Four Steps to Better Understanding the GDPR
You may have heard mention of the General Data Protection Regulation (GDPR) which is designed to create clear, consistent data protection rules across the European Union. The regulation will go into effect on May 25, 2018 and apply to companies and nonprofits based in the EU as well as ones that process data from individuals in the EU. While the regulation builds on existing rules, this is the first significant change in decades.
It may sound intimidating, but data protection and respect for donors’ privacy should always be of the utmost importance. If you haven’t had a recent conversation about your organization’s data protection and privacy policy, this regulation is the perfect reason to start.
Step 1: Check your database for constituents in the EU
Even if your organization works primarily in the United States or operates locally, you may be surprised to find donors or supporters in your database from the EU. We recommend taking the time to check.
Step 2: Educate yourself on the GDPR
The GDPR regulates how organizations store and use personal information. That includes names, email addresses, mailing addresses and other data points that fundraisers and marketers regularly use. While details of how this will be reviewed or enforced are forthcoming, noncompliance with the GDPR carries heavy fines (€20M or 4% of global annual revenue, whichever is higher).
Several helpful articles explain the details of the GDPR and offer suggestions for compliance. Here are a few:
The UK Information Commissioner’s Office has published a 12-step guide to preparing for the GDPR. Blackbaud, Facebook, Hubspot, and other organizations have published articles on compliance. The Institute of Fundraising, the professional membership body for UK fundraising, has compiled several helpful guides, webinars, and even a survey on how charities are preparing.
For those scholars among us, the full GDPR is available to read online.
Step 3: Discuss the GDPR with leadership
If your CRM includes individuals in the EU and/or you regularly target EU citizens with your marketing, you may need to adjust your processes and take immediate action.
Even if this specific regulation doesn’t apply to your organization, it would still be worthwhile to start a conversation about data protection. Do you have an infrastructure in place to protect any data you store? Is your privacy policy up to date or does it need revisiting? These questions are worth asking.
Step 4: Consult an attorney
If you determine that your organization does need to take steps to comply with the GDPR, your leadership may decide to consult an attorney. As stated above, noncompliance carries heavy fines. This regulation should be taken seriously, and an attorney should be able to make legal recommendations to ensure compliance.
Hopefully these four steps will offer a useful starting place for your organization. We’ll continue to watch developments in enforcement once the regulation goes into effect and look forward to the continued discussion.