NOTE: This blog was originally posted on Forbes.
It has topped news feeds for the last year, and today the General Data Protection Regulation (GDPR) finally comes into full effect. But what does this mean for your nonprofit or U.S.-based organization?
I'd like to address the common misconception that this law applies only to, and is enforced only on, for-profit companies based in the European Union.
Is My U.S.-Based Nonprofit Affected By The GDPR?
The GDPR applies to any organization, wherever it is established, that offers goods or services to individuals in the EU (whether or not payment is required) or monitors their behaviour. Collecting the personal data of an EU resident in that context triggers the GDPR, and the fines for non-compliance that come with it, regardless of where the organization is located.
What nonprofit organizations need to know is how personal information is defined. In the U.S., we refer to personally identifiable information (PII) as any data that can be used to identify an individual (commonly including Social Security number, name, mother's maiden name, biometric records, or date and place of birth). The GDPR is broader: it defines personal data as "any information relating to an identified or identifiable natural person," which also covers online identifiers such as IP addresses and cookie IDs, and location data.
Under that definition, many nonprofit organizations collect a lot of personal data: names, postal addresses, email addresses and social media posts. This data could be collected from donors, constituents, volunteers, vendors or even people who are only interested in following what your organization does. It does not need to be financial information or even directly related to the services your organization provides. For example, if an EU resident signed up for your newsletter because they were interested in your research, cause or programs and you send them marketing material, then the GDPR applies to you.
My point is that even if your organization is based in the U.S. and mainly serves or fundraises from individuals in the U.S., EU residents can still end up on your lists, and then the GDPR may apply to you. Non-compliance can be fined up to 20 million euros or 4% of annual worldwide turnover, whichever is higher. Your executives and information technology (IT) team should take this legislation seriously and make sure that everyone involved in the use and storage of personal data is familiar with the regulations.
Here are my top nine best practice tips for how your nonprofit can help mitigate some of the risks associated with the GDPR:
- Create awareness across the organization. Make sure you and your employees are aware of the regulations and identify who will be responsible for data protection. Your IT department should work closely with your fundraising and marketing departments, because those teams own most of the personal data, to ensure your data retention and privacy policies are GDPR compliant.
- Update your website privacy policy so that site visitors can understand what data you collect about them, why and on what legal basis, how it may be used and with whom it is shared, how long you keep it, and how they can access it or have it removed (be "forgotten").
- Implement a customer relationship management (CRM) application as your single system of record. One of the hardest GDPR obligations to meet in practice is the right to erasure, together with the right to withdraw consent at any time. Once an EU resident withdraws consent, you must stop the processing that consent covered and, on request, delete their personal data from every system that holds it, including mailing tools, spreadsheets and exports, unless you have a separate legal reason to keep some of it (for example, financial records of a donation that you are required to retain). Unless all your systems are integrated, tracking down every copy is tricky. A CRM that feeds the other systems keeps your lists in one place and makes it far easier to locate and remove an individual who has withdrawn consent, and to keep a minimal suppression record so they are not re-imported later.
- Keep your consent requests separate from other terms and conditions, and do not make a service conditional on consent that the service does not actually need.
- Review the way you obtain consent. Under the GDPR, consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action, so the individual has to do something (like ticking an unticked opt-in box). For EU residents, you may no longer pre-select the opt-in box on a form, or treat silence or inactivity as consent.
- Keep track of who has consented, when and how. This includes the exact wording the individual was shown at the time of consent (what their data would be used for), the version of your privacy notice in force at the time, and a record of any withdrawal of consent.
- Run a permission pass campaign. This is a one-time email sent to everyone on your mailing list who does not have a confirmed opt-in status in your system, asking them to confirm that they still want to hear from you. It is also a good opportunity to assess engagement and keep only contacts who want to receive communications from you. Expect the list to shrink and the open rate to rise, since only engaged contacts remain. Two cautions: do not include people who have already unsubscribed or withdrawn consent, and check whether contacts who never opted in can lawfully be emailed at all, because in some jurisdictions a re-permission email to such contacts has itself been treated as unsolicited marketing.
- Keep the personal data of EU residents only for as long as necessary and only for the purpose it was collected for. Define a retention period for each category of data, document any legal exceptions, and delete or anonymize data when the period expires.
- Stay abreast of changing legislation and implement a process to regularly evaluate your compliance efforts.
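The consent tips above (separate, affirmative consent; a record of who consented, when, how and to what wording; recording withdrawal; and selecting contacts for a permission pass) fit one small data structure. The following is an added, constructed example written for this page, not code from the original article or from any CRM product: an append-only consent ledger in which withdrawal is recorded as a new event rather than by deleting the contact, so the organization keeps evidence of both the grant and the withdrawal. The email addresses, notice text, purpose name and timestamps are made up for the demonstration; a pre-ticked legacy form is represented by `affirmative=False`, which the ledger refuses to treat as valid consent.

```python
"""Append-only consent ledger for a mailing list (constructed example).

Every grant or withdrawal is an event with a timestamp, a source and a hash
of the exact notice wording shown, so the record of what someone agreed to
cannot be silently changed by editing the privacy notice later.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    email: str
    action: str          # "granted" or "withdrawn"
    at: datetime         # UTC time the action was taken
    source: str          # where it happened, e.g. "newsletter-form"
    purpose: str         # the processing the person was told about
    notice_sha256: str   # hash of the notice text shown at the time
    affirmative: bool    # True only for an explicit act (ticking an unticked box)


class ConsentLedger:
    def __init__(self):
        self._events = []  # never deleted from; withdrawals are appended

    @staticmethod
    def notice_hash(notice_text: str) -> str:
        """Fingerprint the notice wording the person actually saw."""
        return hashlib.sha256(notice_text.encode("utf-8")).hexdigest()

    def record_grant(self, email, source, purpose, notice_text, affirmative, at=None):
        self._events.append(ConsentEvent(
            email=email.lower(), action="granted",
            at=at or datetime.now(timezone.utc), source=source, purpose=purpose,
            notice_sha256=self.notice_hash(notice_text), affirmative=affirmative))

    def record_withdrawal(self, email, source, purpose, at=None):
        self._events.append(ConsentEvent(
            email=email.lower(), action="withdrawn",
            at=at or datetime.now(timezone.utc), source=source, purpose=purpose,
            notice_sha256="", affirmative=True))

    def history(self, email: str, purpose: str) -> List[ConsentEvent]:
        """All events for this person and purpose, oldest first: the evidence
        trail to produce on request."""
        return sorted((e for e in self._events
                       if e.email == email.lower() and e.purpose == purpose),
                      key=lambda e: e.at)

    def latest(self, email: str, purpose: str) -> Optional[ConsentEvent]:
        h = self.history(email, purpose)
        return h[-1] if h else None

    def can_contact(self, email: str, purpose: str) -> bool:
        """Only a currently standing, affirmatively given grant counts.
        A grant from a pre-ticked box is on record but is not valid consent."""
        e = self.latest(email, purpose)
        return e is not None and e.action == "granted" and e.affirmative

    def permission_pass_targets(self, contacts, purpose: str) -> List[str]:
        """Contacts with no valid opt-in on record, for a one-time re-permission
        email. People who withdrew are deliberately left out: re-asking them
        would itself be unsolicited mail."""
        targets = []
        for c in contacts:
            e = self.latest(c, purpose)
            if e is None or (e.action == "granted" and not e.affirmative):
                targets.append(c.lower())
        return targets


# Constructed sample data: four contacts, one purpose, one notice version.
NOTICE_V1 = "We will email you our monthly research newsletter. Unsubscribe any time."
T0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)

ledger = ConsentLedger()
ledger.record_grant("anna@example.org", "newsletter-form", "newsletter",
                    NOTICE_V1, affirmative=True, at=T0)
# Legacy donation form with a pre-ticked box: recorded, but not valid consent.
ledger.record_grant("ben@example.org", "legacy-donation-form", "newsletter",
                    NOTICE_V1, affirmative=False, at=T0)
ledger.record_grant("cara@example.org", "event-signup", "newsletter",
                    NOTICE_V1, affirmative=True, at=T0)
ledger.record_withdrawal("cara@example.org", "unsubscribe-link", "newsletter",
                         at=T0.replace(day=26))

MAILING_LIST = ["anna@example.org", "ben@example.org",
                "cara@example.org", "dev@example.org"]

if __name__ == "__main__":
    for c in MAILING_LIST:
        print(c, "may be emailed:", ledger.can_contact(c, "newsletter"))
    print("permission pass:", ledger.permission_pass_targets(MAILING_LIST, "newsletter"))
```

In this model, withdrawing consent appends an event and the contact stays in the ledger as a suppression record; the profile data held elsewhere (address, donation history, notes) is what an erasure request removes, subject to any legal retention duty. Keeping the notice hash and source with each grant is what lets you answer "what exactly did this person agree to, and where" when asked.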