The General Data Protection Regulation (GDPR) is a new EU Regulation that took effect on May 25th, 2018. The regulation seeks to protect EU residents’ personal data. It creates a number of compliance obligations for organizations that process the personal data of EU residents. Salsa provides GDPR-related assurances in its Terms of Service, but you need to edit your page templates and install some customized code to comply with GDPR.
The first question you should ask yourself is whether you need to bother. GDPR is only important for groups with a lot of EU supporters on their email lists. This Medium post explains more.
But if you decide it’s essential, and are ready to take on the additional work and impacts to supporter experience — PowerThru is here to help.
We built a functioning GDPR compliance system for our client The US Campaign for Palestinian Rights, and this post will walk you through the details of how it works. Check it out here – just select an EU country from the drop-down to see the GDPR compliance text toggle on and off.
If you don’t want to sweat the details – just send us an email: our GDPR compliance tool for Salsa starts at just $750 (you’ll also need an up-to-date Page template).
In partnership with Salsa we have identified 4 major areas of compliance:
- Full disclosure/Active consent during opt in;
- Request to know what data has been collected; Access to that data;
- Right to be forgotten; and
- Audit trails.
Full disclosure/Active consent during opt in
GDPR requires that users be told which communications channels they are opting into, and that they have the opportunity to opt out of those at any time. You can no longer (for EU supporters) simply add a disclaimer like “by taking this action you will be opted into our list of supporters, and agree to receive updates on our campaigns”. You need an affirmative check box (we suggest a radio button or toggle) to opt in to communication. You also need to allow users to consent individually to each use of their data — i.e. separate checkboxes for email, SMS, postal mail, etc. See more on this here.
What has been collected? How can it be accessed?
As part of GDPR, supporters have the right to request access to the information that the organization has collected about them. Since our solution stores all this information in custom fields on the supporter record, it’s easy to run reports and answer these questions for donors. As part of the package, we’ll set up 2 basic reports that track GDPR compliance:
- A dashboard report that counts supporters by country, with sub-counts for opt-in to each communication channel.
- And a report that lets you enter an individual supporter’s email address and quickly report on their individual communication preferences (for handling incoming requests from members and supporters in the EU).
Rights to be forgotten, to rectify and to restrict
Supporters can request to be forgotten by an organization. This means that the organization is obligated to remove any and all personally identifiable information (PII) stored about that supporter if the organization has no other legitimate reason to retain the data. You can already remove any supporter record in Salsa through the supporter module, but as part of our package we also customize your unsubscribe and opt-in pages for EU supporters to allow them to opt out of only SOME communications (for example, no texts or no calls) but not ALL communication.
Organizations subject to the GDPR should maintain an audit log of all interactions where a supporter asked to opt in or opt out, requested access to or changes to their information, asked to be forgotten, or asked to have processing of their personal data restricted. Your Salsa account already records each action, and once we install the custom tracking fields, it will include each opt-in as well.
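The per-channel affirmative consent described in the opt-in section, the partial opt-out from the previous paragraph, and the audit trail this paragraph calls for, as an added JavaScript example that is not PowerThru’s or Salsa’s code. It assumes a form that posts a `country` code, one checkbox per channel (`consent_email`, `consent_sms`, `consent_postal`) and a `source` page name; the EU country-code list and the in-memory audit log are illustrative assumptions, not anything Salsa provides.

```javascript
// Added example, not PowerThru's or Salsa's code. Validates a GDPR-style consent
// submission and records an audit entry for every change in consent.
// Assumed form fields: country, consent_email, consent_sms, consent_postal, source.

// Illustrative assumption: ISO country codes that trigger the GDPR consent flow.
// A real deployment would maintain this list (EEA countries etc.) itself.
const EU_COUNTRY_CODES = new Set([
  'AT', 'BE', 'BG', 'HR', 'CY', 'CZ', 'DK', 'EE', 'FI', 'FR', 'DE', 'GR', 'HU',
  'IE', 'IT', 'LV', 'LT', 'LU', 'MT', 'NL', 'PL', 'PT', 'RO', 'SK', 'SI', 'ES', 'SE',
]);

// Each communication channel gets its own consent, never a blanket opt-in.
const CHANNELS = ['email', 'sms', 'postal'];

// Does this supporter need the full GDPR consent flow? Only EU countries trigger it.
function requiresGdprConsent(countryCode) {
  return EU_COUNTRY_CODES.has(String(countryCode || '').toUpperCase());
}

// Build a consent record from a submitted form. A channel counts as consented only
// when its box was explicitly ticked; an absent or unrecognised value is "no", so a
// missing field or a disclaimer paragraph can never opt someone in by default.
function buildConsentRecord(form, now = new Date()) {
  const consents = {};
  for (const channel of CHANNELS) {
    const value = form[`consent_${channel}`];
    consents[channel] = value === true || value === 'on' || value === 'true';
  }
  return {
    email: form.email,
    country: String(form.country || '').toUpperCase(),
    gdprApplies: requiresGdprConsent(form.country),
    consents,
    consentedAt: now.toISOString(),
    source: form.source || 'unknown',
  };
}

// Append an audit entry describing which channels changed. `previous` is the stored
// record, or null for a brand-new supporter (then every channel is a change).
// `log` is an in-memory array here; in Salsa this data would live in the custom
// tracking fields on the supporter record.
function appendAuditEntry(log, previous, next, action) {
  const changes = {};
  for (const channel of CHANNELS) {
    const before = previous ? previous.consents[channel] : null;
    const after = next.consents[channel];
    if (before !== after) changes[channel] = { from: before, to: after };
  }
  const entry = {
    at: next.consentedAt,
    email: next.email,
    action,
    source: next.source,
    changes,
  };
  log.push(entry);
  return entry;
}

// Worked scenario on constructed input: an EU supporter opts in to email only,
// then later adds SMS (a partial change, not an all-or-nothing unsubscribe).
function demo() {
  const log = [];
  const first = buildConsentRecord(
    { email: 'supporter@example.org', country: 'fr', consent_email: 'on', source: 'petition' },
    new Date('2018-05-25T00:00:00Z'),
  );
  appendAuditEntry(log, null, first, 'opt-in');
  const second = buildConsentRecord(
    { email: 'supporter@example.org', country: 'fr', consent_email: 'on', consent_sms: 'on', source: 'preferences' },
    new Date('2018-06-01T00:00:00Z'),
  );
  appendAuditEntry(log, first, second, 'update');
  return { first, second, log };
}
```

Because `buildConsentRecord` treats anything but an explicit tick as “no”, the same code serves both the opt-in page and the customized unsubscribe page: a supporter who unticks only SMS produces an audit entry with a single `sms` change, and the other channels are left exactly as they were.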