Data protection regulations include U.S. nonprofits
Most U.S. nonprofits have paid little attention to the European Union’s (EU’s) General Data Protection Regulation (GDPR), which took effect May 25, 2018. The GDPR revises the standards for privacy rights, information security and compliance in the EU. But because the GDPR applies to all organizations — inside and outside the EU — that access or process data about persons in Europe, unsuspecting U.S. organizations could fall under these requirements.
The regulation’s requirements go far beyond any existing U.S. privacy standards. For example, they define “personal data” to include a wide range of personal identifiers, including name, address, Social Security or identification number, email addresses, location data and online identifiers such as cookies or IP addresses. With such a broad definition, odds are that your organization collects data subject to the rules.
Notably, the GDPR applies to companies outside the EU that process or hold the personal data of “data subjects” (defined as identifiable natural persons) who are physically in the EU. It doesn’t matter where the processing takes place or whether the subjects are EU residents.
The GDPR establishes strict requirements for how organizations must manage personal data. Among other topics, it includes provisions related to:
- Data security and data governance, including the mandatory appointment of a data protection officer in certain circumstances,
- Consent to processing,
- Mandatory breach notification within 72 hours of discovery,
- Access to personal data and data erasure (the right to be “forgotten”),
- Data portability, and
- Cross-border data transfers.
Again, the rules generally are more stringent than in the United States. For example, the GDPR requires notification to the appropriate EU authority within 72 hours after becoming aware of a data breach. U.S. states’ breach notification laws require notification “without unreasonable delay,” with the shortest timing at 30 days, while the Health Insurance Portability and Accountability Act (HIPAA) allows 60 days.
Rights of individuals
The most notable provisions for nonprofits address consent, disclosure and the right to be forgotten. The GDPR requires organizations to obtain consent from individuals to collect their personal data. You can’t just add new donors’ email addresses to your system or require them to opt out of communications.
Instead, consent requires an affirmative action by the individual, such as clicking on an “I agree” statement, and the personal data you already possess isn’t “grandfathered in.” You must obtain consent on that data or purge it completely from all your systems (including employees’ spreadsheets and Outlook contact lists).
You also must disclose to individuals the data you collect on them upon request, so you’ll need to keep close track of such information. And if an individual asks to be forgotten, you must delete all of his or her data or anonymize it, across all departments and, where applicable, with third-party vendors that have had access to the data.
Proceed with caution
A serious violation of the GDPR can bring a penalty as high as 20 million euros (about $23 million) or 4% of the violator’s annual revenue, whichever is higher. While questions remain about enforcement in the United States, it’s certain that few nonprofits could survive such a hit. You need to determine whether your organization’s practices abide by the rules and develop a compliance plan for employees, volunteers and third-party vendors.