By Greg Duke
Many of you in the nonprofit world have heard about GDPR (the General Data Protection Regulation) and its consequences for the protection of data for individuals in the European Union and the United Kingdom. There have been a lot of rumors and stories involving the consequences for American nonprofits which fail to protect their European-based alumni or donor constituents.
In this article, I will demystify GDPR and help point American database managers and others involved in the maintenance of data in the right direction to follow European and UK law.
GDPR is a European Union regulation which requires EU member nations and any businesses or organizations handling their data to preserve the digital rights of EU citizens and residents. In a nutshell, GDPR requires nations, businesses, and organizations to “process” the data of EU citizens and residents only when there is a “lawful basis” to do so. For most nonprofit organizations, the only available lawful basis for data processing requires the EU data subject to opt in by giving affirmative consent. In other words, if a nonprofit—even one located in the United States or another non-EU country—wants to continue to use or even hold data on an EU citizen or resident, the nonprofit must obtain affirmative consent from that citizen or resident, or potentially face consequences up to and including a heavy fine.
It is clear that the rules laid down by GDPR are very different from data policies commonly practiced in the United States. The GDPR grants EU citizens and residents both the right to dictate the use of their personal data and the “right to be forgotten.” From a practical standpoint, these rights give EU citizens and residents not only the right to forbid companies and organizations to use their data to make profits or raise money, but also the right to forbid the same companies and organizations to hold their data at all. A strict interpretation of GDPR suggests that unless an EU citizen or resident gives his or her express permission to use personal data—including age, phone number, address, and other biographical data—an organization, even one based outside of the EU, cannot hold that person’s data. In short, that person must be “forgotten” by the organization.
I have been following GDPR and its potential effects on American nonprofits with great interest. In 2000, I was employed by St. Edmund Hall at Oxford University when the United Kingdom passed its own regulations on data protection in response to European Union directives. Those regulations—the Data Protection Acts of 1998 and 2002—have recently come back into the news, as they were cited by the UK Information Commissioner’s Office in the fining of two nonprofits who were judged to have mishandled their donors’ personal data. As the database manager at St. Edmund Hall, I drafted the college’s response to the Data Protection Acts and outlined a structure by which the college could comply with the Acts’ regulations. This structure was adopted by St. Edmund Hall and is still in use today.
In my experience with data protection regulations in the European Union and the United Kingdom, the text of the law may seem chilling, and the potential fines may seem dire, but compliance with the law can be achieved through careful diligence. I would urge all American nonprofits who have at least one alumnus or donor or even a database constituent who lives in the European Union (and in my experience that is nearly every American nonprofit) to familiarize themselves with the General Data Protection Regulation. The Wikipedia page on GDPR is actually a good start, as it provides a relatively concise description of the Regulation without recourse to political bias or further myth-making. The Wikipedia page also provides links to the GDPR documentation itself, and to the European Data Protection page which answers some basic questions about the regulation.
I would also urge American nonprofits to reach out to their European and British constituents as soon as possible to offer these constituents an opportunity to provide affirmative consent allowing their data to continue to be held and used in fundraising operations. From my reading of GDPR, this affirmative consent may be obtained either by mail or digitally, whether online or by email (I would recommend against consent by phone, as the GDPR prefers written consent from the constituent). I would also recommend that American nonprofit data managers put into place a policy on how to remove data from their database and other electronic systems for constituents who either actively refuse to provide affirmative consent, or who fail to provide any form of consent.
There are still many questions to be answered about GDPR and its effects on American nonprofits. Namely, there are questions about how the GDPR’s “right to be forgotten” might clash with US regulations on student data and/or IRS regulations on retaining giving records. At Staupell, we will be monitoring these issues and I will be writing updates to this blog post as needed.
I am happy to give advice on any and all issues relating to GDPR and how American nonprofits can prepare for its consequences. I can be reached at firstname.lastname@example.org.