GDPR help for community groups

How we can help your organisation with GDPR compliance

If you already use interests.me (or even if you don’t) and wish to become GDPR compliant, we’ve produced a 40 minute video tutorial taking you through all the new GDPR features of our web tool and helping you to understand how to become GDPR compliant with respect to collecting email addresses, managing mailing lists and sending email newsletters. Here it is! It’s especially for small local organisations.

GDPR stands for General Data Protection Regulation. It applies to anyone processing or controlling the Personal Data of data subjects in the EEA (European Economic Area), and has been in force since 25th May 2018.

GDPR is relevant to you if you are already using (or wish to use) interests.me for email newsletters – i.e. if you are collecting email addresses onto a mailing list, managing your existing mailing lists using interests.me, or using interests.me to send email newsletters.

Only you are responsible for your compliance with GDPR. However, we are trying to help by providing features which make it easier to comply. Please note that we can only assist with your compliance as far as your use of our service is concerned, not with any other ways in which your organisation may use Personal Data.

As described in the video tutorial, here are the 9 Steps to GDPR Compliance (at least as far as emailing is concerned):

      1. Check whether you need to register with the ICO
        Not every non-profit organisation processing Personal Data needs to do this (in the UK, “registering” means paying the ICO’s data protection fee). You can find out whether or not you need to by completing the ICO’s simple questionnaire here. Remember, if you collect or store email addresses, you are processing Personal Data.

        Even if you find that you are exempt from registration with the ICO, this does not mean that you can ignore GDPR. It just means you don’t have to register; you still need to comply, so continue reading!
      2. Write a GDPR-compliant Privacy Policy (and comply with it!)
        The Regulation requires you to have a Privacy Policy, which you should share with all new subscribers to your email lists and with all existing subscribers. It also requires your Privacy Policy to contain specific information that wasn’t previously required, so you’ll most likely need to write a new Privacy Policy even if you already have one. If all you do with Personal Data is collect email addresses in the interests.me system and send emails through the interests.me system, we can help you create a very simple Privacy Policy covering only these activities.

        However, if (like many organisations) your use of Personal Data goes beyond your use of interests.me, you will need a more comprehensive Privacy Policy. In this case, we recommend Suzanne Dibble’s excellent GDPR Pack. (Please note that we will be entitled to a small commission if you purchase this Pack with our link, but this doesn’t increase the price to you. Other sources of GDPR advice and information are available!)

        Once you’ve written your Privacy Policy (or decided to use our template), add it into interests.me by going to Email Newsletters, then Email Settings. You can paste it in, or use a link if your Privacy Policy is already online. Once it is in interests.me, it will automatically be shown to all new subscribers who sign up to your public mailing lists, which is what the Regulation requires.
      3. Set up a Data Processing Agreement with your email newsletter provider
        The Regulation requires you to have a Data Processing Agreement with any third party you use to process your email addresses. If you are using interests.me for emailing, that’s us.

        As the Data Controller for your email addresses, this is your responsibility. However, we’ve made it easy for you by writing a Data Processing Agreement between us. When you log in and go to ‘Email Newsletters’, the system will prompt you to read it, and you’ll be asked whether you agree to it on behalf of your organisation.

        If you have any issues with agreeing to it (and we don’t believe you will, as it mostly sets out what you can expect of us in regard to keeping your data safe), please email us at support@interests.me and we will try to resolve your concerns.
      4. Allow new subscribers to sign up in a compliant way
        If your mailing list is available for members of the public to sign up to, you need to do a few things:

        Make sure your Privacy Policy is shown when they opt in, so they know what you will do with their email address. This has already been covered: if you’ve added your Privacy Policy into interests.me, it will automatically be shown whenever subscribers opt in.

        Be very clear and transparent about what they are opting into. This means having a very clear consent statement, e.g. “I consent to receive email newsletters from Organisation X about topic Y”. If you send different emails about different topics (e.g. a Fundraising email and a Volunteering Opportunities email), you should allow your subscribers “granular consent”, so that they can sign up to one mailing list but not the other.

        We help you create the consent text for every public mailing list by giving you some default text. You can change this to make it right for your organisation: go into the list, then click on ‘List Settings’ and ‘Change list settings’. The new consent text will appear in the signup form for that mailing list.

        Record the consent wording. Whatever consent a subscriber has given when they opt in is recorded in our system against that subscriber, together with the date they subscribed and the list title. This ‘justification’ follows the subscriber if you move or copy them to another list in our system using the ‘Move’ or ‘Copy’ functions, so you never lose the audit trail of how they opted in to your list.

        By the way, if you add subscribers yourself (by uploading them, or by copying and pasting their email addresses from somewhere else), you’ll now be asked to record your lawful basis (justification) for processing their Personal Data. We help you to do this at the time, in our system. This helps make sure you comply by keeping the required records for every new subscriber you add.

        Ask for a double opt-in. New subscribers who opt in receive a confirmation email containing a link they must click in order to be added to the mailing list. This is known as a “double opt-in”. It is not strictly required for GDPR compliance, but it is best practice, and the recorded confirmation helps you to prove that the owner of the address really did give consent.

        Give them an easy way to unsubscribe. Every email you send carries an ‘unsubscribe’ link at the bottom, so all your subscribers have an easy way to opt out. Clicking it automatically removes them from the list the email was sent to.

      5. Record where you have a legitimate interest to continue emailing
        If you have existing email subscribers, you need to be sure whether you can continue to email them (and process their Personal Data) or not, and you need to record your justification for continuing to email them.

        If they are members of your organisation, volunteers, service users or customers, or trustees (or similar), you may not need their consent to email them. However, you will still need to record the lawful basis on which you are continuing to process their Personal Data. “Legitimate interests” may be the most appropriate lawful basis for continuing to email these subscribers. See the ICO guidance for assessing whether you have a legitimate interest; the ICO guidance also covers the separate rules on electronic marketing (PECR), which apply alongside GDPR, so check that legitimate interests is available for the kind of email you send to the individuals concerned.

        Here’s a slide from our video to help prompt your thinking.

        When you’ve established which of your subscribers fall into this category, we suggest you create a new mailing list called ‘Legitimate Interests’, then go back to your original mailing list, tick the subscribers who apply, and move them to the new list.

        Once they’re in the new list, you’re still not quite finished, because you need to mark them with a justification in the system for continuing to email them. To do this, go to ‘List Settings’ within your new Legitimate Interests mailing list and click on ‘Export CSV File’. As soon as it has downloaded, go to Add Subscribers, then Upload CSV File, and upload the file you’ve just downloaded.

        This time, you’ll be asked for a justification for these subscribers, so this is your chance to record ‘Legitimate interest’ in the justification box. If possible, add a bit more detail about why you have a legitimate interest; e.g. if they are members or volunteers, this is good to record here.

        Note that if you are relying on legitimate interests, you need to write down your reasoning (the ICO calls this a legitimate interests assessment) so that, if challenged by the ICO or a subscriber, you can justify it.

      6. Record where you have valid consent to continue emailing
        If you don’t have a legitimate interest in emailing your subscribers, you may need to rely on their consent as your lawful basis for processing.

        If the way you originally obtained their consent was not fully GDPR-compliant, you may need to ask these subscribers for their consent again, or delete their contact details. See the ICO guidance on ensuring your consent meets the high standard required.

        Here’s our summary of the things you need to consider.

        If you believe you have valid consent under GDPR for some or all of your subscribers, create a new mailing list called ‘Valid Consents’ and move those subscribers across to it. Then (just as you did with Legitimate Interests) download a CSV file of these subscribers and upload it again, this time adding your ‘Justification’. It might be something like ‘Consent given on paper form at Village Show 2018’.
      7. Tell these subscribers about your new Privacy Policy
        You should now have two lists (Legitimate Interests and Valid Consents) in which every subscriber has a justification recorded against them.

        All you need to do with these subscribers is email them to let them know about your Privacy Policy, tell them you will continue emailing them, and make it clear how they can opt out if they wish to. Send them this email before you move them back to your main Mailing List.

        Here’s our suggested text for that email (which you could title “Our New Privacy Policy”):

        Dear subscribers,

        You’re receiving this email because we need to tell you about our new Privacy Policy.

        You can find our new Privacy Policy by clicking on https://yourorganisationname.interests.me, and then clicking ‘Join’ on our mailing list signup box.

        (Please note you do not need to re-join our mailing list, but if you would like to make your consent known to us, you are welcome to do so).

        For the purposes of the GDPR (General Data Protection Regulation), effective from 25th May 2018, we have assessed that we can continue emailing you without asking for your further consent, either because the consent you originally gave us was sufficient, or because our relationship with you justifies our continued emailing on the basis of legitimate interests.

        If you’d like further information about this, or to ask us about your specific case, reply to this email with your question.

        As always, you can unsubscribe or opt out of receiving emails from us by clicking the ‘unsubscribe’ link below.

        Best wishes,

        Organisation name

      8. Ask other subscribers to re-consent
        For your other subscribers (those for whom you do not consider that you have legitimate interests or valid consent), you’ll need to ask them to re-consent. In interests.me, this is just the same as re-subscribing.

        The best thing to do is send them an email. Here’s our suggested text for this email, which you could title “Sign Up To Hear About Our Events and Activities”:

        Hi, you’ve previously subscribed to hear about our events and activities. However, because of new Data Protection laws (GDPR), we need you to confirm that you still want to hear from us.

        To do so, please go to https://yourorganisationname.interests.me and click ‘Join’ to re-join our Mailing List.

        When you do so, you’ll see a link to our new Privacy Policy. This tells you what we’ll do with your name and email address.

        Alternatively, to unsubscribe, please click on the unsubscribe link at the bottom of this email. We’ll be sorry to see you go.

        Many thanks,

        The Committee

        How often can you email these subscribers to ask them to re-subscribe? There’s no set limit, but before each reminder, move those who have already re-subscribed into the ‘Valid Consents’ mailing list, so that the people you’re emailing are only those who have not yet taken any action.

      9. Delete subscribers with no justification to continue emailing
        When you’ve emailed a few times, it’s time to say goodbye to any subscribers who have not re-subscribed, if you don’t have a valid consent or legitimate interests reason to continue emailing them. Don’t feel bad about this: these subscribers either weren’t receiving your emails or weren’t interested in what you were saying anyway, so it’s just as well that they’re no longer on your list. To delete them, go into your original mailing list and tick the box to the left of each subscriber who is still there without a justification against them. Then hit ‘Delete’.

        You can now merge your mailing lists together, since all your remaining subscribers have a justification against them: move them all back to your original mailing list. Congratulations – that’s it!

    WHAT ELSE?

    This is where the video tutorial ends. But you might still be wondering how you know that interests.me is GDPR compliant, and what else you need to know about being compliant yourself.

    How do you know that interests.me is GDPR compliant?

    We’ve already mentioned that, as a Data Controller, you are responsible for ensuring that any third party you use to process your email addresses (and that includes us!) meets the standards set out by GDPR.

    So how do you know we are GDPR compliant?

    To reassure yourself, start by reading our Data Protection & Privacy Policy. We also have a Data Security Statement, and of course there’s the Data Processing Agreement that we’ve already talked about.

    Any questions? Email us at dataprotection@interests.me and we’ll be happy to help.

    What else do you need to know about GDPR?

    You need to be able to respond to data subject access requests. We help you to do this by showing you all the information about a data subject that’s held in our system when you click on the ‘Justification’ column in your Mailing Lists.

    You’ll also need to respond to requests to delete or update Personal Data. That’s easy in interests.me: you can delete (or unsubscribe) a subscriber from any list from inside our system, or change their details.

    You’ll need to comply with your own Privacy Policy, so read it carefully. In particular, only email your subscribers about the subjects they have agreed to hear about, or for which you have a legitimate interest in emailing them. Don’t email them about something totally different that they wouldn’t expect to hear about!