Getting Ready for the GDPR
In compliance with the GDPR, a non-profit like us has two responsibilities: to protect the personal data we collect from our supporters upon sign up (name, email, address, password, billing data if they purchase something), and to guarantee that we collect, store and work with our supporters’ data in a legitimate way and that our supporters are informed how exactly we do that.
Even though we have always been acting in accordance with the principles of the GDPR, there is still work to tidy up the processes we follow and comply with the letter and spirit of the law. So here is a list of the major things we are going through and why they matter.
- Terms of Service and Privacy policy updates
The GDPR says we have to inform clients what data we collect about them and legitimize how we use it afterwards. The good news is that we collect only the minimal set of personal data that is required to deliver our creative services. For example, we collect your physical address for invoicing and tax purposes. We may collect your credit card data because we need to bill you upon purchase. We collect your email because we need to contact you regarding your orders, the status of the services, important functionality updates and, where you have consented to receive such communications, contact you with newsletters and promotions. We use cookies because they help us show relevant content to our website visitors and advertise based on these interactions. We don’t use any of the data collected for profiling or other secondary purposes and we do not sell it to anyone.
As per the GDPR requirements, our new Privacy Policy describes why and how we collect and process personal information and any client, existing or new, would be able to validate that we handle this information carefully and sensibly.
Some of the services we sell are provided by external partners – ConvertKit for email marketing, Google for Analytics, QuickBooks and others. They need the client’s data so they can deliver services. You can click on the links above to review their privacy policies.
- Internal procedures and enhancements
Our operations are designed following the “security and privacy by default” and least privilege principles. What we are doing in line with the GDPR is auditing and enhancing the security levels and adding new procedures where it is required by the new regulation. Another new procedure we introduced is working only with partners that are GDPR-compliant.
- Right to be forgotten
Under the GDPR every client can request “to be forgotten”, meaning all their data has to be deleted and never used again, except in certain circumstances, which may include having to keep processing your personal information to comply with a legal obligation. An example of such an obligation is the requirement to keep a copy of all invoices to comply with financial and tax legislation.
- Right of access, update, portability and withdrawal of consent
As a client you can ask what data we store about you, update it and, where we rely on your consent for processing the data, you can withdraw your consent to that use.