PSA To Nonprofits: GDPR May Apply to You

By Beth Bacon, Director of Policy and Privacy, Public Interest Registry
(This article was originally published on Social Fish)

If you’ve been keeping up with the news over the past several months, then you’ve likely heard about the General Data Protection Regulation (GDPR), a data privacy regulation coming out of the European Union that goes into effect on May 25, 2018. But what you may not know is that, unlike many global policy directives, there is no exception to GDPR for nonprofit organizations. So regardless of how large or small your nonprofit is, and whether you’re based within or outside of the European Union, GDPR may impact your organization.

So what is GDPR? In short, GDPR is an EU regulation that outlines the requirements for how companies process personal data from the EU. Nonprofits working with donors, volunteers, beneficiaries, members or grantees from the EU will need to adjust the way they communicate with, market to, and collect information from these stakeholders.

While large multinational corporations are working to get up to speed on all the changes that will come with the implementation of GDPR, as a nonprofit that has grown accustomed to exceptions you may not realize that this law applies to you. Unfortunately, the cost of wrongly assuming that GDPR will not impact you could be steep. The GDPR authorizes a maximum penalty for noncompliance with its principles of up to 4 percent of an organization’s annual worldwide revenue or €20 million (whichever number is higher). While it is certainly not expected that Data Protection Authorities (DPAs) will impose the maximum penalties for every infraction, even the risk of smaller fines or reputational damage could be significant for small businesses and nonprofits.

With May just around the corner, it’s critical that you take a hard look at your nonprofit’s policies and practices to be certain whether GDPR applies to you, and if it does, to identify the best path to compliance. What follows are a few tips on how to jump-start the process.

Determine whether GDPR applies to your organization.

First things first, you must determine whether your organization will be impacted by GDPR. Even if your organization operates outside of the European Union, it’s important that you take a thorough look at your organization’s activities and data processing to determine whether they fall under the scope of the GDPR. If your organization has an establishment in Europe or directly markets to people in Europe, the GDPR could impact your work. In addition, if you have partner organizations or service providers in Europe, your organization may be bound by requirements of the GDPR. This could apply to nonprofits processing donations from Europe or even nonprofits marketing to individuals within the EU. The rules around this are nuanced and complex, so it’s essential that you work closely with your IT department and/or outside counsel to get up to speed quickly on what personal data is being collected and processed.

Bring together representatives from across your organization.

As you begin the GDPR compliance process, it’s important to bring together leaders from marketing, accounting, community relations, HR, IT, legal and more to ensure you have a clear understanding of the types of personal information you process as an organization. Additionally, if your organization qualifies as a data controller under GDPR and works with third-party vendors (e.g. cloud providers, payroll service providers, or software service providers), it’s your responsibility to ensure that the vendors who process data on your behalf are also compliant.

Audit the personal data you have access to.

The GDPR covers personal data, which includes quite a variety of information. Some of the types of data that are characterized as “personal” include individuals’ names, addresses, and ID/social security numbers; web data including location, IP addresses, cookie data and RFID tags; health, genetic, and biometric data; information related to race, ethnicity, sexual orientation and political opinions as well as photos and social media posts. It’s critical to understand the breadth of what constitutes personal information so you can conduct a full-scale audit of your data practices and determine where your organization may come into contact with this type of information.

Identify the types of activities that will be impacted.

Bringing together the right people internally and understanding the breadth of what qualifies as “personal data” will also help your organization identify the activities impacted, which could include (but are not limited to): organizing volunteers, partnerships with other organizations (e.g. potential information sharing, ensuring partners’ compliance), marketing practices, purchasing donor lists, email and contact information collection, data management and legal contracts. Once these activities are identified it’s time to work towards creating new policies and processes that appropriately protect EU personal data.

Update processes to comply with new rules.

The GDPR provides several mechanisms for continuing to process EU personal data (e.g. consent, legitimate interests, adequacy, etc.), but not all are applicable to every organization, so you will have to evaluate which mechanism best applies to yours. Beyond collecting and storing data in a GDPR-compliant way, organizations also have a responsibility to provide a “reasonable” level of data security. Security without privacy is possible, but appropriate privacy protections can’t be achieved without appropriate security. In addition to getting your security practices and privacy policies updated and in place, you should consider how your organization will address other GDPR requirements such as the enumerated data subject rights and the 72-hour data breach reporting requirement.

Ask for outside help if you need it.

If you are a small nonprofit, or a nonprofit without sufficient resources to handle a compliance process this complex, you should not hesitate to seek outside counsel for guidance and to ensure you are meeting requirements ahead of the May 25 deadline.

Act now.

Our final recommendation is simply to act fast. May 25th is quickly approaching, and if you have yet to begin the compliance process or are only just beginning, it’s important to make this a top organizational priority. The process can be lengthy and the rules can be difficult to interpret, so you should not delay in bringing together experts and launching a thorough look into your data management and processing practices. Determine the areas and issues that could represent the highest risk to your organization and develop a plan to remediate those issues, as well as a plan to address the remaining lower-risk issues. The cost of noncompliance is not only monetary but reputational. As a nonprofit organization, you should be ready to demonstrate that you are implementing policies and practices that prioritize the privacy and security of your donors, beneficiaries, and volunteers, and becoming GDPR-compliant is a good place to start.

Remember, while many of the GDPR requirements can be intimidating and nuanced, they allow for the use of best practices and are aimed at having organizations thoroughly self-assess to identify their specific compliance needs. Making the best and most informed effort possible for your organization is the priority.

For more information on GDPR compliance please visit the European Commission’s Data Protection webpage or the International Association of Privacy Professionals.