The General Data Protection Regulation (GDPR), which will take effect on May 25, replaces the current European Data Protection Directive (the Directive). It introduces sweeping changes to European data protection legislation, with very significant penalties for noncompliance. The law applies to the use of personal data by European organizations and, in many cases, by organizations based outside the European Union (EU).
There is no exception for nonprofits. Even if your nonprofit does not have an office or employees in the EU, if you have donors, members, grantees, customers, or program service recipients in the EU or you otherwise provide goods or services to people in the EU, there is a good chance your organization will be affected by the GDPR.