This blog post is for informational purposes only and is not intended to act as legal advice. Please consult with legal counsel to determine how GDPR may impact your business.
By now, you’ve probably heard about the European Union’s new set of privacy laws called the General Data Protection Regulation (GDPR). As the deadline for compliance draws near, there may be actions your organization needs to take. Read on to find out how the GDPR may affect nonprofits.
What Is the GDPR?
The GDPR is a privacy regulation of the European Union (EU) which will go into effect on May 25, 2018. The legislation was created to put stronger protections on the personal data of EU citizens and to require that all businesses that control or process personal data of EU citizens are doing so in a secure and transparent way.
Arguably, the most important fact to remember is that the regulations apply to non-EU businesses and nonprofits just the same. All organizations that have collected personal data of EU citizens (as defined in GDPR)—whether they are employees, donors, volunteers, or beneficiaries—are affected and will be responsible for GDPR compliance.
There are significant penalties for noncompliance, including but not limited to a fine of up to four percent of an organization’s global revenue. Additionally, as data protection continues to be a major concern for the nonprofit industry, your organization could face public backlash for noncompliance resulting in a loss of support from partners, donors, and members.
GDPR Compliance for Nonprofits
According to the Information Commissioner’s Office (ICO), nonprofits can be “data controllers” and “data processors” (depending on the situation) and thus subject to GDPR compliance in several ways, which may include:
- As an employer processing data of volunteers, trustees, and employees
- As a provider of services to beneficiaries
- As a fundraising or campaigning organization
Similarly, individual fundraisers also need to be educated on GDPR since they could be acting as data controllers if they collect supporter data while fundraising on behalf of a nonprofit. If you have a current or upcoming peer-to-peer campaign, it’s your responsibility to inform fundraisers and ensure their processes are compliant, as well.
How Does This Affect My Nonprofit?
In order for your nonprofit to be compliant, you must be transparent and meticulous when it comes to the collection and processing of personal data. This applies to the data of employees, volunteers, donors, supporters—anyone from whom your nonprofit collects personal data. Organizations must have a written policy and procedure for how they handle personal data and abide by the privacy principles.
The legislation also requires compliance with the eight data protection principles listed below, which the GDPR provides as rights for individuals:
- The right to be informed about the collection and use of personal data
- The right of access to their personal data and supplementary information
- The right to rectification of inaccurate personal data or completion of incomplete data
- The right to erasure of personal data
- The right to restrict processing, which allows an organization to store data but not use it
- The right to data portability, which allows individuals to safely and securely obtain and reuse their own data for their own purposes
- The right to object to processing based on legitimate interests, direct marketing, and for purposes of research
- Rights in relation to automated decision-making and profiling
How Does My Nonprofit Become Compliant?
Nonprofits are still allowed to use marketing tactics to promote, fundraise, and engage with donors, but the data processing must be done according to the six lawful bases outlined by GDPR legislation.
The following list is taken from the GDPR and Charitable Fundraising Introduction guide; as written there, the six lawful bases are:
- Consent: You can show that an individual has performed a clear affirmative action (such as saying “yes” to a question or ticking an opt-in box) to allow you to process their personal data for a specific purpose. Pre-checked boxes don’t constitute consent.
- Contract: The processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- Legal obligation: The processing is necessary for you to comply with the law (not including contractual obligations).
- Vital interests: The processing is necessary to protect someone’s life.
- Public task: The processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Legitimate interests: The processing is necessary for your legitimate interests or the legitimate interests of a third party unless the interests or rights and freedoms of the individual override those interests (this cannot apply if you are a public authority processing data to perform your official tasks).
The ICO lists the following data protection tips for small to mid-sized nonprofits:
- Tell people what you are doing with their data. One of the most important principles of GDPR is that organizations are open and honest about how data will be used.
- Train all staff, members, and volunteers on data protection and how to store and handle all personal data.
- Use strong passwords to help keep information secure.
- Encrypt all portable devices that hold personal information.
- Establish retention periods and only retain personal information for as long as necessary.
Remember that these tips are simply a jumping-off point to prepare your team for the processes and regulations that will be added to your organization’s data processing. For more information, read through these additional resources on how this change will impact your organization and what your next steps should be.
- GDPR: A Guide for Charities (created by the Charity Finance Group)
- GDPR and Charitable Fundraising Introduction (created by the Institute of Fundraising and the Fundraising Regulator, and reviewed by the ICO)
- Preparing for the GDPR, 12 Steps to Take Now (created by the ICO)
- Self-Assessment Checklist (created by the ICO)
Classy and the GDPR
Here at Classy, we’re relentless in our dedication to the privacy and security of our customers’ data, and our team is fully committed to GDPR compliance.