Does this sound familiar? Your organization is hosting an event. The first step is to make an invitation list. You look at your array of databases — one for newsletters, one for donations, one for events, and maybe even an old Excel spreadsheet that lives somewhere on your cloud-based share drive. You compile all the pertinent personal information for invitees from these databases into another Excel sheet, upload it to your newsletter database, and send out an email invitation.
So, what have you done wrong? Where to begin?
You manage too many databases
If you’ve been paying attention, you already know that the European General Data Protection Regulation (GDPR) goes into effect on May 25 and your organization’s failure to comply can result in large fines. One major component of the GDPR is that all organizations must provide clear explanations to any constituent residing in the European Union (EU) on how their data is being processed and stored.
Ask yourself: when attendees register for your events online, do you explain that their personal data will be transferred to your newsletter database for communications related to the event and future events? Do you explain that it will be saved in an Excel sheet on a cloud-based share drive for tracking purposes going forward? Do you explain to your online donors that their information will be added to other databases to track communications and events? If not, you are in breach of the GDPR.
It is common for nonprofits to use numerous online database systems, or in GDPR terms, numerous data processors. Each popular vendor usually specializes in meeting one of your needs. EventBrite, for example, collects and processes attendee information on your behalf, the data controller. However, their email component is not easily customizable, so many opt to send event-related emails through another data processor like Constant Contact.
Many think that they have done nothing wrong in this situation, because they are only adding personal information to the newsletter database to send emails about events and no other communications. It seems harmless, but moving personal data from one database to another without the user’s permission is a clear violation of the GDPR, no matter what.
What else should you worry about?
You’re storing personal data you should not be
GDPR rules affect how you store personal data well after your event ends. As stated above, EU residents need to know how their data is being processed and stored. As a data controller, if a constituent in the EU comes to you and asks how their data is being stored, you must provide a copy of all the personal data your organization has stored and why. Under the “right to be forgotten” rule, an EU resident may request that their personal data be removed.
These rules stretch across all of your databases, including the event database, even if you don’t move any personal data from that platform. A huge selling feature of many online event data processors is that they store attendees’ personal data for as long as you use the service, and of course any organization would want that. It’s free market research. With enough data you could identify a constituent’s favorite events, the subject matter they’re most interested in, their preferred time of year to attend events, etc.
Though storing your attendees’ personal data makes your job easier in some ways, it’s not taking personal data security into account. Under the GDPR, you must make it clear when anyone registers for your event that their data will be stored on the event database and any other database you plan on adding it to. If they do not agree to have their personal data stored after the event, you must remove their data from all relevant databases.
Even if weeks, months or even years go by and an attendee asks you how their data is being used, you must tell them exactly where their data is stored and how you use it. They can request to have their data removed at any time, and you must oblige.
Rethink your databases to address the GDPR and data security
In the above scenario, the GDPR is making a bad situation worse. It’s not enough to explain your data collection and storage policies in the fine print every time you collect personal data. Under the GDPR, the print can’t even be fine anymore. You need to assess your databases and get organized.
Using a different data processor to collect personal data for each specific scenario is sloppy and increases your chances of making mistakes. Too often event databases are set up under an individual employee’s email address, and once that employee leaves, the organization is left scratching its head over how to access data it is responsible for as data controller. Even if you keep track of all of your databases, one proactive employee might store data improperly with the best of intentions and end up compromising your GDPR-compliant data security protocol.
With all of these databases, you’re also just creating more work for your employees than you need to. When it comes to managing data, focus on security, productivity, and now, GDPR compliance.