Introduction
The biggest and most important change in data regulation in the past two decades went into effect on May 25, 2018—the General Data Protection Regulation (GDPR). The GDPR introduces significant changes to the way that the personal data of individuals who are in the European Union (EU) may be handled. The requirements for compliance vary widely, depending on the type and manner of how the personal data is being processed, and the penalties for noncompliance may be strict and substantial.
Although GDPR will not apply to all nonprofits, the new regulation will impact many. What follows is a brief exploration of key aspects of the GDPR and some preliminary considerations for nonprofits in the face of these changes. This guidance is general in nature, and nonprofit compliance obligations will vary, depending on a variety of factors.
To whom does GDPR apply?
Although GDPR concerns the personal data of individuals in the EU, it does not apply only to EU companies or organizations. This is because GDPR looks to protect the personal data of “data subjects,” that is, any natural persons who are “in” the EU. The scope of GDPR’s applicability is therefore extremely broad. The regulation allows such transfers of such personal data only between countries with “adequate” data protection laws. Thus, a nonprofit may only receive, send, or otherwise process personal data of an individual in the EU if it complies with the requirements of GDPR.
Because applicability of the GDPR is extremely broad, all entities, whether based in the EU or not, that collect or process personal data of data subjects are subject to GDPR’s requirements, regulation, and may be liable for noncompliance. Accordingly, GDPR applies to both organizations established in the EU which process the personal data of individuals in the EU, or non-EU-based organizations which offer goods or services to individuals in the EU.
What is “personal information”?
Under GDPR, one of the biggest changes from prior data protection laws is a significant expansion in scope of what constitutes “personal data.” Under the new law, personal data now includes any information relating to an identifiable person who can be directly or indirectly identified particularly by reference to an identifier, which may include names, identification numbers, location data, online identifiers (including email addresses, IP addresses, or device identifiers), other social identity markers.
Why should my nonprofit care about GDPR?
If your nonprofit has donors, directors, leaders, employees, grantors, newsletter or mailing list recipients, or members in the EU, your nonprofit may be subject to GDPR’s requirements. And if you are subject to GDPR, noncompliance with the regulation’s requirements may result in a fine of up to € 20 million, or 4% of annual global revenue, whichever is greater.
Thus, the regulation is not something nonprofits should quickly dismiss. On the other hand, compliance with GDPR need not be terribly onerous. In all cases, the cost of compliance must be weighed against the potential cost for noncompliance, and such penalties’ ability to hamper or otherwise adversely affect your nonprofit’s ability to operate.
What high-level aspects of this paradigm shift should my nonprofit remember?
The new regulation reflects fundamental differences in the way the EU thinks about data privacy from the ways in which data privacy is considered in the U.S. Similar to how Americans regard free speech as a fundamental right under the First Amendment, so individuals in the EU regard their rights to online privacy. GDPR’s massive shift demonstrates that the EU’s priorities for personal data protections are founded not only on such fundamental principles, but also how the costs of protecting that paradigm are to be allocated. GDPR’s requirements demonstrate that all personal information is found and used in increasingly interconnected and novel ways. Nonprofits should thus be on the forefront of understanding that paradigm shift.
Remember that the focus of this regulation is on the protection of individuals’ privacy, not on enabling your activities.
GDPR is not intended to make it easier for nonprofits to conduct activities in Europe. Rather, its purpose is to make sure that all activities, whether commercial or nonprofit, take place in accordance with certain minimum standards of use as concern the personal data of individuals in the EU. In other words, GDPR’s purposes are not intended to be charitable or educational—but rather regulatory in nature, for the purpose of enforcing and promulgating a particular cultural and technological vision.
Remember that digital information is stored and processed in nonobvious and non-intuitive ways.
Compliance with GDPR will require a nonprofit’s leadership to think deeply and critically about how personal data is actually processed. Digital information is stored, used, and transferred very differently from traditional physical files. Often, information pathways are hidden from view, and may not be intuitive for laypersons without a more intimate understanding of how personal data is handled online. The effect is compounded in the U.S. where the data privacy laws are significantly more lax, and various companies, advertisers, and website routinely use creative ways to use the same data in a multitude of non-intuitive ways for their own interests.
Remember that our world is much more interconnected and interdependent than ever before, even if your nonprofit’s focus is local.
Even if a nonprofit’s focus is completely local in the U.S., it may have a donor in the EU who also subscribes to an emailed newsletter. Consider the local church that sends or otherwise supports a foreign missionary in the EU, or the nonprofit operating a website that offers services but relies on a third-party vendor for processing information from EU-based users who have accounts with your organization. In each case, the organization may be subject to GDPR requirements even if the data of a single individual in the EU is implicated.
What next steps should my nonprofit consider?
Steps toward compliance with GDPR vary widely, and depend on a range of factors such as, type of data a nonprofit handles, the scope of its operations, its size, the number of third-party contracts, and a host of other considerations. Most nonprofits will need to implement at least some changes to be in legal compliance. Beyond the adoption of policy and operational changes, nonprofits should intentionally integrate the fundamental principles of GDPR into the nonprofit’s organizational DNA. In this way, all actions moving forward are measured against the data regulation requirements of GDPR. As a matter of fact, GDPR explicitly seeks to implement a culture of data protection by design and by default. What follows are some suggested initial next steps to consider.
Assess Current Practices
An organization should assess its current practices in handling personal data. This includes analyzing the storage, processing, and transfer “information pathways,” that is, how is information obtained, what happens with it after your nonprofit obtains it, and who actually handles the activity on that data. This evaluation will necessarily include evaluating the nonprofit’s website, contracts with third parties with an eye towards compliance, the structure of how data is stored, cybersecurity policies and practices, and data retention policies. A responsible board might consider adopting or evaluating Written Information Security Programs.
Update Privacy Notices
A fundamental principle at work within GDPR is the idea of informed consent when consent is needed. A nonprofit’s privacy notices must be conspicuous and compliant. The organization must provide sufficient description of the way in which the organization complies with GDPR’s data processing requirements and the reasons and manner of personal data usage. This may include adjusting the nonprofit’s online privacy policy. Or it may require more significant changes to opt-in procedures for cookies and email newsletters. It will almost certainly require new processes for handling user complaints and requests under GDPR.
Identify Lawful Basis for Data Processing
GDPR requires organizations to identify, explain, and publish their “lawful basis” for processing personal data. The significance of this requirement goes beyond compliance with GDPR’s accountability and informed consent provisions. It also affects the extent of certain rights which may be claimed by individuals (e.g., right to data erasure). Nonprofits should be prepared to explain their legitimate bases for collecting, storing and processing personal data.
Plan for Data Breaches and Appointment of Data Protection Officers
GDPR imposes other requirements on organizations, including notification deadlines in the event of a data breach, and a mandatory appointment of an organizational Data Protection Officer for certain entities. Organization’s should evaluate their data breach policies to maximize compliance and minimize unnecessary cost.
How does GDPR differ from Privacy Shield or prior data privacy regulations?
The EU-U.S. Privacy Shield is an agreement between the EU and the U.S. (not an EU statute) which imposes certain data privacy and protection requirements on certain eligible entities in order to allow them to transfer the personal data of individuals in the EU in spite of the EU’s determination that the U.S. does not have adequate data protection laws. Privacy Shield is a safe harbor for personal data transfers by U.S. based entities regulated by the Federal Trade Commission (FTC). Most nonprofits are not regulated by the FTC, and are thus not eligible for Privacy Shield. However, trade associations and other nonprofits engaged in activities that impact the commercial space may qualify to self-certify under Privacy Shield.
GDPR differs in that it is a statute which regulates the data transfer of all individuals in the EU with all countries. Although it concerns only the personal data of individuals in the EU, it has an effectively global reach because of the interconnectedness in our global economy. GDPR therefore has not only expanded the global expectations of individual data privacy, but also increased the burdens of compliance and the penalties for noncompliance.
How GDPR and Privacy Shield will intersect is not yet clear, and will likely be determined through the EU courts in the coming years. We will continue to keep watch for such developments.
What Questions Remain?
While GDPR is the most robust effort to safeguard personal privacy to-date, lingering questions remain concerning its implementation, despite its effective date on May 25th. For example, GDPR protects individuals’ rights to their data and privacy, which include several rights: the rights to be informed, right of access, the right to erasure or to be forgotten, and the right to data portability. Some rights have some obvious implications, like the right to informed consent. What is less obvious, though, is how informed consent is to be sought and obtained, how records are to be kept of such consent, and what constitutes “sufficiently informed consent.”
Furthermore, questions continue to swirl surrounding rights like the right to the erasure of personal data or the right to data portability. What needs to be deleted? How to locate the necessary data for deletion? What if there is an exception or restriction on the deletion request? How best to provide requested data? How much data to provide to users upon request? We look forward to monitoring GDPR's global implementation and reporting news of best practices and compliance as they become available.
Conclusion
In short, GDPR is a major change to the EU’s requirements in the handling of personal data of individuals in the EU. The regulation's broad definitions make it applicable to more organizations than ever before. Many nonprofits, including churches and other houses of worship, which had not needed to contemplate the implications of data privacy and protection, now need to seriously evaluate their liability and risk under the new regulation.