How your advancement team needs to handle GDPR compliance
If your organization deals with customers, clients, or alumni who reside in the European Union (EU) or the European Economic Area (EEA), you might already be aware of GDPR.
What is GDPR?
GDPR (General Data Protection Regulation) is a data privacy law that the EU began enforcing on 25th May 2018.
An iconic move that shook the internet, GDPR was introduced to unify all EU member states’ approaches to data regulation, ensuring all data protection laws are applied identically in every country within the EU. It protects EU citizens from organizations using their data irresponsibly and puts citizens in charge of what information is shared, where, and how it’s shared.
Why are we talking about GDPR?
Complying with GDPR is vital. GDPR binds organizations to implement new rules and regulations that define the way personal data is collected and used. Any business found not abiding by the rules could be charged fines of up to €20 million or 4% of the company’s global annual turnover, though the toughest fines will be reserved for the worst data breaches or data abuse.
According to a recent research report published by TrustArc, only 20% of companies have fully completed their GDPR implementations.
Do non-EU colleges and universities need to worry?
On the face of it, GDPR only affects EU countries, but the law is more complex than that. Even if a school has no established presence in the EU, it is liable to comply with GDPR if its data subjects reside anywhere within the EU. For instance, any non-EU-based college or university storing and processing personal data of alumni who could potentially live in the EU region is subject to GDPR. So yes, it is always safer to be GDPR compliant even if your organization is not based in the EU.
How do I ensure our advancement operations are GDPR compliant?
For a better understanding of whether or not your advancement operations are GDPR compliant, let’s delve deeper into these 3 segments:
1. Understanding Personal Data
2. Keeping your alumni informed
3. Tracking all forms of consent
Understanding ‘Personal Data’
Under the current EU Directive on Data Protection, and the existing UK Data Protection Act, personal data is broadly defined as:
Any information relating to a living, identified or identifiable natural person.
While this can be quite vague to decipher, here’s a detailed infographic on what personal data with respect to your alumni means:
Now that we’ve gone over what data is protected under GDPR, how do you ensure that you’re protecting the rights of your constituents and complying with GDPR?
Keeping your alumni informed
The first and foremost step is to create a Privacy Notice, accurately describing the nature of personal data that you store, why you need to store it, how it’s used, and where and when this data will be shared with third parties. This Privacy Notice must be shared with all alumni, staff, and your mail recipients. Keeping your alumni up-to-date about how their data is being used is vital not only with respect to GDPR but also to maintain a lasting relationship.
Tracking all forms of consent
To safeguard your organization from any penalties, it is advisable to hold records of all opt-in activities of your alumni. Each time any form of personal data gets collected from alumni, they are asked to opt in or consent to share this information by typing in their email, name, card details, or more. Keeping a repository of records that prove you obtained your alumni’s consent is a practice you should adhere to.
Almabase as a data processor for your constituent data is GDPR compliant. Before purchasing any software solution that deals with your constituent data, make sure you check whether they are GDPR compliant.
Your constituent data is an asset to your organization. While GDPR is accelerating the need to comply with standards, you would be well served by seeing this as an opportunity. It is an opportunity to show your constituents that you recognize this responsibility and care about their data, and to foster stronger bonds with them.