John:
Thanks for the kind words--i can't claim to have a "gooder" understanding of the law than anyone else but I try my best.
A couple points I would make:
1. I wouldn't go so far to say as opt-in from your alumni/donors is the only exemption--the Legitimate Interest rule is extremely important, seeing as it allows an institution which has been sent a gift to be able to send a thank-you letter and where appropriate a gift receipt in return regardless of whether the donor has opted in--but for most purposes you're safest with getting opt-in. For a lot of purposes, it's the only way to be safe.
2. If anyone knows how Brexit is going to end, buy a lottery ticket now! But we do have an idea about what will happen to GDPR when (if???) the UK leaves the EU. The UK Information Commissioner's Office has said that they're going to operate under the impression that the UK is going to adopt data protection laws that are substantially the same as the current GDPR. It remains to be seen whether a future UK government will pass a similar law or tinker with it. Here I have to put in a shameless plug for my blog posts on GDPR at
www.staupell.com/blog, where I discuss the UK situation and other GDPR issues further.
In short I'd say the best thing to do is get as many opt-ins from your alumni as possible (as I mentioned, asking for opt-in is not itself a violation as far as I know...check with your attorney). And as Issac rightly said in this thread I would hesitate to let a third party handle the addresses and mailing as that can lead to all kinds of GDPR and non-GDPR issues. I would send the letters from your institution on behalf of your alumnus rather than the other way around.
Thanks,
Greg
Get Outlook for Android<https://aka.ms/ghei36>
________________________________
From: Advancement Services Discussion List <
FUNDSVCS@LISTSERV.FUNDSVCS.ORG> on behalf of John Taylor <
johntaylorconsulting@GMAIL.COM>
Sent: Tuesday, August 20, 2019 1:13:47 PM
To:
FUNDSVCS@LISTSERV.FUNDSVCS.ORG <
FUNDSVCS@LISTSERV.FUNDSVCS.ORG>
Subject: Re: [FUNDSVCS] [External] [FUNDSVCS] GDPR experience
Greg took the words out of my mouth - and very much more gooder :-).
I also am not a lawyer.
This topic will be discussed extensively during the Ethics Panel I am leading at aasp Summit. But Greg hit the nail on the head. The only real exemption is when the alumni tell you it is okay.
Two other little sidebars - one you have already figured out. Many think GDPR applies only to the UK - it does, in fact, cover the entire EU. I do wonder (and have not researched) what happens if Brexit happens.
The other thing worth mentioning is that GDPR applies to all EU citizens. There is some debate regarding EU citizens who reside outside the EU. And the EU GDPR.org website also uses the term "subjects." One item we will discuss at Summit is what happens to a citizen of the EU who moves to the US - but retains their citizenship back in the EU.
John
John H. Taylor
Principal
John H. Taylor Consulting, LLC
2604 Sevier St.
Durham, NC 27705
johntaylorconsulting@gmail.com<mailto:
johntaylorconsulting@gmail.com>
919.816.5903 (cell/text)
Serving the Advancement Community Since 1987
On Tue, Aug 20, 2019 at 3:59 PM Gregory Duke <
greg@staupell.com<mailto:
greg@staupell.com>> wrote:
Josh,
I must state up front that I am not an attorney, but I'm hesitant to say that a person which sends out invitations on behalf of an educational institution is exempt from GDPR legislation. Article 4(18) of the Regulation states that individuals are exempt from GDPR rules only if they are conducting exclusively personal or household activity. In other words, individuals are exempt if they're sending out invitations to a personal party or wedding, but not if they're sending invitations on behalf of a company or non-profit organization.
I think there might have a better case with the "Legitimate Interest" exemption to contacting your alumni. Recital 47 of the GDPR commission allows for such contact presuming that a person holds a "relevant and appropriate relationship" with an organization. I would stress here that this exemption specifically does not apply to "direct marketing" or presumably fundraising (this is clarified in Recital 70). It also allows for organizations to allow contact with individuals holding a "relevant and appropriate relationship" for the purposes of asking them to opt-in to receive further communications from the organization--I know that has been a point of concern for a number of US and Canadian organizations post-GDPR.
Again, I'm not an attorney, but I've been following and working with EU data protection laws for the past 20 years. If anything I've gotten to know how complex the legislation really is (the fact that the EU has had to issue over 70 official clarifications of the law is testament to that complexity!) And I agree with Josh that before you send anything to the EU or to EU citizens that you work with an attorney first.
Thanks,
Greg
Gregory Duke, D.Phil, bCRE-PRO
Staupell Analytics
greg@staupell.com<mailto:
greg@staupell.com>
http://www.staupell.com<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.staupell.com&d=DwMFaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=984RMR36hPmikF7s6oK6Uepf5oMP3Utjjovi7kvUZbE&m=4iYD7kVqeqc6GlBAa9j-BU6Y3g7pIwQy40tAoBMxxQE&s=_FqeGEXRiIRl29EILrM0DsNUEFGM1ClIJl3-MpRPEVA&e=>
Ph. (716) 946-1870
Twitter: GregoryEDuke
[cid:16cb0a1b728bfc19a7d1]
________________________________
From: Advancement Services Discussion List <
FUNDSVCS@LISTSERV.FUNDSVCS.ORG<mailto:
FUNDSVCS@LISTSERV.FUNDSVCS.ORG>> on behalf of Greenbaum, Josh S <
JGREE2@EMORY.EDU<mailto:
JGREE2@EMORY.EDU>>
Sent: Tuesday, August 20, 2019 3:38 PM
To:
FUNDSVCS@LISTSERV.FUNDSVCS.ORG<mailto:
FUNDSVCS@LISTSERV.FUNDSVCS.ORG> <
FUNDSVCS@LISTSERV.FUNDSVCS.ORG<mailto:
FUNDSVCS@LISTSERV.FUNDSVCS.ORG>>
Subject: Re: [FUNDSVCS] [External] [FUNDSVCS] GDPR experience
Hey Amy,
I posed this very question to our counsel when GDPR went into effect. Essentially the answer was if it is done under the official auspices of the institution, you’re not supposed to do it. However if the alum wants to do it more independently, they an do so. As always, check with your counsel.
-jsg
_____________________
Joshua S. Greenbaum 09B, Executive Director
Advancement Information Services
Emory University, Advancement & Alumni Engagement
1762 Clifton Road, Office 1456, Atlanta, GA 30322
Office: (404) 712-2020, Fax: (404) 727-4876
josh.greenbaum@emory.edu<mailto:
josh.greenbaum@emory.edu>
This email (including any attachments) and/or report is proprietary and confidential information belonging to Emory University and should be shared or discussed with, or disseminated to, only those Emory University personnel, contractors, consultants, or volunteers who are authorized to have access to the information for Emory University business. Any data in this email (including any attachments) and/or report should be handled in accordance with Advancement & Alumni Engagement’s Policy on Reporting.
From: Advancement Services Discussion List <
FUNDSVCS@LISTSERV.FUNDSVCS.ORG<mailto:
FUNDSVCS@LISTSERV.FUNDSVCS.ORG>> On Behalf Of Amy Heller
Sent: Tuesday, August 20, 2019 3:25 PM
To:
FUNDSVCS@LISTSERV.FUNDSVCS.ORG<mailto:
FUNDSVCS@LISTSERV.FUNDSVCS.ORG>
Subject: [External] [FUNDSVCS] GDPR experience
Hello,
We have a GDPR-related issue and would like to see if any other schools have experienced something similar. The University of Montana has 76 alumni whose last known address is in France. One of those alums would like to organize an alumni gathering in France and would like to communicate with the other 75. Given the GDPR regulations, the Alumni Association isn’t sure how to respond to the request. Has anyone else had a similar situation and if so how did you handle it?
Thank you for your help!
Amy
Amy Heller
Director of CRM Data Management and Training
University of Montana Foundation
Office: 406.243.2593 | Direct: 406.243.4464
CampaignMontana.org<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.campaignmontana.org_&d=DwMFAg&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=984RMR36hPmikF7s6oK6Uepf5oMP3Utjjovi7kvUZbE&m=BLnFDg88LpFnbPWcGFitghLpLF9EF1oqkMwwZMCdkGE&s=UDQ0W1Gg5i0MYI2L0EU9UUvIn_AlnX4QC9YaZUueI5o&e=> | Think Big. Be Bold.
The UM Foundation inspires philanthropic support to enhance excellence and opportunity at the University of Montana.
CONFIDENTIALITY: This e-mail (including any attachments) may contain confidential, proprietary and privileged information, and unauthorized disclosure or use is prohibited. If you received this e-mail in error, please notify the sender and delete this e-mail from your system. Thank you.
________________________________
This e-mail message (including any attachments) is for the sole use of
the intended recipient(s) and may contain confidential and privileged
information. If the reader of this message is not the intended
recipient, you are hereby notified that any dissemination, distribution
or copying of this message (including any attachments) is strictly
prohibited.
If you have received this message in error, please contact
the sender by reply e-mail message and destroy all copies of the
original message (including attachments).