GlobalGiving’s Chief Product Officer explains how the EU’s landmark data privacy legislation could impact operations at your nonprofit.
Is your nonprofit ready for the General Data Protection Regulation (GDPR)? It goes into effect on May 25, 2018.
This new European Union regulation applies to any organization that processes and handles data about EU citizens, even if the organization is based outside of the EU. This means that if you have donors in the EU or your website has visitors from the EU, then you should be aware of this important regulation.
*Here are six important facts every nonprofit leader needs to know about GDPR:
1. GDPR applies when you have data that can identify an individual human.
GDPR aims to ensure citizen privacy through far-reaching regulations on all individually identifiable data. This means GDPR is in effect whenever you have data that can uniquely identify an individual, such as name, email address, postal address, or IP address. This definition is broader than past privacy laws, and it may impact data that previously was not subject to regulations. GDPR applies to all data about EU citizens. While it’s tempting to think you only need to apply these changes to EU donors, the EU Parliament anticipated this approach and the legislation notes that “incorrect classification can lead to penalties.” As a result, many nonprofit organizations are considering a global approach.
2. GDPR establishes new basic rights for individuals.
Individuals have a number of additional rights, explained in the table below, that are granted to them under GDPR.
Right to be forgotten:
An individual may request that an organization delete all data on that individual without undue delay.
Right to object:
An individual may prohibit certain data uses by easily being able to opt-in and opt-out of activities.
Right to rectification:
Individuals may request that incomplete data be completed or that incorrect data be corrected.
Right to action:
Individuals have the right to know what data about them is being processed and how.
Right of portability:
Individuals may request that personal data held by one organization be transported to another.
You will need to review how your organization handles and processes data and develop procedures to ensure that you can comply with these rights. For instance, if a donor writes to you asking for a copy of all of the data that you have on them, can you provide it easily? What if they ask to erase all data of them from your systems? New tools and procedures may need to be built depending on how your existing processes are configured.
3. You need to have a lawful basis for processing information.
In order to process individual data under GDPR, your organization must have a lawful basis to do so. GDPR defines six lawful processing reasons but when fundraising, there are likely only two that apply: consent and legitimate interest. (The other four relate to complying with court orders, contractual obligations, protecting vital interests of a living person, or for the public interest.) Below, are each of the most likely reasons for nonprofits to process information:
Consent is one of the fundamental aspects of the GDPR, and organizations must ensure that consent is obtained in accordance with the GDPR’s strict new requirements. You need to obtain consent from users and contacts for each use of their personal data (unless you can rely on a separate legal basis). The surest route to compliance with GDPR is to obtain explicit consent from an individual to give you permission to process their data. Keep in mind that GDPR makes some specific requirements around consent:
- Consent must be specific to distinct purposes. You cannot rely on a “I agree to the Terms and Conditions” as a general catchall. Each distinct purpose and usage has to get specific and separate consent from the user. Silence, pre-ticked boxes, or inactivity does not constitute consent. Data subjects must explicitly opt-in to the storage, use, and management of their personal data.
- Separate consent must be obtained for different processing activities, which means you must be clear about how the data will be used when you obtain consent. You cannot change the purpose of the consent after the fact, but you can ask for new consent.
Legitimate interest is defined as a common sense expectation for processing the data that aligns with both the interests of the organization, as well as the interests of the individual. The interests and rights of the individual trump those of the organization, and as such, this is the weakest legal basis that can be used. GDPR much prefers and recommends using consent. Still, there are legitimate uses for relying on legitimate interest.
For example, when processing a donation, if the user fills in their credit card and clicks a button to “complete donation,” there’s a legitimate interest for passing their credit card information to the bank to handle the charge, to record the transaction in a database, to run fraud prevention checks, and to email a receipt to confirm the transaction. The donor would not expect to have to opt-in to each of those uses separately and would reasonably assume that you would need to process their data in this manner. Legitimate interest, however, would not be a basis for you to add the same donor to your newsletter or marketing emails. For that, you should consider getting opt-in consent.
In short, GDPR is all about making it clear to citizens how their data is being used and to give them an opportunity to opt-in or out of said processing at any time.
4. There are limitations for transferring information from an EU citizen outside of the EU.
The GDPR limits your ability to transfer personal data outside the EU.
If you are based outside of the EU, you should check to see if your country is on the list of approved EU destinations that provide an adequate level of protection.
If not, you may need to take additional measures to ensure that there is a sufficient level of protection for data and may need to ask the user for permission to transfer their data outside of the EU. If you are in the United States, you may want to explore obtaining EU-US Privacy Shield certification.
5. You should conduct a privacy and security audit.
Due to the scope of the regulation, you should conduct a privacy and security audit. If you don’t already have a security policy in place to protect your data, you should establish one. If you already have a policy, you should review it and ensure that it also covers any additional aspects or gaps around data privacy.
6. GlobalGiving began GDPR preparations in the fall of 2017.
*This article is provided as a resource, but does not constitute legal advice. We encourage you to speak to a legal practitioner in your area to learn how the GDPR may affect your organization.
Featured Photo: Help Older People Learn Basic IT Skills by Age Action Ireland