In compliance with the GDPR, a non-profit like us has two responsibilities. First, to protect the personal data we collect from our supporters upon sign-up (name, email, address, password, and billing data if they purchase something). Second, to guarantee that we collect, store and work with our supporters’ data in a legitimate way and that our supporters are informed of how exactly we do that.
Even though we have always acted in accordance with the principles of the GDPR, there is still work to do to tidy up the processes we follow and to comply with both the letter and the spirit of the law. So here is a list of the major things we are going through and why they matter.
Some of the services we sell are provided by external partners: MailChimp for email marketing, Google for Analytics and AdWords, QuickBooks and others. They need the client’s data so they can deliver their services. You can click on the links above to review their privacy policies.
1. Internal procedures and enhancements
Our operations are designed following the “security and privacy by default” and least privilege principles. What we are doing in line with the GDPR is auditing and enhancing the security levels and adding new procedures where it is required by the new regulation. Another new procedure we introduced is working only with partners that are GDPR-compliant.
2. Right to be forgotten
Under the GDPR every client can request “to be forgotten”, meaning all their data has to be deleted and never used again, except in certain circumstances, which may include having to keep processing their personal information to comply with a legal obligation. An example of such an obligation is the requirement to keep a copy of all invoices to comply with financial and tax legislation.
3. Right of access, update, portability and withdrawal of consent
As a client you can ask what data we store about you, update it and, where we rely on your consent for processing the data, you can withdraw your consent to that use.