If you’re like many non-profits, associations or charities, you’re perpetually understaffed and resources are in short supply. Staying aware of regulations and laws that might impact your organization can be a challenge.
To that end, it may have recently come to your attention that there is a new European Union (EU) regulation that may apply to you: the General Data Protection Regulation, or GDPR for short. GDPR is designed to protect the personal data of individuals located in the EU, regardless of their citizenship. It takes effect on May 25, 2018, and applies to any U.S.-based organization that processes the personal data of people located in the EU, whether by offering them goods or services or by monitoring their behaviour, even if the organization has no EU office.
If your organization only has offices in the U.S., you might assume that GDPR doesn’t apply to you. But that’s not necessarily true. GDPR may affect you after all, and the consequences of not knowing can be devastating.
If you’re actively marketing in the EU or have members or donors in EU countries, GDPR definitely applies. But it may also apply if you simply hold a database of donors, volunteers or members who at one time or another expressed interest in your organization or signed up for your newsletter, and some of those people are located in the EU.
What counts as ‘personal data’ under GDPR?
GDPR defines ‘personal data’ as any information that can be used, directly or indirectly, to identify an individual, including but not limited to:
- Name
- Identification number
- Location data
- Online identifiers, such as cookie IDs
- IP addresses
Another important component of GDPR is ‘processing,’ which means any operation or set of operations performed on personal data, whether automated or not. This includes:
- Collection, recording or storage (simply keeping a donor or member list in a database counts)
- Adaptation or alteration
- Disclosure by transmission
- Dissemination or otherwise making available
- Erasure or destruction of that data
According to GDPR:
- Data should be collected on a lawful basis. Where that basis is consent, the consent must be freely given, specific, informed and unambiguous, and all users should know exactly what their data will be used for before they agree.
- Data collection and retention should be limited only to what your organization absolutely needs to know about a user.
- Your organization should be able to demonstrate that a request for consent was presented clearly and that consent was actually given, and that the data isn’t being sold, shared or used for purposes other than those it was collected for.
- Systems shouldn’t rely on outdated or years-old data for marketing purposes, and if users wish to update their data or withdraw consent, they should be able to easily do so.
- Data needs to be kept in a safe place and processed in a way that safeguards the people to whom the data belongs.
Why You Need to Comply
Keep in mind that this regulation is about protecting the privacy of individual people. Therefore, if you hold any information about anyone in an EU country, you need to comply with GDPR or risk devastating fines. The lower tier of fines is up to €10M or 2% of annual worldwide turnover, whichever is higher. For the higher tier, which covers breaches of the core principles, consent rules and data subjects’ rights, those numbers double to €20M or 4%.
The nuances of GDPR are tricky and unless you have strong IT and legal support, you may not understand all the implications and miss areas that need to be remediated. You don’t need to go through this alone, though.
FFW has established a Center of Excellence to help organizations become compliant. If you have questions or would like to learn more about our services, please contact us today.