Nonprofits Can’t Afford to Ignore GDPR

On May 25, 2018, the General Data Protection Regulation (GDPR)—the most sweeping change to data privacy in twenty-plus years, with extra-territorial scope—goes into effect. GDPR is designed to protect personal data, or any information related to an individual that can be used directly or indirectly to make identification. U.S. organizations that process, control, view, or store European Union (EU) personal data will need to meet the regulation’s new requirements. While there are varying interpretations, EU personal data applies at minimum to EU citizens and in the broadest interpretation, includes anyone who resides in the EU.
Nonprofits can’t afford to assume GPDR doesn’t apply to them. The stakes for noncompliance are high—penalties can be as high as 4 percent of annual global revenues—and the reality is that the regulation will impact many organizations. In addition to nonprofits with a physical presence in the EU, nonprofits with EU-based employees, donors, grantees, or service recipients are likely required to comply as well.
If you’re unsure whether your nonprofit is subject to GDPR, start by considering the following questions:

  • Does your organization offer goods or services to citizens in the EU, even if they are free?

  • Does your organization collect, process, view, or store EU personal data?

  • Does your nonprofit receive contributions from EU organizations or individuals?

  • Does your organization offer goods or services to children under the age of 16 in the EU?

If your organization falls into any of the above categories, use this checklist as a starting point to gauge your GDPR readiness and prioritize next steps ahead of the deadline.

Don't forget to follow us on Twitter @BDONonprofit.