How's GDPR going for you?
Tomorrow (May 25th), the new EU General Data Protection Legislation (GDPR) will come into effect. Under this new law, European citizens will have full control over their personal data. While this is great news for individuals, it can be a big headache for companies and organisations, especially for small and not-for-profit structures.
Next Monday (May 28th), we will have a training to start developing our plan of action towards compliance. We would love to hear from you about your experience with GDPR so far, including tips that you learned while adapting your work to the new legislation, and questions that still remain unsolved.
We are still wondering if we should send a newsletter to our subscribers to get their consent... We use Mailchimp as a mailing provider and they have some new fields to collect GDPR info, but I'm afraid people will just unsubscribe in bulk and we will lose most of our subscribers.
That is a tricky one, Emma. We have heard different opinions on this one, but after discussing it with our consultant we decided not to run an opt-in campaign, mostly because the biggest part of our subscribers signed up for our mailing list themselves and he reassured us this counts as consent (even though we are still not 100% sure the consent is stored the right way in the digital world). What we did (as you have probably seen) was to add a paragraph to the top of our newsletter sent just before the 25th, explaining briefly what we do with users' data and letting them know we are reworking our privacy policy. We are still figuring out the GDPR fields on Mailchimp and I can keep you posted on this. I am looking forward to hearing how other organisations are handling this.
Hi everyone! From Trans Europe Halles, we haven't sent that GDPR email either. According to GDPR, there are actually six grounds for collecting and processing data, and consent is only one of them. It might be worth checking the "legitimate interest" ground and how it operates within the frame of your own activity.
In our case, the email addresses of our newsletter subscribers are only stored or processed when they sign up for it, so we have proof of consent through the information that MailChimp collects. In any case, we are changing the whole process to sign up for our newsletter soon to make the consent more explicit and provide our audience with more information about how we process data. In case you are interested, I am adding here a link to our new Privacy Policy and Cookies Notice.
As you can imagine, we are not legal experts or advisors, so you should not rely or act upon this information without seeking professional counsel.
Thanks for sharing TEH's experience with us, José! Would you mind sharing a bit more on the process of writing the new privacy statement? Did you do it in-house or did you hire a professional to do it for you?
Hi all!
We at Dance Info Finland decided not to do an opt-in campaign for our newsletters as the majority of subscribers have already done it by themselves (to be honest, I'm not sure how I technically can find all their subscriptions that can date back many many years..). And another reason is the "legitimate interest" José from TEH mentioned, which justifies our sending out information to people that can be identified as professionals from the dance or performing arts field (or related, like the journalists) - in whose interest it is to get information about dance related matters from us. Uh, that was a long sentence!
I'll link to our Privacy Notice we made ourselves (a bit of copying from others). The one in Finnish is a bit more thorough.
We still have to update the subscription forms to our newsletters, haven't done that yet. Will be adding there a link to our Privacy Notice + information about what we do and don't do with the information asked in the form + consent for receiving information about professional dance related affairs.
The subscription form will also be updated into a double-opt-in one - meaning that you will have to confirm your subscription with a link that you get to your e-mail before you are added to our lists (that leaves at least a proof to us).
And one more important thing. Our CRM system (kind of a contact database) is also updated and improved so that in the future, it will be easier to prove a ground for processing personal information (consent, legitimate interest, obligations due to a contract, membership etc). Also it will be quite simple to print out all the information we have about a person when required.
And before starting this process, we went through everything we have in our registers, databases, on our personal computers, and printed on paper on the shelves and in folders in the office that can be considered personal information. Then we noted down why we keep that information, for how long, where (it has to be a safe place), etc.
This is a huge thing to do - BUT one must keep in mind that everything you do and practices you adopt must be considered according to the risk you face with the information you have. So use your common sense. For example, we don't collect or keep dates of birth or any sensitive information about people. Mainly name, address & email. Okay, plus your title, job, organisation...
I think there have been many communication & IT businesses that have tried to cash out with this GDPR by scaring people with eventual huge amendments.
Anyway, I'm not a legal expert by any means, so this is only my opinion, and just a description of what and how we decided to solve the problem in our organisation. Your situation might be different: the information you retain may be of a different quality, and the legislation and advice you get about applying the regulation may be different in your country. Anyway, I found this one a good basic guide to the matter: https://ico.org.uk/for-organisations/guide-to-the-general-data-protecti…
All the best!