How GDPR affects non-profits
With the rate at which data and privacy breaches are happening in today’s world, regulations like the GDPR are a necessity.
Have you noticed how websites recently started asking for your consent before setting cookies? That cookie banner is only the tip of the iceberg: the GDPR reaches into far more of how organizations handle personal data. You might think the regulation applies only to for-profit companies, but non-profits need to comply with the GDPR too.
The fact that you store donor and beneficiary data means you are responsible for protecting their privacy. However, there is more to the GDPR than storing personal data securely and placing a cookie consent statement on your website. The regulation affects how your non-profit operates wherever it handles the data of people in the EU.
Read on to learn how the GDPR will affect your non-profit and how to stay compliant:
What Is GDPR?
At its core, the GDPR (General Data Protection Regulation) is a set of rules meant to strengthen data protection for individuals in the EU. It requires organizations not only to secure the personal data of people in the EU but also to be transparent about how that data is collected and used. It applies to non-EU organizations and to non-profits alike.
As long as you collect the personal data of people in the EU, whether they are your employees, donors, or beneficiaries, you will need to comply. Noncompliance can result in financial penalties as well as backlash from customers, donors, members, and beneficiaries of your organization.
What Non-Profits Need To Know?
Non-profits can be data controllers or data processors, depending on how they handle the personal data of people in the EU. As such, they are subject to the regulation in a variety of roles, including:
- As a service provider to beneficiaries.
- As a campaigning or fundraising organization.
- As an employer in charge of processing the personal data of employees, trustees, and volunteers.
On that same note, individual fundraisers also ought to be educated on the intricacies of the GDPR as they too could be collecting data from supporters or acting as data controllers. As a non-profit, it is your responsibility to ensure that all the processes for collecting data by these individual fundraisers are also compliant with the regulation.
The Rights Involved In The GDPR
The GDPR sets out principles for handling personal data and grants individuals eight rights. In a nutshell, you need to observe high data security and privacy standards and be transparent about how you handle data. The regulation gives individuals the right to:
- Be informed about the collection of their personal data and the intended purpose.
- Access their collected personal data and any supplementary information.
- Rectify any inaccuracies in their collected data or have incomplete data completed.
- Have their personal data erased.
- Restrict data processing. Under this right, an organization can still store the personal data, but it cannot otherwise use it.
- Object to processing, including processing for direct marketing, processing based on legitimate interests, and processing for research or statistical purposes.
- Data portability. Individuals can obtain the data they provided in a machine-readable form and reuse it elsewhere.
- Not be subject to decisions based solely on automated processing, including profiling, where those decisions significantly affect them.
How To Be Compliant
Under the GDPR, consent must be active and freely given, meaning that pre-ticked opt-in boxes will not do the trick. People need to take an affirmative action to show consent, such as ticking an opt-in box or opting in through a permission pass campaign for your mailing lists.
It will also pay to use a central data management system, like a customer relationship management (CRM) tool, to keep track of beneficiary or donor data. Remember, they have a right to revoke the use of their data or request its erasure. Having such a system will streamline this.
Also, only store user data for as long as necessary and use it for only the original intended purpose. Lastly, keep tabs on any changes in the GDPR to ensure that you remain compliant.
Report Any Data Breaches
In the case of a data breach, your non-profit can easily have its reputation damaged, not to mention the cost of dealing with the breach itself. Under the GDPR, you need to report a personal data breach to your supervisory authority (the Information Commissioner's Office in the UK) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the individuals concerned. If you take longer than 72 hours, the notification must state the reasons for the delay.
For data breaches that are high risk, it is also necessary to notify the affected individuals. A data breach can be described as:
- Any unauthorized access to data
- The loss of devices that contained sensitive data
- The accidental or unlawful destruction or loss of data held by a controller or processor
- Sending data to the wrong recipient
- The alteration of personal data without consent
Beyond avoiding penalties, remaining compliant will improve your non-profit's reputation and can reduce the cost of dealing with incidents. The specific requirements may differ between a business and a non-profit, but the goal is the same: focus on GDPR compliance to protect the privacy of your stakeholders' data.