GDPR: What does it mean for your nonprofit?


As a nonprofit organization, it's incredibly important that you respect your donors' privacy. You likely have access to great amounts of personal information on your constituents, and those constituents are trusting that this personal information stays for your eyes only (FYEO).

Over the last month or so, you've probably been barraged with emails about the new General Data Protection Regulation (GDPR), which went into effect today. If you haven't received these emails, there's either something wrong with your inbox or you haven't subscribed to anything, ever. GDPR is a regulation in European Union law on data protection and privacy for individuals in the EU, and it also addresses the export of personal data outside the EU. It sets guidelines and standards for collecting, storing and processing the personal information of individuals within the EU.

So, if you're a U.S.-based nonprofit, what does this mean for you? As a nonprofit, you manage copious amounts of data, including data from volunteers, employees and trustees. You may also provide services to beneficiaries and serve as a fundraising organization, which means you collect, process and control information and data.

Classy explains it perfectly:

"In order for your nonprofit to be compliant, you must be transparent and meticulous when it comes to the collection and processing of personal data. This applies to the data of employees, volunteers, donors, supporters—anyone from whom your nonprofit collects personal data. Organizations must have a written policy and procedure for how they handle personal data and abide by the privacy principles."

The Institute of Fundraising put together a guide to help nonprofit organizations ensure that they remain compliant with GDPR. Your nonprofit can still process personal data, but it has to be done in a way that is consistent with GDPR. The six bases for processing data, as written by the Institute of Fundraising, are:

  1. Consent: You can show that an individual has performed a clear affirmative action (such as saying “yes” to a question or ticking an opt-in box) to allow you to process their personal data for a specific purpose.
  2. Contract: The processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
  3. Legal obligation: The processing is necessary for you to comply with the law (not including contractual obligations).
  4. Vital interests: The processing is necessary to protect someone’s life.
  5. Public task: The processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
  6. Legitimate interests: The processing is necessary for your legitimate interests or the legitimate interests of a third party unless the interests or rights and freedoms of the individual override those interests. (This cannot apply if you are a public authority processing data to perform your official tasks).

This may all seem complicated and confusing, but there are steps that you can take to make sure that your team is up to speed and that your donors feel confident that their data is protected.

  1. Tell people what you're doing with their information and personal data.
  2. Make sure your staff and volunteers know how to handle data in a compliant way.
  3. Update usernames and passwords, especially for systems where sensitive information may be stored.
  4. Don't store personal data forever. Know what your state's record retention regulations are and have a retention plan in place so you're not keeping data longer than you should be.

As always, we encourage you to seek legal assistance with any questions you may have regarding GDPR and other government regulations, as these are only tips and tricks. There are many resources available to help you make sure that your team is prepared for the data privacy changes taking place.