RKD GroupThinkers Blog

What U.S. nonprofits need to know about GDPR

Written by Justin McCord | May 22, 2018 4:16:32 PM

The General Data Protection Regulation (GDPR) is a single EU regulation, applied directly in all 28 European Union (EU) member states, that governs how personal data is collected, controlled and processed.

It also strengthens individuals' control over their personal data by giving data subjects in the EU enforceable rights over how that data is used.

The GDPR defines ‘personal data’ broadly (Article 4(1)): any information relating to an identified or identifiable natural person, the ‘data subject’, where identification may be direct or indirect. In practice that covers a name, a photo, an email address, bank details, posts on social networking sites, medical information and online identifiers such as a computer's IP address.

The GDPR was approved by the EU Parliament in April 2016 and, after a twenty-four-month transition period, takes effect on May 25, 2018.

What does the GDPR mean for U.S.-based nonprofits?

The GDPR imposes strict new standards on companies, government agencies, nonprofits and other organizations. Regardless of where it is located, an organization that offers goods or services to individuals in the EU, or that collects and analyzes data about the behaviour of individuals in the EU, is generally subject to the GDPR (Article 3).

The GDPR covers postal mail, email and interest-based advertising. Its provisions govern explicit consent, how long you may keep data such as transaction and donor history, how you target, and how you detect, handle and report data breaches.

Many U.S. organizations do not operate or do business in the EU and do not process information about individuals in the EU. For these organizations, the GDPR will not have an immediate impact.

However, many nonprofits do not know whether they are collecting data from individuals in the EU, for example through a donation form or website analytics that anyone in the world can reach.

Every nonprofit is different, and the GDPR takes a risk-based approach to data protection. Whether or not you mail to the EU, U.S.-based nonprofits should use this as an opportunity to improve their data-handling practices now, not least because GDPR fines can reach €20 million or 4% of an organization's worldwide annual turnover, whichever is greater.

What do nonprofits need to do now?

1) Perform a risk assessment:

  • The GDPR has no blanket exclusion for small organizations: its applicability turns on whether you offer goods or services to, or monitor the behaviour of, individuals in the EU, and only some record-keeping obligations are relaxed for organizations with fewer than 250 employees (Article 30). Find out where you stand; if the GDPR applies to you, do the remaining steps in this section.

2) Look at your data:

  • Do EU IP addresses show up in your Google Analytics? Do you have donors from EU countries on your file? If you don't know, find out. Many U.S.-based nonprofits are suppressing EU constituents from their email and web programs, or purging those records altogether.

3) Document your processes:

  • You need a written record of what data you collect, where, how and why, and who you share it with. Call it a “data handling plan” (the GDPR calls it a record of processing activities).

4) Review and update your privacy policy:

  • Update your privacy policy to reflect how you collect and store data, including your terms of service, cookies and tracking. Take a cue from Google, which updated its privacy policy last week to comply with the GDPR. If you are active in digital media, there are key elements you should spell out: ask each media partner what data it collects, how it uses that data, and how to describe it in your privacy policy.

5) Update web applications to meet standards:

  • From donation forms to other web apps, if you don't ask, you won't know what data your partners' scripts capture, or which cookies they set before a visitor has agreed to anything.

6) Establish a data protection role:

  • Appoint someone in your organization as the lead for data protection. (The GDPR mandates a formal Data Protection Officer only in specific cases, Article 37, but every organization should have a named owner.) That person should understand your practices under the GDPR and how you will handle and communicate a data breach, including the 72-hour window for notifying the supervisory authority of a reportable breach (Article 33).

7) Review and revise your insurance policy:

  • Cyber attacks are a real risk, and cyber insurance can cover some of the costs of an incident. Make sure you know how your organization handles cyber security and whether cyber insurance is in your best interest.

And what about the May 25, 2018 deadline?

It is a real deadline and the sooner you address any GDPR issues the better off you will be.

RKD has advised our clients to consider the following:

  1. Segment and suppress EU donors on your file who have not been active in the last 12 months
  2. Create and deploy a permission (re-consent) campaign for any EU-based constituents
  3. Implement a lightbox or modal on your website, shown to visitors whose IP address geolocates to the EU, that asks them to accept or decline your cookie policy and withholds non-essential cookies and trackers until they accept
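Item 3 is the one recommendation that is implemented in code, and the detail that matters is that the modal must be a real gate, not a banner. The following is an added example in JavaScript, not RKD's code or any vendor's, that loads non-essential trackers only after an affirmative choice, keeps them off after a declined or stale decision, and treats an unknown region as EU. It assumes a hypothetical server-side IP geolocation step that emits a `<meta name="visitor-region" content="EU">` tag, hypothetical element ids `consent-modal`, `consent-accept` and `consent-decline`, a hypothetical cookie name `cookie_consent`, and Google Analytics (gtag.js) as the only tracker; `GA_MEASUREMENT_ID` is a placeholder.

```javascript
// Added example (not RKD's code): a consent gate for non-essential cookies.
// Assumptions, all hypothetical: the server looks up the visitor's IP with its
// own geolocation source and emits <meta name="visitor-region" content="EU">
// (or "NON-EU"); the modal has buttons #consent-accept / #consent-decline;
// the only tracker is Google Analytics (gtag.js).

const CONSENT_COOKIE = 'cookie_consent'; // hypothetical name; this cookie is itself "strictly necessary"
const CONSENT_VERSION = 1;               // bump when the cookie policy changes, forcing a fresh decision

// Parse a document.cookie-style string ("a=1; b=2") into an object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of String(cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (!name) continue;
    try { out[name] = decodeURIComponent(value); } catch { out[name] = value; }
  }
  return out;
}

// Return the stored decision ('granted' | 'denied') or null when there is none,
// the record is malformed, or it was made under an older policy version.
function readConsent(cookieString) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!raw) return null;
  let rec;
  try { rec = JSON.parse(raw); } catch { return null; }
  if (!rec || rec.v !== CONSENT_VERSION) return null;
  return rec.choice === 'granted' || rec.choice === 'denied' ? rec.choice : null;
}

// Serialise a decision as a Set-Cookie-style string: one-year lifetime,
// Secure and SameSite=Lax so it is not sent over plain HTTP or on cross-site POSTs.
function consentCookieValue(choice, now = Date.now(), maxAgeSeconds = 365 * 24 * 3600) {
  const rec = JSON.stringify({ v: CONSENT_VERSION, choice, ts: now });
  return `${CONSENT_COOKIE}=${encodeURIComponent(rec)}; Max-Age=${maxAgeSeconds}; Path=/; Secure; SameSite=Lax`;
}

// Decide what this page load may do.
//   inEU: true / false from the server's geolocation, or null when unknown.
// Unknown region is treated as EU (fail closed): IP geolocation misses VPN
// users and EU residents who are travelling, so when in doubt, ask.
function decideTracking(inEU, cookieString) {
  if (inEU === false) return { showModal: false, loadTrackers: true };
  switch (readConsent(cookieString)) {
    case 'granted': return { showModal: false, loadTrackers: true };
    case 'denied':  return { showModal: false, loadTrackers: false };
    default:        return { showModal: true, loadTrackers: false }; // no valid decision yet: block and ask
  }
}

// Browser wiring; skipped under Node. The tracker script is injected only
// after a positive decision, so the modal actually gates the cookies rather
// than merely announcing them. GA_MEASUREMENT_ID is a placeholder.
function loadTracker(src) {
  const s = document.createElement('script');
  s.src = src;
  s.async = true;
  document.head.appendChild(s);
}

if (typeof document !== 'undefined') {
  const GA_SRC = 'https://www.googletagmanager.com/gtag/js?id=GA_MEASUREMENT_ID';
  const region = document.querySelector('meta[name="visitor-region"]')?.content;
  const inEU = region === 'EU' ? true : region === 'NON-EU' ? false : null;
  const decision = decideTracking(inEU, document.cookie);
  if (decision.loadTrackers) loadTracker(GA_SRC);
  if (decision.showModal) {
    const modal = document.getElementById('consent-modal');
    if (modal) modal.hidden = false;
    document.getElementById('consent-accept')?.addEventListener('click', () => {
      document.cookie = consentCookieValue('granted');
      loadTracker(GA_SRC);
      if (modal) modal.hidden = true;
    });
    document.getElementById('consent-decline')?.addEventListener('click', () => {
      document.cookie = consentCookieValue('denied');
      if (modal) modal.hidden = true;
    });
  }
}
```

Two design points go slightly beyond the page's one-line recommendation. First, the gate has three outcomes, not two: a visitor who declines is remembered and never asked on every page, and a decision recorded under an older policy version is discarded so a changed cookie policy forces a fresh choice. Second, the region check fails closed; IP geolocation is approximate, so a missing or unrecognised region shows the modal rather than silently loading trackers. The `Secure` attribute means the cookie only works on HTTPS pages, which a donation site should be on anyway.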

RKD Group is not providing legal or insurance advice in this article. We suggest you consult your attorneys and insurance provider about the GDPR soon if you have not already done so. Those who are proactive will be looked upon as leaders in data security.

Note: The above content is informative in nature and is not intended as legal advice. As a company that provides professional fundraising consulting services, we retain counsel to ensure compliance with fundraising laws in each applicable state. Questions related to the above content and GDPR regulations for U.S.-based nonprofits should be directed to counsel that is competent to address such matters.