Podcast: Should your nonprofit be worried about GDPR and online privacy?


Ochen Kaylan, Senior Developer at Advomatic and attorney, is passionate about online privacy. In a recent podcast with our sister agency, Big Duck, he discusses how to store and manage your donors’ and clients’ information, when enough information is enough, and how your own information is being used. 


Sarah Durham: I’m Sarah Durham. Advomatic is an agency that has been building and maintaining websites for nonprofits, labor unions, universities, and government agencies since 2004. Their client list includes the ACLU, Stanford University, Disability Rights Florida, the Brennan Center, and many, many other awesome organizations. Big Duck has partnered with Advomatic for years. We’ve worked with organizations together like Corporate Accountability, Keshet, the ADL, and many others. In 2019 we formalized that partnership when I acquired Advomatic, so I’ve gotten to know the staff there, who are all expert web developers and project managers, really well, as you can imagine.

Advomatic is really special because much of what they do is support nonprofit websites on a monthly basis, ensuring that sites are secure, up to date, and optimized so that that investment in building the website really lasts for the long haul. Okay, so let’s start with you just introducing yourself.

Ochen Kaylan: My name is Ochen Kaylan. I am a senior developer for Advomatic. I’m also an attorney. I’ve been an attorney for a number of years specializing in nonprofit governance and international privacy compliance.

Sarah Durham: So Ochen and I had a really interesting conversation a few weeks ago about privacy, particularly privacy online. And this is one of those places that’s kind of the special unicorn-like intersection of his experiences as both a web developer and as a lawyer. But one of the things we should do is we should disclaim that we are not giving legal advice in this podcast.

Ochen Kaylan: That’s right. I am a lawyer but I am not your lawyer.

Sarah Durham: Okay. So with that disclaimer out of the way, let’s get into this. Why are we talking about privacy? Why is online privacy an issue of concern or an issue that nonprofits should be thinking about today?

Ochen Kaylan: Well, privacy has been an issue ever since we started collecting data online, personal data, but it really became a big thing once the GDPR started to be announced. So the GDPR stands for the General Data Protection Regulation, which is an EU regulation that essentially lays out what rights EU residents have to their data. So it says that private data, like your name, your email address, your mailing address, health information, biometric information, all of that stuff, is yours to own. And so if any organization wants it, they need to play along with these rules. They need to ask your permission, they need to treat the data correctly under the regulations. And so the GDPR was enacted some years ago, but it really went into effect about a year ago. And so a number of organizations, including a lot of nonprofits, really sort of had to take serious stock about a year ago of all the data that they were collecting. And in many cases their practices really changed: their data practices, their marketing practices, their development practices, to really follow along with these new regulations.

Sarah Durham: So if you were a nonprofit organization or an NGO in the EU, GDPR is front and center. You’ve had to bring a privacy compliance officer probably into the mix. But if you’re in the US, do we need to worry about GDPR? Should a US-based nonprofit be concerned about GDPR? How is this relevant?

Ochen Kaylan: Yeah, so just because you’re not an EU company or organization, you still need to care about it, because the way the regulation works is it automatically grants EU residents these rights. And so if you have the data of an EU resident, well, under international treaties, you have to respect their rights. It’s like the Geneva Convention, that we all have to follow along with these rules. So if any EU resident has their data in your database or in any of your documentation, anything that you collect, you have to respect these rights. Even if you are not based in the EU, even if you don’t have any EU offices, even if you don’t have any EU employees, you still have to protect the rights of the residents.

Sarah Durham: I think one of the issues you raised recently that I was very interested in was the idea that online privacy is a governance issue. That even if, as you say, you don’t have to follow a bunch of these things, you should follow a bunch of these things, and you need to be informed about it. You need to understand how GDPR intersects with your organization’s work. But this is bigger than GDPR, isn’t it?

Ochen Kaylan: I think it is because GDPR really created the opportunity for a lot of organizations to think about privacy, but privacy exists far beyond what the GDPR has to say about it. So if you have data in your database, in your records, if it’s private data of a person, whether that person is an EU resident or not, you should still think about the privacy of that person. If you have a database of donors, well, if you respect your donors, you’re going to want to respect their privacy because that’s something that they care about. You know? If you think about yourself, would you like anyone who asks for it to have your email address, your mailing address, your phone number, your biometric information, pictures of you? I would assume that most of us wouldn’t like that information just shared willy-nilly. And so you have to think about that type of data that you have of your donors, of your audience, of your community, whether you care about their privacy, independent of whether you have any obligation under the GDPR.

Sarah Durham: It’s an interesting dilemma, because certainly when you put it in those terms, you know, you can see how any nonprofit would say, well yeah, I hear you. I don’t want to capture all this stuff or store all this stuff if I don’t have to. It doesn’t sound right. At the same time, there is definitely this best practice out there, particularly I think in the fundraising world, about knowing as much as you can know about the people you’re trying to communicate with so that you can communicate with them in more personalized ways. You can give them a robust experience online. You can really make them feel understood. You can send them segmented messages. How do you reconcile those things?

Ochen Kaylan: Yeah, that’s absolutely right. And you had a podcast episode just a few episodes ago about what customers are coming to expect from the companies that they interact with. You know, whether it’s Starbucks and you expect them to know your order when you walk in, and it’s the same thing that people are going to interact with nonprofits more if they feel tailored to, if they feel talked to, that they’re seen by the organization as a person and not just a line item in a database somewhere or a spreadsheet somewhere. So there’s definite benefit in knowing as much as we can. There’s similar benefit in respecting those people as much as we can. And so it is a balance. It’s trying to figure out what can you collect? How do you have to collect it? Are there special things you have to keep in mind as you’re collecting it?

Are there ways that you could reflect back to those individuals? Okay, we know that we’re collecting this private data, but we also respect you. We respect your data. Here’s how we’re going to treat your data. Here’s how we’re going to treat you.

You know, in some cases there’s just that transparency that’s needed to be able to get the information, but also be really clear to those individuals that they’re not giving it for nothing, that you’re going to treat it well, you’re going to treat them well, and they’re going to get the services that they want.

Sarah Durham: Where should a nonprofit start with all of that? I mean, that sounds great, but if I am a nonprofit communicator who’s busy and I manage the website, but I am also managing a million other things, where do I start? What’s my first step?

Ochen Kaylan: Yeah, there’s a carrot and a stick here. So we’ve been talking about the carrots of, here are the reasons why it’s good for you to think about it, but there is the stick of you might have a legal obligation to care about it, and so if you don’t have the time or the resources to do it, it may just need to be a higher priority, because you might be exposing your organization to legal liability. It’s also not just the GDPR. First, there are other regulations: California has a privacy regulation. There are new e-regulations that are coming out, so the GDPR isn’t the end of all compliance. But we’re also seeing more often, for example, granting organizations, whether you have to comply with GDPR or not, some granting organizations are just requiring all recipients of their grants to comply with data privacy in a particular way.

So even if you don’t have a legal obligation to, you might end up harming your organization by not doing this because it might limit who they can work with, who the organization can get money from, other partners that you can partner with. Sometimes partners just require this and if you don’t do it, you can’t play.

Sarah Durham: Seems like the first step here is get some good advice about privacy compliance. Is that a lawyer? Who is that?

Ochen Kaylan: The easiest thing to do is to talk to a lawyer, have your counsel work with outside counsel if they need to on data privacy issues. This is a growing specialty, and so there are attorneys that specialize in international privacy issues. Often you might not have an attorney, you might not have inside counsel, you might not have outside counsel that you work with regularly, and you need to start working on this right away. And so one of the first things you can do is just start documenting, documenting all the data that you have. How do you keep it? How do you get it? How does it get into your system? What do you do with that data? How long do you hold onto it? Who do you share that data with? Whenever you work with an attorney to work out these issues, that’s one of the first things they’re going to need to know: What’s the data we’re actually talking about?

And so you can start that work without a lawyer. Just start doing that audit. The next thing that you’ll end up doing is figuring out how to build good policies around that, how to build a good data retention policy, how to build a good data security policy, and then eventually you’re going to reflect that back to the users. So you’re going to create a privacy policy that you link to on your website. When you create a new form, you’re going to put the privacy on that form. You’re going to start thinking about how you collect data that way. And certainly working with a privacy lawyer is going to make that a smoother process. They’re gonna be able to direct you in the right direction, but if that’s just not available to you, you can still take steps. You can still document, you can still create these policies. You can still reflect that back to the users.

Sarah Durham: You know, I’m thinking about why this is such a challenging issue for people to tackle. And as I’m listening to you talk, I’m thinking about how there is a huge piece of this work that really lives in operations. It’s about the organization’s fundamental operations and practices, and that transcends communications. But then there are a lot of tentacles that reach into communications, and so far in this conversation, a lot of the recommendations you’ve made have been recommendations or thoughts that you have to be an expert in this topic to make. But you don’t necessarily have to be a communications person to act on them; an operations person might act on them. The last part of what you just talked about, though, is really communications specific. To be able to put a privacy policy on the website, to be able to adapt forms on your website. That’s the work of the communications person. So if the person listening to this podcast is a communicator, hopefully who’s got some partner on the operations team or maybe outside counsel or somebody who can help them with the policies and the practices, what are the top things that communications person should do, particularly on their website, to be thoughtful about the way data is captured and used on the website?

Ochen Kaylan: Yeah, so there’s a lot in there. So first, you’re right that it’s not solely an operations issue, it’s not solely a communications issue, it’s not solely an IT issue. Typically the solutions here come through collaboration of all those departments, and that can sometimes be the most difficult part: you often have one department who wants to limit the collection and another department who sometimes wants to over-collect. And that’s a really difficult thing. There was also another podcast episode that you had about the difficulty sometimes between communication teams and development teams, and if you add in a third team, the IT team, all of the things discussed in that podcast definitely apply here. But you’re right that eventually, when all of this has been worked out, it’s the communications department’s job to figure out how to reflect that back. And it’s that job of reflecting it back where so many of the gains can be had, because when you have that conversation with the user of, we would like this information, but we want to show you that we respect you and that we’re going to take this seriously and we’re going to protect your data, that has an opportunity to establish and to deepen the relationship that the organization has with that individual.

And that is all about what the communications department does. And so it can be this difficult thing on the back end to get all of this stuff between all of these departments working and to have, you know, sometimes these very long, strange conversations with the attorneys. But eventually what this comes back to is the organization and the user having that conversation of: We would like this information, here’s how we’re going to use it, here’s what you’re going to get from it. And that has the opportunity to really strengthen and to deepen the relationship that you have.

Sarah Durham: You know, it seems like at the end of this journey, your relationships are going to be better, your website is going to be better. And it’s sort of a question of when and how, whether it’s the carrot or the stick people dig in and go for it. Ochen and I also recorded a meeting or a kind of an informal webinar, which is going to be posted on the Advomatic website and I’ll link to it in the show notes. If your organization is trying to tackle these issues and you’d like to hear a little bit more from Ochen, that’s a great place to look. And I encourage you to dig in there for starters. Ochen Kaylan, thank you for joining me.

Ochen Kaylan: Thanks so much for having me.