What is GDPR?
The General Data Protection Regulation (GDPR) is a European Union privacy law. It strengthens the individual's right to control their own personal data. Organizations that obtain, use, store, and process personal data must have a lawful basis for doing so, such as the individual's explicit consent, and must be transparent about how they use the data.
The Data Protection Principles of the GDPR include requirements such as:
- An individual's personal data must be processed lawfully, fairly, and in a transparent way, and only in ways the individual would reasonably expect.
- Personal data should only be collected for a specified purpose and should only be used for that purpose. Organizations must state why they need the personal data at the time it is collected.
- Personal data should be held no longer than necessary to fulfill its purpose.
What is personal data?
For our users, the personal data most commonly collected from donors and fundraisers is:
- Email address
- Postal address
Other personal data that you may collect inside and outside of CauseVox could include an individual’s occupation, donation history, and demographic information.
Will it affect me?
GDPR affects any organization that collects personal data from individuals in the European Union (EU) for any purpose, regardless of where the organization itself is located.
This means that if you have a clear focus on the EU, for example if you target EU donors or fundraisers, accept donations from the EU, or operate in the EU, then you are most likely subject to GDPR. Specifically, on CauseVox, your EU donor data and fundraiser data will need to be handled according to the rules of GDPR.
What we’re doing with GDPR
We’re committed to data privacy and GDPR compliance. Here’s what we’re doing:
Data audit and inventory
We’ve taken inventory of how we collect data on our users at CauseVox as well as how we collect data on behalf of our users from their donors and fundraisers. From this inventory, we validated our legal basis for collecting, organizing, processing, and storing personal data.
An audit of the security and privacy safeguards has been conducted across our product infrastructure and our business processes.
For all of our users, the data that we collect on your behalf has always been fully portable. Anything that we collect on your donors and fundraisers is available for self-service export from CauseVox. As with our existing business processes, if any data needs to be deleted or corrected, you can contact firstname.lastname@example.org to initiate a data request.
As a user, you are also able to review and modify your own personal data from the Profile section of your account. You can delete your account either by cancelling CauseVox from within your account or by requesting a deletion from email@example.com.
Data Processing Addendum
EU-US Privacy Shield
We've applied for certification under the EU-US Privacy Shield framework. This demonstrates our commitment to data privacy across borders. Due to an increased volume of applications, we are in the queue for approval.
Review of 3rd party vendor contracts
Where applicable, we are reviewing our own vendors and their compliance with GDPR.
Data Protection Officer Appointment
We've appointed a Data Protection Officer who works across teams to ensure data privacy, security, and GDPR compliance.
Data Breach and Incident Response
We conduct security penetration testing on a regular basis and have worked to enhance the security and performance of our infrastructure. We've reviewed our business processes and operating procedures for handling data breaches, including our incident response communications process.