Your nonprofit website needs to be GDPR compliant. Get a head-start with these free GDPR tools.

If your organization interacts with European citizens in any way, it’s important you understand what responsibilities you have to protect the privacy of those visitors and perhaps donors. The European Union will be enforcing a new regulation called the EU General Data Protection Regulation (GDPR) as of May 25, 2018.

In this article, we’ll provide a brief overview of what GDPR means practically for your WordPress website. We’ll also provide some tools you can use today to get prepared for this new regulation.

Please bear in mind that while we inform ourselves to the best of our abilities, we are not legal experts. We’re providing these tools as a way for you to have a head-start toward meeting the requirements of the GDPR. However, your final compliance depends on a lot more than just your website or what any single plugin or resource can provide.

What is the GDPR Exactly?

The GDPR website itself is the best source to learn what exactly this regulation is, but let’s break it down a bit first. Generally speaking, the intent of the GDPR is to ensure that the privacy of internet users is protected by default, not as an after-thought. Three important points stand out as impacting your website the most:

  1. Consent
    Every time you collect information related to an individual, you must ask for that user’s consent to collect that information. This is the heart of the EU’s previous regulation that you might have heard of: The EU Cookie Law. When your website uses cookies to track visitor activity on your site, you must seek consent from the user. That can be done in a wide variety of ways, but the principle is that the user needs to be informed about how their behavior on your website might be tracked. The GDPR applies that same principle to everything that collects information: intake forms, newsletter forms, logins, e-commerce, etc.
  2. Right to Access
    Because you asked for the user’s consent, the user may occasionally also want to see exactly what kind of information you have collected about them. The “Right to Access” says that the user should be empowered to request a list of all information that you have about them at any given time.
  3. Right to be Forgotten
    Combined with the “Right to Access” is the “Right to be Forgotten.” Once the visitor knows exactly what information you have related to them, they have the right to ask you to delete any information that is protected under the GDPR so that you can no longer do anything with that information. The notable piece of information that is outside the realm of this request is e-commerce and/or donation information. It is not feasible for an organization to delete financial information — it makes proper accounting basically impossible. Besides that, any personally identifiable tracking information, newsletter subscriptions, etc. all must be deleted at the user’s request.

All of these requirements have technical aspects to them that can make your compliance with GDPR very difficult to implement. Fortunately, there are tools readily and freely available that will make implementing these features into your site much more feasible. That’s what this article is all about.

My Organization is in the U.S. — does this apply to me?

The large majority of our readers are U.S.-based non-profit organizations. You may be thinking that that means you are not subject to this regulation — in some cases that is true, but not always. The scope of the GDPR is to protect the citizens of the 28 member states of the EU. According to the GDPR website:

The GDPR will also apply to the processing of personal data of data subjects in the EU by [an organization’s website] not established in the EU, where the activities relate to: offering goods or services to EU citizens (irrespective of whether payment is required) and the monitoring of behaviour that takes place within the EU.

That explanation is a bit muddy though. This article by Forbes.com boils it down much more directly for businesses in the U.S. Essentially, if you target EU citizens by mentioning them or marketing them directly in any way, you must comply with GDPR. According to the Forbes article:

“The organization would have to target a data subject in an EU country. Generic marketing doesn’t count. For example, a Dutch user who Googles and finds an English-language webpage written for U.S. consumers or B2B customers would not be covered under the GDPR. However, if the marketing is in the language of that country and there are references to EU users and customers, then the webpage would be considered targeted marketing and the GDPR will apply.”

If that’s you, then now’s the time to kick your GDPR tooling into high-gear.

Tools Give Already Provides

When GDPR discusses “consent”, it means that the user must have a way to confirm affirmatively that they agree to have their data collected for the purposes you set out. It must be documented that they gave consent, not that they simply used a form on your site. This means that each and every form on your site should have an input that makes it explicit that the visitor agrees to have their information collected.

That regulation is no different for donors. In effect, you’ll need to add a checkbox to your form indicating that the donor agrees to your website’s general Privacy Policy and Terms and Conditions. Naturally, this means your nonprofit needs to have its own dedicated privacy policy. See our previous post about why that is important regardless of the GDPR.

Fortunately, if you’re using Give, that tool is already available to you today. If your website falls under the GDPR you’ll want to enable the Terms and Conditions feature in Give for all of your forms.

Give’s Terms and Conditions settings screen.

Our full docs on the Terms and Conditions are in the documentation section, found here. Below are a few things to keep in mind:

  • There is a global Terms and Conditions setting for Give. Find that in Donations > Settings > Display Options > Terms and Conditions.
  • You can customize your Terms and Conditions per form.
  • If you have existing forms and they are all set to the “Global Options” then when you enable Terms and Conditions in the Global settings, it will be enabled for all your forms.
  • The Terms and Conditions editor accepts links, so you might want to keep the text in this setting short and simply link to your full Privacy Policy and Terms and Conditions pages.

Here’s a suggested text for your Give Terms and Conditions setting if you’d like to link to your full pages:

By donating with this form, you agree to our {Privacy Policy} and {Terms and Conditions}.

The other tool Give already has that you’ll need for GDPR relates to the “Right to Access.” Your donors want to know what kind of information you have on them related to their donation activity. In that regard, Give already has a Donation History which they can access whenever they like.

The Donation History page is created automatically when you install Give the first time. But it can be customized as well. Here is the relevant documentation on the Donation History page.

Additionally, if they want all related donor meta, you can go to “Donations > Tools > Exports” and use the Donor Export report to provide them with all info you have related to their donor account.

Regarding the “Right to be Forgotten,” I mentioned earlier that financial transactions do not fall under the GDPR. GDPR makes concessions for businesses to store personally identifiable information when there is a “legitimate interest” for keeping that data. Every business has to file taxes and that is not possible without proper financial records. To that end, while the EU citizen has the right to access any financial information you have collected about them, they do not have the right to be forgotten with regard to donation activity.

Your WordPress website collects information on your visitors and users in many different ways outside the scope of what Give does. Let’s discuss next what WordPress itself will be providing you in that regard.

Tools WordPress Core will be Providing

While most development on WordPress 5.0 has been focused on Gutenberg, GDPR, with its May 25 deadline, has also stoked a fire. The Core team is working hard to provide tools for website owners.

The WordPress GDPR Roadmap:

“We cannot make WordPress sites compliant, but we can provide site administrators and users with the tools they need to help them bring their sites into healthy compliance.”

Those first words are really important: “We cannot make WordPress sites compliant.” Similarly to PCI Compliance, this type of compliance is much larger and more nuanced than any cookie-cutter solution can provide you with. The goals of the WordPress Core team are to give you the basics in order to make it as easy as possible for you to be in compliance. But the actual compliance depends on you, your organization, and your legal team.

With that said, the WordPress Core team is working hard to push a release out soon that will focus on these items:

  1. Add tools to Core to facilitate compliance and privacy in general.
  2. Add tools for creating a privacy policy.
  3. Create some guidelines for plugins on compliance.
  4. Add documentation/help for site owners on how to use these tools.

Conversations and development around these new tools (items 1 and 2 above) have been generally focused on adding a Privacy Policy generator, adding explicit opt-ins to comments, and a feature to allow all personal data to be emailed to a user with one click.

These features — like all of WordPress — would have hooks available for plugins (like Give) so that we could add donor-specific information into those personal data emails.
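As an added illustration of what such a hook looks like (this is example code, not code from this post, from Give, or from WordPress core), the snippet below registers a donor-data exporter and eraser using the `wp_privacy_personal_data_exporters` and `wp_privacy_personal_data_erasers` filters that WordPress core shipped for this purpose in 4.9.6. `my_lookup_donations_by_email()` is a hypothetical placeholder for the plugin’s own donor query, and the eraser deliberately reports donation records as retained, matching the legitimate-interest point made above.

```php
<?php
// Added example, not Give's or WordPress core's code. The two filters are WordPress
// core's privacy hooks (4.9.6+); my_lookup_donations_by_email() is a hypothetical placeholder.

function my_lookup_donations_by_email( $email ) {
    // Placeholder: a real plugin would query its own donation tables here.
    return array( array( 'id' => 101, 'date' => '2018-03-02', 'amount' => '25.00 USD' ) );
}

// Right to Access: runs when an admin exports personal data for this email address.
function my_donor_data_exporter( $email_address, $page = 1 ) {
    $items = array();
    foreach ( my_lookup_donations_by_email( $email_address ) as $donation ) {
        $items[] = array(
            'group_id'    => 'donations',
            'group_label' => 'Donations',
            'item_id'     => 'donation-' . $donation['id'],
            'data'        => array(
                array( 'name' => 'Date',   'value' => $donation['date'] ),
                array( 'name' => 'Amount', 'value' => $donation['amount'] ),
            ),
        );
    }
    return array( 'data' => $items, 'done' => true ); // single page, nothing more to fetch
}

// Right to be Forgotten: runs on erasure requests. Donation records are kept
// (legitimate interest, financial record-keeping), so they are reported as retained.
function my_donor_data_eraser( $email_address, $page = 1 ) {
    $retained = count( my_lookup_donations_by_email( $email_address ) ) > 0;
    return array(
        'items_removed'  => false,
        'items_retained' => $retained,
        'messages'       => $retained ? array( 'Donation records retained for financial record-keeping.' ) : array(),
        'done'           => true,
    );
}

add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['my-donor-plugin'] = array( 'exporter_friendly_name' => 'Donor Data', 'callback' => 'my_donor_data_exporter' );
    return $exporters;
} );
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['my-donor-plugin'] = array( 'eraser_friendly_name' => 'Donor Data', 'callback' => 'my_donor_data_eraser' );
    return $erasers;
} );
```

Because the eraser never deletes donation rows, the admin-facing erasure report shows the retained items and the reason, which is exactly the record you want to be able to show a requester.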

Lastly, the documentation being written will serve as a guide for all website owners. The benefit of documentation like this is that there will be many highly-informed individuals from all over the world contributing to this documentation. There will be experience and expertise going into those docs. This is another great benefit of working with WordPress — the vast, global community of volunteers and leaders.

GDPR Plugins You Can Use Today

If you are ready to start implementing some GDPR practices on your website today, there are already several great and free plugins available that you can use.

The GDPR Framework Plugin.
  1. GDPR Framework Plugin:
    I recommend this plugin first because it really provides basically everything you need in one package. It has forms for users to request their information and an admin tool to send them that info. It has comment consent checkboxes and integrations with other popular form-related plugins like WooCommerce, Gravity Forms, Contact Form 7 and more.

    I also really like this plugin because the online documentation is very thorough. Additionally, the team behind it are experts in European law and they also provide services that might be valuable to you and your organization. I recommend checking them out.
  2. GDPR by Trew Knowledge:
    This plugin is also very good and has most of the features that you need as well. They do a great job of making the plugin very extensible for other plugins to connect to. The downside is the online documentation is far less than the one by Webdev Law above.
  3. Privacy Policy Plugin:
    This is a handy tool to generate a Privacy Policy page for you based on Automattic’s own Privacy Policy page. Naturally, whatever you generate you’ll want to have a lawyer review anyway, but this could be a good starting point.

Lastly, keep in mind that you most likely also use a lot of third-party tools that collect visitor information in many different ways. Most of the big tools have been preparing for this already for a long time, so they already have great resources available to you. Here are just a few examples.

  • Google Analytics
  • MailChimp
  • Salesforce
  • Hubspot
  • Constant Contact

GDPR Is Good Business

Most likely, if you’re reading this article, you’re a nonprofit organization with a very tight development or legal budget. Wading through all of this new legalese and these technical requirements can seem very daunting, intimidating, and even just plain burdensome. We sympathize with you on that.

In any case, it’s important to keep in mind how central your donors are to the success of your organization. Valuing their privacy in the ways the GDPR spells out is good business for you. When your donors see how transparent you are with their information, how you protect it and guard it against being used nefariously, they’ll reward you with loyalty and ideally with renewed and recurring donations and volunteerism.

GDPR might not be a lot of fun right now, but making it a priority now will help you and your organization succeed in the long run.

Matt Cromwell

Matt is a co-author of Give and is Head of Support and Community Outreach for WordImpress and GiveWP.com. He loves writing docs and being "Generally helpful since birth".
