GDPR help for community groups
How we can help your organisation with GDPR compliance
If you already use interests.me (or even if you don’t), and if you wish to become GDPR compliant, we’ve produced a 40 minute video tutorial taking you through all the new GDPR features of our web tool, and helping you to understand how to become GDPR compliant with respect to collecting email addresses, managing mailing lists and sending email newsletters. Here it is! It’s especially for small local organisations.
GDPR stands for General Data Protection Regulation and applies to all those processing or controlling Personal Data of subjects in the EEA (European Economic Area), effective from 25th May 2018.
GDPR is relevant to you if you are already using (or wish to use) interests.me for email newsletters – i.e. if you are collecting email addresses onto a mailing list, managing your existing mailing lists using interests.me, or using interests.me to send email newsletters.
Only you are responsible for your compliance with GDPR. However, we are trying to help by providing you with features which make it easier to comply. Please note that we can only assist with your compliance as far as using our service is concerned – not with any other ways in which your organisation may use Personal Data.
As described in the video tutorial, here are the 9 Steps to GDPR Compliance (at least as far as emailing is concerned):
- Check whether you need to register with the ICO
Not every non-profit organisation processing Personal Data needs to do this. You can find out whether or not you do by completing the ICO’s simple questionnaire here. Remember, if you do collect or store email addresses, you are processing Personal Information.
Even if you find that you are exempt from registration with the ICO, this does not mean that you can ignore GDPR – it just means you don’t have to register, but you do still need to comply, so continue reading!
- Set up a Data Processing Agreement with your email newsletter provider
The Regulation requires you to have a Data Processing Agreement with any third party you use to process your email addresses. If you are using interests.me for emailing, that’s us.
As the Data Controller for your email addresses, this is your responsibility. However, we’ve made this easy for you by writing a Data Processing Agreement between us. When you log in and go to ‘Email Newsletters’ the system will prompt you to take a look and you’ll be asked if you agree to it on behalf of your organisation.
If you have any issues with agreeing to it (and we don’t believe you will, as it mostly sets expectations of us in regard to keeping your data safe), please email us on firstname.lastname@example.org and we will try to resolve your concerns.
- Allow new subscribers to sign up in a compliant way
If your mailing list is available for members of the public to sign up to, you need to do a few things:
Be very clear and transparent on what they are opting into. This means having a very clear consent statement – eg “I consent to receive email newsletters from Organisation X about topic Y”. If you send different emails about different topics (eg a Fundraising email and a Volunteering Opportunities email), you should allow your subscribers “granular consent” so that they can sign up to one mailing list but not the other.
We help you create your consent text for every public mailing list, by giving you some default text. You can change this to make it right for your organisation. Change this for your public mailing lists by going into the list, then clicking on ‘List Settings’ and ‘Change list settings’. The new consent text will appear in the signup form for that mailing list.
Record the consent wording. We ensure that whatever consent a subscriber has given when they opt in, this is recorded in our system against that subscriber, together with the date they subscribed and the list title. This ‘justification’ will follow the subscriber if you move them or copy them to another list in our system using the ‘Move’ or ‘Copy’ functions, so you never lose the audit trail for how they opted in to your list.
By the way, if you add subscribers yourself (by uploading them or copying and pasting their email addresses from some other place), you’ll now be asked to record your lawful basis (justification) for processing their Personal Data. We give you help to do this at the time, in our system. This helps make sure you are complying by keeping the required records about all new subscribers you’re adding.
Ask for a double opt-in. We also ensure that new subscribers who opt in, receive a confirmation email which they need to click on in order to add themselves to the mailing list. This is known as a “double opt-in” and is not strictly necessary for GDPR compliance, but is best practice, and helps you to prove that they have indeed given their consent.
Give them an easy way to unsubscribe. For all your subscribers, we give them an easy way to unsubscribe from your emails, in an ‘unsubscribe’ link at the bottom of every email you send. This automatically removes them from the list they were in.
- Record where you have a legitimate interest to continue emailing
If you have existing email subscribers, you need to be sure whether you can continue to email them (and process their Personal Data) or not, and you need to record your justification for continuing to email them.
If they are members of your organisation, volunteers, service users or customers, or trustees (or similar), you may not need their consent to email them. However you will need to record the lawful basis upon which you are continuing to process their personal data. “Legitimate interests” may be the most appropriate lawful basis for continuing to email these subscribers. See the ICO guidance for assessing whether you have a legitimate interest.
Here’s a slide from our video to help prompt your thinking:
When you’ve established which of your subscribers fall into this category, we suggest you create a new mailing list called ‘Legitimate Interests’, then go back to your original mailing list and tick those subscribers who apply, and simply move them to the new list.
Once they’re in the new list, you’re still not quite finished because you need to mark them with a justification in the system to continue emailing them. To do this, go to ‘List Settings’ within your new Legitimate Interests mailing list, and click on ‘Export CSV File’. As soon as it has downloaded, go to Add Subscribers, then Upload CSV File, and upload the file you’ve just downloaded.
This time, you’ll need to add a justification for each of these subscribers, so this is your chance to record ‘Legitimate interest’ in the justification box. If possible, add a bit more detail about why you have a legitimate interest (eg that they are members or volunteers); this is good to record here.
Note that if you are using legitimate interests as a justification, you need to write down your logic so that, if challenged by the ICO or a subscriber, you can justify this.
- Record where you have valid consent to continue emailing
If you don’t have a legitimate interest in emailing your subscribers, you may need to rely upon their consent as your lawful basis for processing.
If the way you got their consent in the first place was not fully GDPR-compliant, you may need to ask these subscribers again for their consent, or delete their contact details. See the ICO guidance for ensuring your consent is to the high standards required.
Here’s our summary of the things you need to consider:
If you believe you have valid consent under GDPR for some or all of your subscribers, create a new mailing list called ‘Valid Consents’, and move those subscribers across to this list. Then (just as you did with Legitimate Interests), you can download a CSV file of these subscribers and upload it again, but this time add your ‘Justification’. It might be something like ‘Consent given on paper form at Village Show 2018’.
(Please note you do not need to re-join our mailing list, but if you would like to make your consent known to us, you are welcome to do so).
For the purposes of the new GDPR (General Data Protection Regulation), effective from 25th May 2018, we have assessed that we can continue emailing you without asking for your further consent, either because the consent you originally gave us was sufficient, or because our relationship with you justifies our continued emailing on the basis of legitimate interests.
If you’d like further information about this, or to ask us about your specific case, reply to this email with your question.
As always, you can unsubscribe or opt out of receiving emails from us by clicking the ‘unsubscribe’ link below.
- Ask other subscribers to re-consent
For your other subscribers (for whom you do not consider that you have legitimate interests or valid consent to email them), you’ll need to ask them to re-consent.
In interests.me, this is just the same as re-subscribing.
The best thing to do is send them an email. Here’s our suggested text for this email, which you could title “Sign Up To Hear About Our Events and Activities”:
Hi, you’ve previously subscribed to hear about our events and activities.
However, because of new Data Protection Laws (GDPR), we need you to confirm that you still want to continue hearing from us.
To do so, please go to https://yourorganisationname.interests.me and click ‘Join’ to re-join our Mailing List.
Alternatively, to unsubscribe, please click on the unsubscribe link at the bottom of this email. We’ll be sorry to see you go.
How often can you email these subscribers to ask them to re-subscribe? There’s no limit, but make sure before you do it, that you move those who have already re-subscribed into the ‘Valid Consents’ mailing list. Then the people you’re emailing are those who have not taken any action.
- Delete subscribers with no justification to continue emailing
When you’ve emailed a few times, it’s time to say goodbye to any subscribers who have not re-subscribed, if you don’t have a valid consent or legitimate interests reason to continue emailing them. Don’t feel bad about this: these subscribers either weren’t receiving your emails or weren’t interested in what you were saying anyway, so it’s just as well that they’re no longer on your list. To delete them, go into your original mailing list and click the box to the left of the subscribers who are still there, if they have no justification against them. Then hit ‘Delete’.
You can now merge your mailing lists together, since all your remaining subscribers have a justification against them. You can move them all back to your original mailing list. Congratulations – that’s it!
This is where the video tutorial ends. But you might still be wondering how you know that interests.me is GDPR compliant, and what else you need to know about being compliant yourself.
How do you know that interests.me is GDPR compliant?
We’ve already mentioned that you are responsible (as a Data Controller) for ensuring that any third party you use to process your email addresses (that includes us!) meets the high standards set out by GDPR.
So how do you know we are GDPR compliant?
Any questions? Email us at email@example.com and we’ll be happy to help.
What else do you need to know about GDPR?
You need to be able to respond to data subject access requests. We help you to do this by giving you all the information about a data subject that’s held in our system, when you click on the ‘Justification’ column in your Mailing Lists.
You’ll also need to respond to requests to delete or update personal data. That’s easy in interests.me – you can delete (or unsubscribe) a subscriber from any list from inside our system, or change their details.