As Washington DC nonprofit advisors, we try to help all of our clients nationwide keep up to date with changes in regulations throughout the nonprofit world. One such regulation is GDPR. This European regulation takes effect in May 2018 and will update data and privacy regulations throughout the European Union, the most sweeping changes since 1995.
Although you may be an American-based nonprofit organization, no one is exempt from GDPR. That’s because the rules apply not just to companies and organizations located within the EU but also to any business entity – for profit or not for profit – that interacts with EU citizens. In today’s global, internet-based world, that opens the door for anyone with a website to fall under GDPR’s requirements.
What, you may wonder, would happen if you just ignored it? After all, you’re not an EU citizen, and your organization is licensed and registered in the United States…well, the penalty for not adhering to GDPR is severe, ranging from a warning to fines that could reach six or seven figures.
GDPR looks confusing on the surface and it is indeed complex. Washington DC nonprofit advisors to the rescue! Let’s break it down into the important parts nonprofits need to know, understand, and act upon to comply.
Data Collection, Storage, and Privacy
Most of the GDPR regulations focus on personal data collection, privacy, and storage. Data breaches must be reported within a 72-hour window and people must give explicit consent to data collection. Data that falls under GDPR collection rules includes:
- Email addresses
- Social media posts
- Medical information
- Bank details
- IP addresses
As an organization that may interact with EU citizens, you are required to:
- Obtain consent that is “freely given, specific, informed, and unambiguous” prior to collection of personal information from a data subject
- Restrict data collection to specific, explicit, and legitimate purposes
- Limit data retention to requirements for business purposes
- Provide data processing transparency
- Maintain data security, confidentiality, and integrity
- Adhere to breach notification requirements
- Designate a Data Protection Officer
- Perform a data protection impact assessment
People whose data you have collected have the right to:
- Access their data
- Object to the use of their data
- Be forgotten (have their data erased)
- Rectify their data
- Receive their data and transmit it to another controller
Tips to Help Nonprofits Comply with GDPR
All nonprofit organizations should take GDPR seriously. Although you may not purposely target EU citizens in your marketing efforts, the regulations are so all-encompassing that it is better to be ‘safe rather than sorry’ and take care to adhere to GDPR as best as you can. It’s also just basic smart marketing and sound practice for data security, privacy, and control.
You can take the following steps to help meet GDPR regulations:
- Identify all interactions and potential interactions with EU citizens. This may include website contacts, email signups, and EU groups with whom you interact.
- Review all places where you collect data. This includes website data, analytics, and even plugins that may collect data from visitors on your website.
- Adjust and revise the terms and conditions on your website. Don’t have terms, conditions, and privacy policies posted? Now’s the time to add them. Make them easy to find: link to them prominently from your top-level navigation or, at most, one level down, so that anyone seeking them can locate them easily.
- Review emergency plans and action plans to handle data breaches. Again, if you don’t have such plans in place, now is the time to create them. Data breaches aren’t a question of “if” but “when”; cybercriminals love to target nonprofits and view them as easy targets. Lock the barn door now before the proverbial horse escapes.
- Send a permission-reminder email to your email marketing list. This is a notification that you are updating permission and asking once again for explicit permission to send promotional materials to your contact list.
These are small, simple steps to take to comply with the spirit of GDPR. Even if you do not conduct business in the EU and have no intention of doing so, GDPR should be considered best practices for permission-based communications moving forward.
Beck & Company, Washington DC Nonprofit Advisor
Beck &amp; Company are Washington DC nonprofit advisors and consultants. Since 1987, we have helped many nonprofits in the Washington D.C. area and along the Eastern seaboard with their accounting and financial management needs. We provide audit, tax, accounting, and consulting services that address all aspects of a small to mid-sized nonprofit organization’s business. Contact us or call 703-834-0776 x8001.