The GDPR and Your Nonprofit

What you need to know to be prepared

The General Data Protection Regulation went into effect May 25, 2018, in the European Union. Before you scroll away because you think the GDPR is not relevant to you or your nonprofit, please answer a few questions:

  • Do you conduct online fundraising or online campaigns?
  • Do you sell nonprofit merchandise globally?
  • Do you have donors or constituents who have dual citizenship in the United States and the European Union?
  • Do you have digital donors who live in the European Union?
  • Do you have any personal data on an EU resident (e.g., an email address, location, birthdate, or physical address)?

If the answer to any question is yes, then the GDPR is actually relevant to your nonprofit. If the answer is “possibly” or “soon,” then you should get ahead of compliance and be sure your nonprofit is prepared. The European Union is a first mover in setting digital privacy and data standards that greatly affect international trade, e-commerce, and e-communication. Other countries are looking to the GDPR as a model to create their own digital data privacy standards.

Data protection is at the forefront of global business conversations, and your nonprofit should know about the GDPR and be prepared.

This post covers the following topics:

  • What is the GDPR?
  • What is data, as defined by the GDPR?
  • GDPR basics
  • How to comply with the GDPR
  • How CharityEngine can help with your constituent data management

This article aims to give our nonprofit partners a general understanding of the GDPR and its relevance to them. We are not offering legal guidance of any kind, and we advise all organizations to seek professional, expert legal advice in order to fully understand the GDPR.

1. What Is the GDPR?

The General Data Protection Regulation, or the GDPR, is the European Union’s new body of law designed to protect EU residents’ personal data, particularly on digital platforms.

To do this, the GDPR establishes standards of practice for data protection, transparency, record keeping, data systems, and more. Failure to comply can result in substantial fines (the higher of 4 percent of an organization’s total revenue or 20,000,000 euros).

US nonprofits that merely collect data from EU residents are also subject to the GDPR’s requirements and are exposed to its penalties.

2. What Is Data, as Defined by the GDPR?

Nonprofits that collect any data on EU residents are responsible for that data and must comply with the GDPR. The GDPR defines personal data explicitly:

The term is defined in Art. 4 (1). Personal data are any information which are related to an identified or identifiable natural person.

The data subjects are identifiable if they can be directly or indirectly identified, especially by reference to an identifier such as a name, an identification number, location data, an online identifier or one of several special characteristics which express the physical, physiological, genetic, mental, commercial, cultural or social identity of these natural persons. In practice, these also include all data which are or can be assigned to a person in any kind of way. For example, the telephone, credit card or personnel number of a person, account data, number plate, appearance, customer number or address are all personal data.

Since the definition includes “any information,” one must assume the term “personal data” should be interpreted as broadly as possible.

The definition above is taken from a GDPR guidebook published by DLA Piper, a global law firm.

The definition of “personal data” is deliberately broad. Any information you hold on an EU resident must be protected. When it comes to the GDPR, it is best to be proactive and cautious.

3. GDPR Basics

The GDPR is designed to enforce digital personal data protection with these foundational premises:

  • Build the principles of “privacy by design” and “privacy by default” into the process of developing and launching new technologies, products, services, and more.
  • Conduct routine privacy impact assessments.
  • Enforce the right to access data.
  • Uphold the right to be forgotten.
  • Instate new rules for profiling and using children’s data.
  • Notify supervisory authorities of a data breach.
  • Impose high fines for noncompliance (the higher of two options: 20,000,000 euros or 4 percent of an organization’s total revenue).

4. How to Comply with the GDPR

The premise of the GDPR is that you must protect your constituents’ data. EU residents have rights over their data, and if an organization fails to comply, the fines are high.

Here are some general steps to consider so that you can comply with the GDPR:

  1. Get consent from constituents.
  2. Notify customers, data controllers, and other required security authorities within seventy-two hours of a data breach.
  3. Give constituents the right to access all their data and to see how it is being used.
  4. Uphold your constituents’ right to be removed, deleted, or erased from all databases.
  5. Uphold your constituents’ right to take the data you hold on them and use it outside your organization.
  6. Design your organizational data systems with the proper data privacy and security requirements from the beginning.
  7. Hire a data protection officer or manager.

There are many resources available, but nothing replaces expert legal guidance when it comes to ensuring that your organization complies fully with the GDPR. Always consult legal experts to make sure your nonprofit is complying with the GDPR.

5. How CharityEngine Can Help with Your Constituent Data Management

Under the GDPR, all EU residents have the right to access their data. That means they have the right to know, to freely download, and to use all the information you hold about them, free of charge. They also have the right to know how you are using their personal data.

CharityEngine’s secure software not only tracks constituent data but can also present it in real time. Any constituent who interacts with your nonprofit through CharityEngine’s services can download a simple, straightforward PDF containing this information. CharityEngine also makes data management easy with a user-friendly dashboard and a self-service portal.

The GDPR is comprehensive and complex. It has to be, since it is the legal basis for protecting millions of people who share personal data across many digital (and nondigital) platforms in order to conduct day-to-day business. As the economy and nonprofit efforts continue to expand globally, this system is bound to become only more complicated.

If you are interested in learning more about how CharityEngine can help you manage your data, schedule a brief, convenient, free demo with us and then download a free trial. Let us show you why and how CharityEngine can help your nonprofit succeed.

Note: This article is an overview of the GDPR. It explains what the regulation is and some essential details for understanding it. Your business or nonprofit should consult legal experts and data protection officers to determine whether your organization is at risk regarding compliance with the GDPR.
