just that, for me, there’s also some hope here in that, because the DPO is a position, it’s a real position, people are starting to be trained in it. And you’re starting to have junior DPOs, and you’re starting to have this new job created. And so, it doesn’t seem inconceivable to me that in a few years, this will be a job you’ll be able to hire for. And whether the DPO sits in whatever department, may not matter quite as much as just having someone who has had some training in this, had some experience in it. And read the books that get written about the best practices for DPOs and follows the blogs or writes the blogs for, and starts to cater to this particular job. So, I think in the not too distant future, it’ll be a little easier to bring in people who have that experience or some of that background.

Sarah Durham: Although my guess is for most nonprofits, that is not going to be a full time in house position. I mean, I would imagine, at a very large institution, it might be, but in many, I could imagine it as an outsourced position with some part-time person. It reminds me, I was listening to a podcast earlier that Poppy Harlow hosts called the Boss Files, where she interviewed the CEO of Google. And one of the questions she asked him was, “Do you at Google have a chief ethics officer, who is responsible for ethics throughout Google?” And he said, “No, I believe that it is the CEO, it’s my job to be the chief ethics officer.” And I was thinking about that and I was thinking… Oh, and he said, also, everybody throughout Google should bring an ethical lens to their work.

Sarah Durham: And I said, well, it’s really easy for us to all say we are advocates for ethics. But as you talked about earlier, different departments have real objectives and agendas around things that can be sometimes in conflict with what is the best practice from a user’s point of view, from a donor’s point of view, from a client’s point of view. And sometimes, breaking out owning that, breaking it out and putting somebody whose primary lens is to consider ethics or consider privacy is the most effective way to get it done. It looks like we have another question here from Sofia, just about compliance when you’re doing list buys. So, if you’re buying lists or renting lists, like acquisition lists, for instance, of people you might want to reach out to via email, how do you make sure you’re in compliance with privacy there?

Ochen Kaylan: In that case, you have to make sure that the place where you are buying these lists has the right to sell those names, or sell that information. And so, if you can just, you ask them, there’s a particular form that you use for an audit, a public audit that certain organizations who have data or resell data have to do, they have to do an annual audit. You ask for their compliance, and they basically show that, “Okay, we have complied, these are legitimately legally gained pieces of data.” And if it is, then you can use it to the extent that that legal ability exists.

Sarah Durham: One thing I would just add to that, that I think is a complexity that many nonprofits have, and perhaps this is part of what’s behind the questions, that a lot of times, nonprofits will do list swaps. I’ll give you my list, you give me yours, I’ll email your people, et cetera. And I would imagine if you’re doing a list swap or a chaperoned email between different organizations, the email that you’re sending out must be compliant with their privacy policy. So, if their privacy policy says they won’t share their donors’ names or their list’s name with anybody, they really shouldn’t be letting you do a list swap or a chaperone list. Is that correct, Ochen?

Ochen Kaylan: That’s right. The presumption is that, if you have a piece of information, you are not going to share that information. So, if you want to share it, you have to have your privacy policy that people have agreed to, your right to share that information with partners or third parties. But you can’t do it by default.

Sarah Durham: Yeah. I think the point I’m trying to make, the nuance I think we should add to this question about list buys, is that, odds are better that if you are renting a list or buying a list from somebody who sells lists, that is their business, they have probably considered these issues. Because, the success of their business depends on them navigating compliance and thinking about privacy. You should double-check, obviously, but the odds are better. If you are getting lists from peers, from people who aren’t professionally in this business, I think the odds go up that they are probably not thinking about these issues of privacy always. Or, that you might even be talking to people who are not the same people who consider the privacy issues. So, that is definitely, that’s an issue worth digging into.

Ochen Kaylan: Definitely. And it also, it brings up another point which we only briefly touched on earlier. But I’m seeing it more and more, especially with nonprofits is, funding organizations or granting organizations, I am seeing it more and more, where organizations will require as compliance with the grant, that you’re GDPR compliant. Even if you as an organization don’t have any independent reason to be, if you’re going to comport with the terms of that grant or that funding, you end up having to be. I’m seeing that much more common, especially with U.S. nonprofits and social justice organizations. Where, they’ve had to turn down grants a couple times because they decided not to go the GDPR route, and they lost out…

Sarah Durham: So, in a smaller organization, I imagine, it might be as easy as walking across the hall and talking to your colleagues in the development team about any grants they’ve received that might have a GDPR clause. But that sounds like another place that I-dotting and T-crossing becomes important internally. We have about five minutes left, and we’ve got a couple of questions people have chatted to me privately and some publicly to get to in those five minutes. Before we get to those questions, I just want to flag, most of you work with Advomatic as support clients, which means, you have an ongoing subscription with us and we help you maintain your website technically. What we’re talking about this privacy audit piece today and this whole conversation of the … talk, is a new thing that we’re trying to layer in to help you get more value for that support, for that relationship you have.

Sarah Durham: So, this is the first and what I imagine will be a series of conversations that we’re going to try to bring to you, because we want to help you grow your chops as technical experts too, and create more of these kinds of forums for us to learn and share with each other. As I said at the beginning of the call, this is the pilot, we’ve never done this by Zoom before, and I’ve also included in this some other Big Duck clients and people who I think would benefit from this conversation, who don’t know Advomatic well. I’m curious to hear from all of you how this has felt, if this has been an interesting topic, if there are other topics related to your website that you think the team at Advomatic might be able to help you learn about, or you would like to share your expertise about. I hope you will email me or chat me and give me your feedback about this because I’m really eager to create spaces for Advomatic clients to grow their skills.

Sarah Durham: There’s so much going on in the tech world right now that I think we have to struggle to keep up with. So, please send me your feedback. Okay, so, question from the Brennan Center to everyone, “Does anybody have any examples of best practice privacy policies you could share?” I’m curious, Ochen, if you do, or if other people on this call do, please chat in maybe a link, share a link in the chat. Ochen, how about you? Any recommendations?

Ochen Kaylan: Yeah, there is some boilerplate that tends to go in privacy policies. But privacy policies in general tend to be pretty specific to the organization. So, there are other terms of use documents where you can get 10 versions and cobble together something that makes sense for your organization. It doesn’t quite work that way with privacy policies, because, you have to actually go through your site and figure out how you’re storing your data, where you’re storing it, who you share it with, what your data retention policy is, and that tends to be pretty specific to organizations. So, we have examples to basically show the type of things that are in a privacy policy. But it tends not to be helpful when actually drafted in a policy. But we can share-

Sarah Durham: Yeah, maybe we can share some. Yeah, if you’ve got some, you can send to me, we can send that as a follow-up. I think it’s also very helpful with topics like this to look at some of the organizations you admire that you think are doing this well and read their privacy policy, you’ll see structurally what it is. Okay, we’re about at the top of the hour, thank you all for taking the time to participate. Ochen, big, big thanks to you for sharing your great depth and wisdom on this topic. I’m really eager to keep talking about this topic if other people would like to. And thank you for those who have chatted to me some comments or feedback or questions today, I look forward to hearing more from all of you and talking to you all again in the future. Have a great day.