List all the information you collect from your users
Be explicit, not general. List the specific places on your website, and elsewhere in your organization, where you collect personal information. A good practice is to describe where data is collected, followed by the information you collect. For example, “when you make a donation on our website, we collect your name and credit card information for this purpose.”
Share how you use your users’ information
“GlobalGiving uses the personal data that you provide or we obtain to process your donations, contact you regarding any questions related to your donation, mail gift cards related to your donation (if applicable), and ensure that Gift Aid can be claimed (if you are eligible). Use of this data is necessary for the performance of the contract between you and us in connection with your donation. If you do not provide the necessary data to us or our payment service provider, we will not be able to process your donation.”
Disclose with whom you share your users’ data
GDPR requires that you tell EU citizens with whom you share their information. This could be technical partners (like an email list management company), governments (for some legal reporting purposes), or any third party that may have access to the data your organization has collected.
Explain how your users can exercise their data rights
- Right to access
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
- Right to withdraw consent
- Right to lodge a complaint with the data protection authority
Be sure to say, in plain language, what users can do in order to exercise their rights. Best practices are to include links to forms, email addresses, or functions within your website.
Assure your users that you are protecting their data
Let’s talk. Forum One data privacy experts (like Kurt!) can talk through what makes the most sense for your organization’s needs.