The General Data Protection Regulation (GDPR) is coming, and your nonprofit needs to be ready. While this is a European Union law, it impacts every organization that works with people from the EU, and it does not exempt not-for-profit organizations.
If your nonprofit is involved with donors, volunteers, or other constituents from the EU, pay attention, because the GDPR goes into effect May 25, 2018.
There is no grace period for enforcement, as companies have had two years’ notice to get ready for GDPR. That means that organizations that are non-compliant after May 25th could face an immediate penalty.
What Does the GDPR Cover?
This regulation relates to how companies, including nonprofits, deal with personal data from members of the EU. Personal data includes names, addresses, identification numbers, web data, health data, demographics such as sexual orientation and ethnicity, photos, and social media posts.
The GDPR says that for individuals to have consented to share their data, they must:
• give it freely without having to share any unnecessary details,
• be informed of what is being asked and how to opt out,
• agree specifically to each instance of sharing,
• commit a positive action, i.e. saying yes rather than consenting by not taking action.
Some organizations are required to register if they keep records on personal data. People who have shared their data can request access to their data, correct errors in it, demand the data be deleted or erased, object to the processing of their data, and export their data. Under GDPR, organizations have to send out a data breach notification to authorities within 72 hours of the breach occurring.
For nonprofits, this can impact everything from recruiting volunteers and marketing efforts to collecting contact information or sharing your organization’s work on social media.
Even if you’re providing free services or products to citizens of the EU, the GDPR may impact what you do.
The penalty for non-compliance is high: up to four percent of an organization’s annual global revenue or €20 million, whichever is higher. As you already know, even a small fine can be detrimental to a nonprofit. Organizations that are non-compliant could also face legal claims from individuals whose data is breached or at risk of breach.
Getting Your Nonprofit Ready for GDPR
Your organization must determine if it is covered under the GDPR’s mandate. That means that you must analyze every participant in your operations to determine if you have any establishment in the EU. Marketing toward the EU also counts, as could partnering with organizations and providers with a presence in the EU.
All members of your nonprofit’s management should be involved in this audit, including HR, legal, and the tech department. Work with any outside vendors to ensure full compliance in that regard, too. You may need to get outside help, especially if your nonprofit is small and you do not have a lot of staff resources to spare.
When you have audited your information, you can then introduce and implement the policies, procedures, and programs that will ensure your organization remains in compliance with GDPR.
How To Comply with GDPR
Nonprofits need to move away from older data systems that retain information that cannot be stored under GDPR, and dispose of any data that was not collected under GDPR rules. Appropriate documentation of compliance, and of how data is stored, is just as important. There are specific compliance programs and content management systems that can help ensure that the technical and organizational handling of data is in good shape.
Training staff and volunteers on proper data protection is vital for compliance. Organizations may need – or wish – to employ a data protection officer. Vendor contracts should reflect adherence to GDPR.
Even if your nonprofit is not specifically affected by GDPR right now, it may be a good idea to implement these suggestions and become compliant with these regulations voluntarily. Data privacy is of increasing importance and concern to regulators worldwide, and this type of legislation could be implemented elsewhere.
Getting ready for stricter data laws now gives your organization time to thoroughly audit your information and roll out strategies that work from the start, instead of scrambling to meet requirements on a short timeline.
Data protection and regulatory compliance are complicated, especially for nonprofits working with a global base. That does not mean that it cannot be handled, however, especially with the right programs and practices in place. The time is now to get ready for stringent data handling, no matter where your nonprofit is located or the work that you do.