May 7, 2018

GDPR: What Fundraisers Need to Know

One of the tenets of the Donor Bill of Rights is: “To be assured that information about their donation is handled with respect and with confidentiality to the extent provided by law.” As a nonprofit, you are most likely aware of donor data privacy issues and are managing your database responsibly. However, recent changes enacted by the European Union may change the parameters for your donor data management.

What is the GDPR?

The General Data Protection Regulation (GDPR) is an EU regulation on data protection and privacy that sets out a common set of standards and rights for individuals in the EU in today's digital economy. Its primary objective is to give people control over the personal data that companies and organizations collect about them. The regulation was adopted in April 2016, and European authorities allowed a two-year transition window for companies and organizations to bring their practices into compliance. It becomes enforceable on May 25, 2018, and breaches of its rules can draw fines of up to 4 percent of total annual global turnover or €20 million, whichever is higher.

Is my charity affected?

While the United States has adopted no equivalent law, it's important to remember that digital data travels instantaneously across the world, and the GDPR's protections extend beyond the EU's borders. The regulation applies not only to organizations established within the EU, but also to organizations located outside the EU if they offer goods or services (paid or free) to people in the EU, or monitor the behavior of people in the EU. In other words, it covers any organization that processes or holds the personal data of individuals who are in the EU, regardless of where the organization itself is located. We recommend that you review your constituent base and identify any European contacts whose data needs to be handled under these rules.

This definition can be a bit confusing. Keep this in mind when trying to understand the regulation: for an organization outside the EU, what matters is not the citizenship of the person but where they are situated. For example, an EU citizen temporarily living in the United States is not covered when a U.S. nonprofit processes their data. In contrast, a U.S. citizen who is temporarily living in France is covered.

GDPR Compliance

To be GDPR compliant, an organization must have a lawful basis for collecting data, handle and store that data responsibly, and give donors an easy way to access, correct, and delete the personal information it holds about them. Organizations are obligated to protect all collected data from misuse and exploitation. When a personal data breach occurs, the regulation requires the organization to notify its supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to put the affected individuals at risk. If the breach is likely to result in a high risk to the people involved, those individuals must be informed as well. Each EU member state has its own supervisory authority; in the UK it is the Information Commissioner's Office (ICO), the regulator with the power to conduct investigations and issue penalties for GDPR offenses.

Another key point of GDPR is centered on "consent" and opt-in communications. The standard for consent has been strengthened: it must be freely given, specific, informed, and unambiguous, and it must be expressed through a clear affirmative action by the donor. The old "pre-checked" box that opted donors into future communications by default is no longer valid under GDPR, and you should be able to show when and how each donor gave consent. For more detailed information on GDPR compliance requirements, visit the GDPR Key Changes site.


Summary

Recent headlines have been dominated by massive, widely publicized data breaches at Facebook, Yahoo!, and numerous other large companies in industries from retail to health care. With so much exposure, the topic of data protection is top of mind across the world. If you have any questions about GDPR, please visit the GDPR website, contact your customer service manager, or email info@truesense.com.
