By Greg Duke
Nearly a year ago, many nonprofit organizations in the United States were scrambling to meet the GDPR (General Data Protection Regulation) implementation deadline of May 25, 2018. Last spring, when I spoke with several advancement services and prospect research professionals in the US, there was a great deal of confusion about what GDPR would mean for their fundraising activities across the Atlantic. The great hope was that, in due time, much of this confusion would be resolved by further instructions from the European Union clarifying the rules fundraising institutions have to follow. Unfortunately, during this time, little has been decided about the future of data protection regulations and what those regulations mean with regard to fundraising institutions in the US.
However, I want to stress that we should not mistake silence for leniency when it comes to the GDPR. We may not have heard much about data protection with respect to the European Union since last year, but GDPR remains very real and very important for your nonprofit organization.
Before I continue, I’d like to review the description I made last year of what GDPR is, and what it is intended to do. GDPR is a European Union regulation which requires EU member nations and any businesses or organizations, whether inside or outside the EU, to preserve the digital rights of EU citizens and residents. GDPR requires nations, businesses, and organizations to “process” the data of EU citizens and residents only when there is a “lawful basis” to do so. For most nonprofits, the only lawful basis for data processing requires that the EU resident opt in by providing an affirmative consent. In other words, if a nonprofit—even one located in the United States or another non-EU country—wants to continue to use or even hold data on an EU citizen or resident, the nonprofit must obtain an affirmative assent from that citizen or resident, or potentially face consequences.
Last year, I ended that paragraph with the phrase “up to and including a heavy fine.” The text of the GDPR regulations allows for a maximum fine of €20 million or 4% of an organization’s worldwide revenues, whichever is higher, for a breach of data protection rules. Indeed, in September 2018 EU prosecutors announced they were seeking a fine of up to €1.5 billion from Facebook following a breach of sensitive account data. The willingness of the EU to seek massive fines for GDPR breaches might at first seem troubling to nonprofit administrators who fear a hefty penalty over an accidental breach.
Since the 2018 deadline, however, the EU may have slightly softened its stance on fines for nonprofits. The EU has clarified that fines are the last resort in a “process” of punishment for data breaches, and the numbers support that clarification: of the 59,000 reported breaches of GDPR in the first eight months after May 2018, only 91 resulted in fines, and none of these fines are known to have been paid by nonprofit organizations. Although the details of many of the fines have not been disclosed, it appears that the larger the size of the breach, the larger the fine. For example, as of February 2019, the largest fine levied to date was €50 million to Google for passing personal data to advertisers—but the majority of fines were much, much less, including a €4,800 fine to a city in Austria owing to (and I simply have to quote this in full) “the operation of an unlawful CCTV system that was deemed excessive for its partial surveillance of a sidewalk.” Thus the chances of your nonprofit being fined millions of euros for breaching the personal data of (say) a few dozen alumni are pretty small. Bearing in mind that fines are considered the last resort of a GDPR arsenal of penalties including public naming of negligent organizations or being required to notify constituents of data breaches, the possibility of being fined even a few thousand euros is likely to be low.
This is not to say that data protection issues with regard to the European Union can simply be ignored, either. Obviously, being named and shamed for poor data practices by the EU is not an ideal situation. And it remains to be seen whether in the future the European Union might make an example of a foreign nonprofit using slack data protection procedures. Most of all, your EU constituents are going to be aware of GDPR, having seen news and discussion about it.
I would counsel all nonprofits which have constituents in the European Union to continue implementing the same procedures which were being discussed before May 2018*. In short:
I would like to make one last point about GDPR. For some time, GDPR observers have been counseling nonprofit organizations in the US not to worry about enacting differing policies for their EU and UK donors. They have noted that in 2018 the UK passed a Data Protection Act like that of the EU, thus ensuring that whatever the outcome of Brexit, the UK would have a similar law. I caution against assuming that the EU and the UK will treat future data protection breaches by nonprofits in the same way.
First, the UK Information Commissioner’s Office (UK ICO) already has a track record in fining nonprofits under the previous 2002 Data Protection Act law. Second, the UK ICO has followed a stricter line in its interpretation of GDPR. In April, the UK ICO suggested that various common social media practices, such as allowing users to “like” or otherwise publicly react to posts made by children under 18, might be in contradiction of GDPR; this interpretation is far beyond anything yet recommended by the EU GDPR committee.*
It is very possible that the UK, whether it remains part of the European Union or not, will enact a stricter GDPR regime than the remainder of the EU. This possibility was always on the table for every constituent country of the EU, as GDPR is considered a regulation—which gives member countries considerable flexibility in their interpretation of the law—rather than a directive. Up until now, experts have counseled nonprofits to follow the strictest possible interpretation of GDPR—always require affirmative assent for addresses and emails, delete constituent data when that cannot be obtained, etc. However, if the UK continues to enact stricter and stricter interpretations of GDPR, foreign nonprofits might be better off not dealing with UK constituents at all. It might be time to take a hard look at your UK constituents and consider whether it makes financial sense to cease contact with them, at least until the ICO comes to some consensus on data protection.
At Staupell Analytics Group, I help nonprofits with all types of database and data protection issues, including helping nonprofit organizations stay current with international data protection laws. If you are interested in getting help with data protection, or if you simply are interested in knowing more about GDPR, feel free to contact me at firstname.lastname@example.org.
*As always, we recommend that you check with your organization’s counsel for your specific situation.