You’ve probably already heard some news (or gotten dozens of emails from companies “Updating their Terms of Service”) about the new General Data Protection Regulation (GDPR) coming out of the European Union.

If you work for a school or school district, you might be asking yourself what all the hullabaloo means for you and your organization. I mean, you’re just talking to parents, staff and the community… right?

Below, we’ve broken the main points down for you to review. Please know that we are not providing legal advice. We’re simply providing information for you to consider.

What is GDPR?

The regulation states that any organization that handles the personal information of a European Union citizen must ask for explicit consent to send them information. For email (and other forms of direct communication), this means that implied consent no longer applies to EU citizens, even when they provide information to non-EU organizations.

Is GDPR retroactive?

Yes. GDPR does affect how you can handle the information of EU residents who are already on your contact list. Some organizations have sent opt-in emails to their entire list asking for explicit consent to continue sending information to their recipients. Others are choosing to do nothing.

What do you need to do?

The first thing we recommend is updating your privacy policy to reflect compliance with GDPR. We also recommend you update any signup forms or data collection forms, both physical and online, to ask for explicit consent to send a recipient information. Ask them directly if you can send them information, and state the kinds of information they can expect to receive and how frequently they can expect to receive it. This might be the most relevant of the steps you should consider taking.

What should you do about EU citizens already on your list?

This is trickier to answer. First off, it can be difficult to identify EU citizens if you don’t already have that information. You might consider sending an opt-in email to all your recipients. If you do choose to do that, know this: a large percentage of your recipients will either ignore or miss that email, and you’ll be forced to remove them from your list. Whether or not you want to do that is up to you. Again, we are not offering legal advice.

However, we believe that it’s unlikely most school districts in the US have an abundance of (if any) EU contacts. We also believe that if you’ve been following proper anti-spam best practices, it’s unlikely that the few EU contacts who may be on your list, who have been receiving information from you, will file a formal complaint against your organization. If you are concerned about the legal consequences of GDPR, we still strongly recommend consulting with your own legal counsel.
