Data Protection Regulations Include U.S. Not-for-Profits
Most U.S. not-for-profits have paid little attention to the European Union's (EU's) General Data Protection Regulation (GDPR), which took effect May 25, 2018. The GDPR revises the standards for privacy rights, information security and compliance in the EU. But, because the GDPR applies to all organizations — inside and outside the EU — that access or process data about persons in Europe, unsuspecting U.S. organizations could fall under these requirements.
The regulation's requirements are much stricter than any existing U.S. privacy standards. For example, they define "personal data" to include a wide range of personal identifiers, including name, address, Social Security or identification number, email addresses, location data and online identifiers such as cookies or IP addresses. With such a broad definition, odds are that your organization collects at least some data subject to the rules.
It is important to note that the GDPR applies to companies outside the EU that process or hold the personal data of "data subjects" (defined as identifiable natural persons) who are physically in the EU. It does not matter where the processing takes place or whether the subjects are EU residents.
The GDPR establishes strict requirements for how organizations must manage personal data. Among other topics, it includes provisions related to:
- Data security and data governance, including the mandatory appointment of a data protection officer in certain circumstances;
- Consent to processing;
- Mandatory breach notification within 72 hours of discovery;
- Access to personal data and data erasure (the "right to be forgotten");
- Data portability; and
- Cross-border data transfers.
Rights of Individuals
The most notable provisions for not-for-profits address consent, disclosure and the right to be forgotten. The GDPR requires organizations to obtain consent from individuals to collect their personal data. You cannot just add new donors' email addresses to your system or require them to opt out of communications.
Instead, consent requires an affirmative action by the individual, such as clicking on an "I agree" statement, and the personal data you already possess is not grandfathered in. You must obtain consent on that data or purge it completely from all your systems (including employees' spreadsheets and Outlook contact lists).
You also must, on request, disclose to individuals the data you hold about them, so you will need to keep close track of such information. And if an individual asks to be forgotten, you must delete all of his or her data or anonymize it, across all departments and, where applicable, at third-party vendors that have had access to the data.
Proceed with Caution
A serious violation of the GDPR can bring a penalty as high as 20 million euros (about $23 million) or 4% of the violator's annual revenue, whichever is higher. While questions remain about enforcement in the United States, it is certain that few not-for-profits could survive such a hit. You need to determine whether your organization's practices abide by the rules and develop a compliance plan for employees, volunteers and third-party vendors.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.