GlobalGiving’s Chief Product Officer explains how the EU’s landmark data privacy legislation could impact operations at your nonprofit.
Is your nonprofit ready for the General Data Protection Regulation (GDPR)? It goes into effect on May 25, 2018.
This new European Union regulation applies to any organization that processes and handles data about EU citizens, even if the organization is based outside of the EU. This means that if you have donors in the EU or your website has visitors from the EU, then you should be aware of this important regulation.
*Here are six important facts every nonprofit leader needs to know about GDPR:
GDPR aims to ensure citizen privacy through far-reaching regulations on all individually identifiable data. This means GDPR is in effect whenever you have data that can uniquely identify an individual, such as name, email address, postal address, or IP address. This definition is broader than past privacy laws, and it may impact data that previously was not subject to regulations. GDPR applies to all data about EU citizens. While it’s tempting to think you only need to apply these changes to EU donors, the EU Parliament anticipated this approach and the legislation notes that “incorrect classification can lead to penalties.” As a result, many nonprofit organizations are considering a global approach.
GDPR grants individuals a number of additional rights, listed in the table below.
Right to be forgotten:
Right to object:
Right to rectification:
Right to action:
Right of portability:
You will need to review how your organization handles and processes data and develop procedures to ensure that you can comply with these rights. For instance, if a donor writes to you asking for a copy of all of the data that you hold about them, can you provide it easily? What if they ask you to erase all data about them from your systems? Depending on how your existing processes are configured, new tools and procedures may need to be built.
In order to process individual data under GDPR, your organization must have a lawful basis to do so. GDPR defines six lawful bases for processing, but when fundraising, there are likely only two that apply: consent and legitimate interest. (The other four relate to complying with court orders, contractual obligations, protecting the vital interests of a living person, or the public interest.) Below are the two bases most likely to apply to nonprofits:
Consent is one of the fundamental aspects of the GDPR, and organizations must ensure that consent is obtained in accordance with the GDPR’s strict new requirements. You need to obtain consent from users and contacts for each use of their personal data (unless you can rely on a separate legal basis). The surest route to compliance with GDPR is to obtain explicit consent from an individual to give you permission to process their data. Keep in mind that GDPR makes some specific requirements around consent:
Legitimate interest is defined as a common sense expectation for processing the data that aligns with both the interests of the organization, as well as the interests of the individual. The interests and rights of the individual trump those of the organization, and as such, this is the weakest legal basis that can be used. GDPR much prefers and recommends using consent. Still, there are legitimate uses for relying on legitimate interest.
For example, when processing a donation, if the user fills in their credit card and clicks a button to “complete donation,” there’s a legitimate interest for passing their credit card information to the bank to handle the charge, to record the transaction in a database, to run fraud prevention checks, and to email a receipt to confirm the transaction. The donor would not expect to have to opt-in to each of those uses separately and would reasonably assume that you would need to process their data in this manner. Legitimate interest, however, would not be a basis for you to add the same donor to your newsletter or marketing emails. For that, you should consider getting opt-in consent.
In short, GDPR is all about making it clear to citizens how their data is being used and giving them an opportunity to opt in to, or out of, that processing at any time.
The GDPR limits your ability to transfer personal data outside the EU.
If you are based outside of the EU, you should check to see if your country is on the list of approved EU destinations that provide an adequate level of protection.
If not, you may need to take additional measures to ensure that there is a sufficient level of protection for data and may need to ask the user for permission to transfer their data outside of the EU. If you are in the United States, you may want to explore obtaining EU-US Privacy Shield certification.
Due to the scope of the regulation, you should conduct a privacy and security audit. If you don’t already have a security policy in place to protect your data, you should establish one. If you already have a policy, you should review it and ensure that it also covers any additional aspects or gaps around data privacy.
*This article is provided as a resource, but does not constitute legal advice. We encourage you to speak to a legal practitioner in your area to learn how the GDPR may affect your organization.