GDPR compliance for Salsa classic users

The General Data Protection Regulation (GDPR) is a new EU Regulation that took effect on May 25th, 2018. The regulation seeks to protect EU residents’ personal data. It creates a number of compliance obligations for organizations that process the personal data of EU residents. Salsa provides GDPR-related assurances in its Terms of Service, but you still need to edit your page templates and install some customized code to comply with GDPR.

The first question you should ask yourself is whether you need to bother. GDPR is only important for groups with a lot of EU supporters on their email lists. This Medium post explains more.

But if you decide it’s essential, and are ready to take on the additional work and impacts to supporter experience — PowerThru is here to help.

We built a functioning GDPR compliance system for our client The US Campaign for Palestinian Rights, and this post will walk you through the details of how it works. Check it out here – just select an EU country from the drop-down to see the GDPR compliance text toggle on and off.

If you don’t want to sweat the details – just send us an email: our GDPR compliance tool for Salsa starts at just $750 (you’ll also need an up-to-date Page template).

In partnership with Salsa we have identified 4 major areas of compliance:

  1. Full disclosure/Active consent during opt in;
  2. Request to know what data has been collected; Access to that data;
  3. Right to be forgotten; and
  4. Audit trails.

Full disclosure/Active consent during opt in

GDPR requires that users be told which communication channels they are opting into, and that they have the opportunity to opt out of those at any time. For EU supporters, you can no longer simply add a disclaimer like “by taking this action you will be opted into our list of supporters, and agree to receive updates on our campaigns”. You need to have an affirmative check box (we suggest a radio button or toggle) to opt in to communication. You also need to allow users to individually consent to each use of their data — i.e. separate checkboxes for email, SMS, postal mail, etc. See more on this here.

Our solution modifies your main action and fundraising page template with additional opt-in fields for each area. Each opt-in is a yes/no checkbox set to “yes” by default. We also add the existing Salsa supporter field for Country selection and make that a required field. Finally, we add a JavaScript snippet to your page template that finds that required country field and identifies what it is set to. If the field is set to an EU country, we display the custom opt-in fields. If a non-EU country is selected, the fields are hidden with CSS but remain on the form, and instead we display a catch-all opt-in like “by completing this form you agree to receive updates and communications from us by email and other methods”.
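A sketch of the country-driven toggle described above, as an added example and not PowerThru's or Salsa's own code. The element ids (`country`, `gdpr-optins`, `catchall-optin`) and the use of ISO 3166-1 alpha-2 codes as the country field's option values are assumptions.

```javascript
// Added example: the element ids and ISO-code option values are assumptions,
// not Salsa's actual markup.
const EU_COUNTRIES = new Set([
  'AT', 'BE', 'BG', 'HR', 'CY', 'CZ', 'DK', 'EE', 'FI', 'FR', 'DE', 'GR', 'HU', 'IE',
  'IT', 'LV', 'LT', 'LU', 'MT', 'NL', 'PL', 'PT', 'RO', 'SK', 'SI', 'ES', 'SE',
]);

// Normalise the selected value so "de", " DE " and "DE" are treated the same.
function isEuCountry(value) {
  return EU_COUNTRIES.has(String(value || '').trim().toUpperCase());
}

// Decide which consent block is visible for the selected country.
// An empty or unknown value falls back to the catch-all notice.
function consentView(countryValue) {
  const eu = isEuCountry(countryValue);
  return { showChannelOptIns: eu, showCatchAllNotice: !eu };
}

// Apply the decision to the page. The per-channel fields are only hidden,
// so they stay on the form and are still submitted with it.
function applyConsentView(doc, countryValue) {
  const view = consentView(countryValue);
  doc.getElementById('gdpr-optins').style.display = view.showChannelOptIns ? '' : 'none';
  doc.getElementById('catchall-optin').style.display = view.showCatchAllNotice ? '' : 'none';
  return view;
}

// Browser wiring: re-evaluate on load and every time the country changes.
if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () => {
    const country = document.getElementById('country');
    const update = () => applyConsentView(document, country.value);
    country.addEventListener('change', update);
    update();
  });
}
```

Because the toggle runs only in the browser, the values stored in the supporter's custom fields remain the record of what was actually submitted.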

What has been collected? How can it be accessed?

As part of GDPR, supporters have the right to request access to the information that has been collected about them by the organization. Since our solution involves adding all this info via custom fields in the supporter record, it’s easy to run reports and answer these questions for donors. As part of the package, we’ll set up 2 basic reports that track GDPR compliance:

  1. A dashboard report that counts supporters by country, with sub-counts for opt-in to each communication channel.
  2. A report that lets you enter an individual supporter’s email address and quickly report on their individual communication preferences (for handling incoming requests from members and supporters in the EU).

Rights to be forgotten, to rectify and to restrict

Supporters can request to be forgotten by an organization. This means that the organization is obligated to remove any and all personally identifiable information (PII) stored about that supporter if the organization has no other legitimate reason to retain the data. You can already remove any supporter record in Salsa through the supporter module, but as part of our package we also customize your unsubscribe and opt-in pages for EU supporters to allow them to opt out of only SOME communications (for example, no texts or no calls) but not ALL communication.

Audit Trail

Organizations subject to the GDPR should maintain an audit log of all interactions where a supporter asked to opt in or opt out, requested access or changes to their information, or asked to be forgotten or to have processing of their personal data restricted. Your Salsa account already records each action, and once we install the custom tracking fields, it will include each opt-in as well.