The General Data Protection Regulation (GDPR) is a new EU Regulation taking effect on May 25th, 2018. The regulation seeks to protect EU residents’ personal data. It creates a number of compliance obligations for organizations that process the personal data of EU residents. Salsa provides for GDPR related assurances in our Terms of Service and we have also created a number of helpful functions within the Salsa system for organizations who have determined that they must be GDPR compliant to assist such organizations to comply with GDPR as related to the personal data of EU residents processed by customers in the Salsa system. This document provides an overview of those functions.
Should you choose to use the capabilities within the Salsa platform, the Salsa platform alone does not make you GDPR compliant. These functions will need to be used in conjunction with changes to process, record keeping, and other activities within your organization. GDPR compliance comes with additional work effort and possible impacts to supporter experience and conversion rates.
This document is not meant as a comprehensive resource for GDPR, nor is it intended as legal advice. You should consult with your own legal resources to find out if the GDPR is applicable to your organization's data processing activities.
For our purposes, we have broken GDPR compliance related functionality into a couple of major categories as related to Salsa’s platform. We have categorized these as:
- Full disclosure/Active consent during opt in;
- Request to know what data has been collected; Access to that data;
- Right to be forgotten; and
- Audit trails.
We will now walk through each of these areas at a high level in terms of complying with GDPR on the Salsa platform. For more detailed instructions, we are preparing help documents which will be available soon through Salsa’s Knowledge Center.
1) Full disclosure/Active consent during opt in
Salsa has provided the ability for customers to obtain active opt in consent from supporters for data processing activities where consent is the basis for the processing. Group opt-in boxes on submission forms are not pre-checked so that, consistent with GDPR requirements, supporters must affirmatively opt-in to the group. This includes allowing supporters using the Salsa system to explicitly choose EACH communication method by which they consent to being contacted for direct marketing purposes by providing separate opt-in boxes for each of for each contact method, such as email, phone, direct mail, text, and social media channels.
Under GDPR, supporters must be able to withdraw consent as easily as they were able to opt in, and at any time. Salsa provides all accounts with a publicly accessible page for supporters to remove their consent.
Organizations will be required to notify supporters that their data will be leaving the EU for storage, processing and use within the United States. Such notices or links to such notices can be placed on Salsa supporter facing forms. Organizations will also be required to notify supporters about their privacy practices. Salsa allows customers to present notices to supporters on various forms, which may link to comprehensive notices provided by customers if customers so choose. Customers may also choose to link to Salsa’s privacy notice, available here, if customers wish to make such information accessible to supporters through the forms
Organizations will also be required to notify supporters about their privacy practices.
2) What has been collected? How can it be accessed?
As part of GDPR, supporters have the right to request access to the information that has been collected about them by the organization. Salsa provides a tool for campaign managers to retrieve the comprehensive list of information that has been collected and stored. Campaign managers can then deliver that data to the supporter in question.
3) Rights to be forgotten, to rectify and to restrict
Supporters can request to be forgotten by an organization. This means that the organization is obligated to remove any and all personally identifiable information (PII) stored about that supporter if the organization has no other legitimate reason to retain the data. In order to allow compliance and still maintain data integrity for items like donation amounts and counts, Salsa can help clients comply with supporter requests to be forgotten by replacing all the PII in the databases with an anonymous value. Transactions that have occurred will still have amount, date, and other transactional data, but will not be tied back to an identifiable individual. All custom fields and notes will be deleted for the supporter as well. This approach enables organizations to meet their GDPR obligations without sacrificing data integrity for important information such as funds raised by time period.
Campaign managers may also revise supporter data to make corrections requested by supporters.
Salsa will also work with customers to fulfill any requests its customers may receive to restrict processing of the data. While the Salsa platform cannot operationally segregate the data of a particular supporter on the Salsa platform, we can help facilitate the transfer of a supporters data to a separate system and stop processing it on the Salsa platform.
4) Audit Trail
Organizations subject to the GDPR should maintain an audit log of all interactions where a supporter asked to opt in or opt out, requested access or changes to their information, asked to be forgotten or to have processing of their personal data restricted. Salsa offers functionality to create this audit log.
Organizations must inform the supporter about the action taken in response to their request to opt out. Clients can use the Salsa platform to create unsubscribe (opt out) landing pages to communicate the actions taken upon receipt of their request.
If you determine that the GDPR applies to your organization, we invite you to leverage the functions in the Salsa system described above as one part of your overall GDPR compliance efforts. However, there are many more aspects to GDPR compliance and we encourage you to seek professional advice to 1) determine if GDPR applies to you and 2) how to implement any required compliance initiatives it if needed.