The new EU data protection law, the General Data Protection Regulation (GDPR), comes into force on May 25th, and it brings with it an entirely new set of rules that nonprofits worldwide – not just in the European Union – will have to abide by. I’m not seeing a lot of discussion about it here in the US fundraising community* and that concerns me.
If your nonprofit has even one constituent in the European Union, this regulation is something you need to be aware of and comply with.
If this is news to you, what follows are some top-line issues to get you up to speed. At the end, I’ll point you to resources to help you get prepared.
Ignorance of the law won’t protect your organization, and penalties for violations may be steep – in the tens of millions of dollars, up to 4% of an organization’s total annual global revenue – so this is something to take seriously.
If your organization hasn’t talked to expert counsel to be prepared for GDPR compliance, there’s no time to lose at this point.
Some key things to know
It doesn’t matter that your nonprofit isn’t in the EU
The GDPR covers privacy as it relates to individuals resident in the European Union, but companies and nonprofits everywhere in the world must be in compliance. Even if your organization is based in the US or Canada, if you have any kind of constituent (an alumna, donor, student, volunteer, past or current patient) living in the EU, then your organization must be in compliance.
The data doesn’t have to be strictly private or confidential
It just needs to be able to personally identify someone. Even if you’ve only collected someone’s IP address or mobile phone number when they’ve visited your site or bought a performance ticket, that can count as “personally identifiable.”
This isn’t (primarily) a data security protocol (although that is certainly part of it).
This is about the actual data you hold on someone and what you are allowed to do with it. In order to know what you hold, you have to find out where (and what) it all is.
This means that, at colleges and universities (for example), the Admissions Office, Advancement, the Dean’s office, Marketing/Communications, Institutional Research, the athletics department, the residence halls, and anywhere else that holds data on students, alumni, parents, donors, ticketholders, and friends will need to know what they hold, where they hold it, what they’re doing with it, and how to access it.
Your nonprofit may need to hire a designated data protection officer (DPO) …
…if you process certain types or volumes of data. That DPO will need to stay up on current regulation, oversee compliance, and document and track all the places your organization keeps data (and what it consists of). If your nonprofit already has a HIPAA compliance officer, that person would be a logical choice for this added role.
You’ll be required to let EU constituents know their rights
EU residents will have the right, among other things, to control how you collect and use their data. They can ask you to tell them everything you hold on them and then tell you to delete it, known as the “Right to be Forgotten.” It’s your responsibility to communicate their rights to them, and to let them know exactly what you’re doing with their data. That may be via email communication, in a privacy policy on your website, in regular mailings, via text, or all of the above.
You’ll need to decide if you will comply following Legitimate Interest or Consent
Is processing or holding certain types of data in the legitimate interest of your organization to interact better with a constituent, or do you need to obtain their consent at the outset and regularly afterwards to hold and process that information? Whichever way you decide to follow the GDPR will impact your internal policies, how you communicate with your constituents, and when you must let them know how you intend to use the data they share (or that you find through research, surveys, etc.).
This may seem like a lot to be aware of, but honestly this is just the tip of the iceberg.
Take some first steps:
- Your organization’s leadership should confer with your nonprofit’s legal counsel about your responsibilities to abide by GDPR.
- Talk to colleagues at organizations like yours and find out what they’re doing. Organizations in the UK are in the same boat as we are and have been preparing for many months already, so if you have a colleague there, reach out to them.
- Look to professional associations and consultants to help guide you. CASE, for example, has sponsored or co-sponsored several conferences and has articles in their library on GDPR compliance.
Take advantage of the resources available for nonprofits on GDPR
These are just a few…
EUROPEAN COMMISSION
The EC has published its own webpage with information about the Regulation and data protection, with a library of white papers, guides, and further information links. You can find it here: https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en
FACTARY
The Factary’s superb compilation of GDPR resources is here: https://factary.com/gdpr-resources/ with general information about GDPR, how it relates to fundraising and prospect research, and resources on privacy impact assessments. A one-stop-shopping, well-curated selection.
AACRAO
Knowledgeable and helpful experts present in this free webinar series from the American Association of Collegiate Registrars and Admissions Officers. There are several case studies and “what if” scenarios explored:
Webinar 1 – Building Awareness of the EU’s General Data Protection Regulation (GDPR): A Discussion
Webinar 2 – GDPR: A Legal Interpretation for Higher Education
Webinar 3 – GDPR: Step-by-Step Preparation
INSTITUTE OF FUNDRAISING
The IoF has put together a series of helpful guides and events to help nonprofits prepare for when GDPR takes effect. Check them out here: https://www.institute-of-fundraising.org.uk/guidance/research/get-ready-for-gdpr/
Follow experts on LinkedIn and other social media
Adrian Beney, More Partnership
Adrian Salmon, Grenzebach Glier + Associates
Nicola Williams, The Factary (@Factary)
What other resources have you found helpful? Click ‘Leave a comment’ at the top of this article and share your tip!
*CASE has an article about GDPR coming out in the next issue of Currents. I’ll link to it here when it’s published. I searched both the AFP website and the session description for the upcoming AFP International Fundraising Conference and found no mentions.