GDPR Compliance: Will GDPR Affect Your Nonprofit?
As an entity that exists for the primary benefit of shareholders, a corporation operates very differently from a nonprofit. The rules and regulations are different, and corporate and nonprofit organizations are taxed differently. Yet certain areas of the nonprofit world overlap with their corporate counterparts. Governance principles are one such area. Data protection is another important example where both types of entity need to pay strict attention, especially with a new European Union law quickly approaching its compliance deadline. Nonprofits should be planning now for when the General Data Protection Regulation (GDPR) goes fully into force on May 25, 2018.
It pays for nonprofits to keep a watchful eye on what is going on in the corporate world. Data protection is an area where nonprofit organizations can learn from listed companies about how to protect themselves. Penalties for all organizations can be steep, maxing out at 4% of the organization’s global turnover. Nonprofit organizations need to educate themselves about how GDPR could affect them, assess their risks, create a compliance plan, and put it into action within the next few months.
A Brief Overview of GDPR
GDPR was passed in April 2016. Knowing that organizations would need time to prepare for it, the EU set a transition period before the regulation becomes enforceable. The purpose of GDPR is to standardize data privacy rules across Europe.
The law protects personal data inside the EU and data that flows across EU borders, and it also applies to businesses in other countries that process the personal data of people in the EU in connection with offering them goods or services.
Examples of what GDPR treats as personal data include:
- Social Security numbers
- Email addresses
- Banking information
- Social media posts
- Medical information
- IP addresses
The Connection Between GDPR and Charities or Nonprofits
Since fundraising and marketing are the primary activities of charities and nonprofit organizations, it may seem at first glance that GDPR has no bearing on them. However, GDPR pertains to data collection itself, even when the data is not used for the purpose of rendering goods or services. Charities and nonprofit organizations collect a lot of personal data, such as the kinds listed above. Nonprofits and charitable organizations have the same obligation to abide by GDPR as any corporation.
What Do Nonprofits and Charities Need to Know When Collecting Personal Data?
Nonprofits and charities in the United States that already comply with U.S. data breach laws will have a leg up in complying with GDPR. Laws in both jurisdictions outline the types of data that organizations must protect, the rules by which they may obtain personal information, and the steps they must take in the event of a data breach.
GDPR requires organizations to obtain consent from individuals and to collect personal data without coercion. Organizations can’t require individuals to give details that are unnecessary for or unrelated to the transaction or donation. Nonprofits and charities must clearly communicate their intentions and inform their prospects accurately. Marketing efforts by nonprofits and charities must plainly tell prospects how to opt in to or out of communications.
GDPR Rules on Consent
Clear communication means leaving nothing to chance. Anyone responding to a nonprofit’s or charitable cause’s website, email or other marketing effort must be able to understand fully what they are consenting to.
Consent is a one-shot deal. Organizations have no liberty to apply a one-time consent to future transactions or situations. Organizations can’t change the original consent, or a refusal to consent, later on without the individual’s approval.
Consent must be a positive action. This means that an individual has to click on something along the lines of “Yes, I agree…”. An individual who does not respond to a marketing attempt cannot be said to have given consent by the absence of an action.
Ways that Nonprofits and Charities Can Plan for GDPR Compliance
There are many ways for nonprofits and charities to prepare for GDPR compliance. To begin with, nonprofits need to be able to explain how and why they process personal data. They must also be able to explain what data they share with third parties, and who those third parties are.
Besides following the rules stated above for obtaining proper consent, nonprofits need a plan to make sure that they and their workers, volunteers and representatives don’t contact supporters or donors after those people have withdrawn their consent or asked the nonprofit not to use their personal data.
Many charities and nonprofit organizations find that the best way to avoid contacting people on their “do not contact” list is to use a Customer Relationship Management (CRM) system. A CRM keeps lists organized and automatically removes individuals who have opted out or revoked their consent. A CRM system works well for organizations that have multiple volunteers working on marketing campaigns because it updates the contact list in real time, so every volunteer works from the same current data.
Because nonprofit organizations and charities rely heavily on the use of volunteers, it’s crucial for nonprofits to approach data protection on an organizational level. Organizations will need to develop a plan for educating and training volunteers in data protection compliance.
In addition to following the rules for consent and other parts of GDPR, organizations must also have a plan ready for the unfortunate experience of a data breach. The EU requires organizations to be able to notify an EU supervisory authority within 72 hours of becoming aware of a data breach.
Larger nonprofits may consider enlisting the help of a part-time or full-time Data Protection Officer (DPO). Nonprofits and charities with small budgets may prefer to seek a one-time consultation from a DPO, or look for an individual qualified in data protection who may be willing to serve on the organization’s advisory board.
Some Final Thoughts on Preparing for GDPR Compliance
GDPR non-compliance can cost nonprofit organizations millions, which means that board members need to take this new legislation seriously in light of their fiduciary duties. Board members also need to make sure everyone else involved in the organization understands GDPR’s importance. Nonprofit board members would do well to weigh the costs of a CRM system and a DPO against the potential risks and fines.
Data protection policies are part of good corporate governance, and they will continue to evolve in the coming years.