
6 Recommendations to Ensure Your Nonprofit is CASL and GDPR Compliant


By: Antoine Bonicalzi, Marketing Director at Cyberimpact

Many articles have been written about the impact of the GDPR (General Data Protection Regulation - the new European privacy law) and CASL (Canada’s Anti-Spam Legislation) on nonprofit organizations and how they operate.

But most of those articles are pretty technical and you need to be an expert on legal matters to truly understand all the subtleties. Not to mention that many articles contradict each other! Going down the GDPR/CASL rabbit hole requires a lot of coffee, and even aspirin for the headaches! Luckily, I’ve done it for you.

So here are 6 recommendations that will help you be in compliance with the GDPR and CASL, all in simple English with none of the legal jargon.

1. Always tell people why you are asking for personal data and what you are going to do with it

Personal data is any information that can help identify an individual: anything from a job title to a postal address or an email address.

You're obviously asking for contact information on a bunch of different forms, like donation forms, event registrations and newsletter subscriptions. Whether it is online or on paper, state precisely what your organization is going to use the information for.

For example, on a donation form, you would add a mention such as “Your postal address will be used to send you a donation receipt.”

2. Only ask for the personal data that you really need

The GDPR advocates a concept called “Privacy by Design.” Basically, it means that your organization has to always think about what’s the safest thing to do in order to protect personal privacy. The simplest way to be safe with personal data is to handle as little of it as possible.

So make your forms as short as they can be while still being effective.

3. Always get consent before sending out mass email

Both CASL and GDPR talk about consent, but in a different way. With CASL, you have to have prior consent before you send a commercial electronic message to someone. With GDPR, you have to have clear consent before you collect personal data.

In either case, you should have consent before you add someone to an email list and send them newsletters or other promotional emails. So make sure that subscription forms explicitly ask people if they want to receive emails from you and that people have to perform an action to give consent. For example, ticking a checkbox next to a mention such as “I want to receive news and invitations from organization X.”

Yes, there is an exception in CASL that states that electronic messages that ask for donations to a charity are exempt from the law. But as soon as the message (or a part of the message) can be considered of commercial nature, CASL applies. What’s commercial and what’s not? It’s a grey area. What’s certain is that if an email promotes the sale of tickets to an event, or contains ads from sponsors, it is a commercial email. I believe it’s hard for organizations to have different processes for different types of emails. Mistakes can be made. So, for simplicity’s sake, only send mass emails to people who have given you consent.

4. Use a CASL and GDPR compliant email marketing platform

A professional email marketing solution will take care of a lot of things for you: subscription forms, unsubscribe links, list management, etc. But make sure that the solution you use allows you to be both CASL and GDPR compliant. Ask them about it!

If most of your contacts are in Canada and some of them are in Europe, then consider a solution that has its servers in Canada. This is ideal for your deliverability within Canada and, good news for us all, Canada is among the countries allowed by the GDPR for personal data storage.

5. Use a centralized CRM

The GDPR requires organizations to have a much better handle on the personal data they collect and how they use it. That’s why I recommend that you use one central customer relationship management (CRM) system and that individual emails be sent through the CRM.

If someone asks not to be contacted anymore by your organization and then an employee unwittingly sends that person a 1-to-1 email, this is obviously not good. This situation will not happen if everyone in the organization uses the same centralized system.

6. Tell people how they can see, modify or ask for deletion of their personal data

The GDPR states that people should be able to:

  • review the personal information you have on them;
  • modify this information or ask for its modification;
  • request deletion of their personal information.

Again, if you use a professional email marketing platform as well as a centralized CRM, these things will be a lot easier.

In all of your communications, tell people how they can review their personal data. It can be as simple as adding a line like this at the bottom of an email: “To review your personal information at organization x, you can request a copy by replying to this email.”

Hopefully these 6 recommendations help you on your journey to become GDPR and CASL compliant and also help you have some clarity about topics that can get complicated.

Good luck!

About the author

Antoine Bonicalzi has been involved in digital marketing since 2009. Occupying key roles in several agencies, he has helped hundreds of small businesses succeed with digital marketing. Today, as the Marketing Director for Cyberimpact, a Canadian email marketing platform, Antoine has the responsibility of growing its user base across the country. His role involves communicating the secrets of email marketing to Canadian businesses and organizations through articles, training workshops and seminars.