What Canadian Charities need to know about GDPR

What is GDPR?
The General Data Protection Regulation (GDPR) has recently (as of May 25, 2018) been enacted in the European Union. It oversees how personal data is processed and increases the rights of each member in your lists. Currently, the GDPR is only relevant in the EU and to individuals who live in the EU, but many speculate it’s only a matter of time before similar regulations are enacted worldwide. In the meantime, for charities in Canada, the Canada Not-for-profit Corporation Act and your provincial societies act apply as they have previously.

What is considered “Personal Data”?
Personal Data refers to any information that can identify an individual, such as their name and contact information. It also encompasses higher-security information such as credit card information and criminal records.

Does the GDPR affect your charity?
If you have donors who live in the EU or you have charitable programs that operate in the EU, then yes, the GDPR affects you. If not, it does not. If you have some donors in the EU, take this opportunity to reach out to them and ensure you have consent for sending them materials.

How does consent play into the GDPR?
If you are sending email and mail to your donor list, all you need to do is ensure that the user/donor has willingly signed up for your list at some point in the past. Opt-in can be in the form of a simple checkbox on an online or paper form. The simplest thing to do is to go through your website form where people sign up for your newsletters and pull the data to indicate opt-in time. You don’t need to re-ask your list to opt in again!

Things you shouldn’t and can’t do under the GDPR:

  • Rent or sell your list of donor names to any external sales groups for extra income. This is common for periodical subscriptions, but overall a poor practice in the nonprofit industry.

  • Use your donor list to sell something unrelated to your charity or cause. It’s permissible to sell artisan goods made by the people your charity impacts, but it’s not permissible to send information about a corporate sponsor’s product.

Things you should do:

  • Ensure you have a privacy policy. If you don’t have one, now is the time to put a document together to assure your donors that you take their privacy seriously and have internal ways to manage processing data.

  • Be extra clear on what donors are signing up for when they provide their contact information or email address. For example, in the donation process let donors know that the information that is collected is used to issue their tax receipt. Be transparent and let donors decide whether or not they want to receive your newsletter updates.

Friendly Reminder About CASL

Even though GDPR may not apply to you as a Canadian Charity, there is still CASL.

What is CASL?
CASL (Canadian Anti-Spam Legislation) was enacted to stop spam and data harvesting, and allows users to unsubscribe from unwanted email solicitation. CASL applies to all Commercial Electronic Messages (CEMs). 

A CEM is an electronic message that encourages participation in a commercial, profit-generating activity.

Good news! This means that it does not generally apply to not-for-profit fundraising!

Electronic media for which fundraising is the primary purpose need not comply with CASL. 

What activities does CASL apply to?
There are some activities that many nonprofits do that ARE considered CEMs. If you engage in any of the following, you need to adhere to CASL:

  • Soliciting for registration to your program/service
  • Selling products (e.g. goods associated with your cause that are not for fundraising purposes: “Buy these handmade crafts. Proceeds go to the makers in XYZ country.”)

Any electronic message where you are selling a product or service to users who receive something in return (a commercial transaction) MUST comply with CASL.

Solicitations solely for funds or confirming information need not comply with CASL. Here are a few examples of solicitations that generally do NOT need to comply:

  • Fundraising Campaigns: e.g. Donate to send a kid to camp!
  • Matching Campaigns: e.g. Contribute to our matching campaign!
  • Notifications that a donation was received
  • Confirmation of contact information

Is the email asking for a monetary transaction? Evaluate what needs to comply with CASL and what doesn’t by asking: “Can this transaction be charitably receipted?” If the answer is yes, you do not need to worry about CASL; if the answer is no, you do.

What to do if you have Messages that Need to Adhere to CASL

Ensure all your contacts have willingly subscribed to your solicitation.
Have your recipients checked a box on your donation form or website indicating that they want to receive your emails? Is this a voluntary field? If not, you do not have their consent to send CEMs. 

Make sure your sender contact information is clear in your CEM.
CASL requires all CEMs sent to have a clear sender. Whether this is an internal staff member or your executive director, you need to provide the name, mailing address, and either a phone number or an email of the sender.

Provide a simple unsubscribing mechanism.
Users who receive your CEM need to be able to unsubscribe easily without cost. Include a link at the footer of your email that allows users to unsubscribe. Their request must also be processed within 10 business days.

Disclaimer: This post is not legal advice and we’re not lawyers. While we think this post is packed with useful information, it is for informational purposes only, and Frontier is not liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use.