The General Data Protection Regulation (GDPR), which will come into effect on May 25, 2018, replaces the current European Data Protection Directive (the Directive) and introduces sweeping changes to European data protection legislation, with very significant penalties for noncompliance. The law applies to the use of personal data by European organizations and, in many cases, non-European Union (EU)-based organizations. There is no exception for nonprofit organizations. Notably, even if your nonprofit does not have an office or employees in the EU, if you have donors, members, grantees, customers, or program service recipients in the EU or you otherwise provide goods or services to people in the EU, there is a good chance your organization will be affected by the GDPR.
The new law introduces sizable penalties for noncompliance—up to 4% of an organization's annual worldwide revenue or 20 million euros, whichever is higher. In addition, failure to comply with the new law can lead to adverse publicity, potentially leading to reputational damage and lost trust of donors, grantors, members, and others. Nonprofits should determine whether the GDPR applies to their operations and, if it does, what steps to take to come into compliance with the new law before the May 25, 2018 deadline.
Key Principles
Territorial Scope. The GDPR applies to organizations established in Europe that process the personal data of individuals in Europe and, in a shift from the Directive, to non-EU-based organizations that offer goods or services to individuals in Europe. This means that nonprofits with donors, grantors, or members in Europe may be subject to the new law.
Personal Data. Under the GDPR, the definition of "personal data" includes any information relating to an identified or identifiable natural person, such as an employee, donor, member, or grantor. An "identifiable natural person" is also one who can be identified, directly or indirectly, by reference to an identifier, including an IP address and device identifier. Sensitive personal data, and personal data belonging to children, are subject to heightened requirements.
"Lawful Basis." The GDPR provides that personal data must be processed lawfully, pursuant to one of the grounds provided in the GDPR—including, for example, with the individual's consent, to perform a contract, to comply with legal obligations, or if the processing is necessary for the legitimate interests of the organization. Where processing is based on consent, the individual's consent must be freely given, specific, informed, and unambiguous, requiring a statement or clear affirmative action, such as checking a box.
Data Transfers. Organizations may not transfer personal data outside of the EU unless an EU-approved mechanism is in place to legitimize the transfer. There are multiple mechanisms for facilitating these transfers, such as obtaining the unambiguous consent of the individual, the implementation of standard contractual clauses, or certification under the EU-U.S. Privacy Shield (where applicable). We note that the Federal Trade Commission (FTC) does not have jurisdiction over many nonprofits, and, as a result, most nonprofits would not be eligible for participation in the Privacy Shield. However, the FTC has jurisdiction over nonprofit organizations that operate for the profit of their for-profit members, including by providing substantial economic benefits to those members. In these circumstances, nonprofits may wish to consider whether they are eligible to participate in the Privacy Shield.
Individual Rights. The GDPR also enshrines various individual rights, including, for example, the right for individuals to access their data and, in certain circumstances, the right to request that an organization correct or delete personal information held by the organization. Individuals also must be advised of their rights. Nonprofits should consider their processes and procedures for handling such requests and, if nothing is in place, whether development work is required to process requests or whether it is possible to process requests on an ad hoc basis.
Data Security. Personal data must be processed with appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage. If a security breach occurs, in certain circumstances organizations must notify supervisory authorities without undue delay and, where feasible, within 72 hours. In addition, in certain circumstances, data subjects also must be notified of the breach.
Accountability. The GDPR requires organizations to document their compliance with the GDPR. Accountability steps include recordkeeping obligations, the use of privacy impact assessments, and the appointment of a data protection officer or EU legal representative.
Impact on Nonprofits
Whether your nonprofit has donors, members, grantees, customers, or program service recipients in the EU, or otherwise provides goods or services to, or collects information from, individuals in the EU, there is a high probability that your nonprofit will be covered by the GDPR with respect to personal data from or about these individuals. These days, immense volumes of personal information are collected by nonprofits to facilitate their goals and carry out their missions. Nonprofits should ensure that, if the GDPR applies, they are taking the new law seriously and promptly carrying out the steps needed to comply. Among other things, nonprofits should ensure that, in short order, a complete review is undertaken of personal data collection in the context of marketing and fundraising campaigns, program service delivery, member services, and all other relevant circumstances. The GDPR will come fully into effect on May 25, 2018, and there is no grace period for compliance. Nonprofits should act now to avoid the significant penalties that may be imposed by regulators for noncompliance.