STAUPELL ANALYTICS GROUP - ANALYTICS EXPERTS FOR NONPROFITS, IMPROVING FUNDRAISING

Driven by Data Blog

Lands of Confusion? Data Protection Law Changes in the EU and the UK, Part 2

5/21/2019

By Greg Duke

Nearly a year ago, many nonprofit organizations in the United States were scrambling to meet the GDPR (General Data Protection Regulation) implementation deadline of May 25, 2018. Last spring, when I spoke with several advancement services and prospect research professionals in the US, there was a great deal of confusion about what GDPR would mean for their fundraising activities across the Atlantic. The great hope was that, in due time, much of this confusion would be resolved by further guidance from the European Union clarifying the rules fundraising institutions have to follow. Unfortunately, little has been decided since then about the future of data protection regulations and what those regulations mean for fundraising institutions in the US.

However, I want to stress that we should not mistake silence for leniency when it comes to the GDPR. We may not have heard much about data protection with respect to the European Union since last year, but GDPR remains very real and very important for your nonprofit organization.
 
Before I continue, I’d like to review the description I made last year of what GDPR is, and what it is intended to do. GDPR is a European Union regulation which requires EU member nations and any businesses or organizations, whether inside or outside the EU, to preserve the digital rights of EU citizens and residents. GDPR requires nations, businesses, and organizations to “process” the data of EU citizens and residents only when there is a “lawful basis” to do so. For most nonprofits, the only lawful basis for data processing requires that the EU resident opt in by providing an affirmative consent. In other words, if a nonprofit—even one located in the United States or another non-EU country—wants to continue to use or even hold data on an EU citizen or resident, the nonprofit must obtain an affirmative assent from that citizen or resident, or potentially face consequences.
 
Last year, I ended that paragraph with the phrase “up to and including a heavy fine.” The text of the GDPR regulation allows for a maximum fine of €20 million or 4% of an organization’s worldwide revenues, whichever is higher, for a breach of data protection rules. Indeed, in September 2018 EU prosecutors announced they were seeking a fine of up to €1.5 billion from Facebook following a breach of sensitive account data. The willingness of the EU to seek massive fines for GDPR breaches might at first seem troubling to nonprofit administrators who fear a hefty penalty over an accidental breach.
 
Since the 2018 deadline, however, the EU may have slightly softened its stance on fines for nonprofits. The EU has clarified that fines are the last resort in a “process” of punishment for data breaches, and the numbers support that clarification: of the 59,000 reported breaches of GDPR in the first eight months after May 2018, only 91 resulted in fines, and none of these fines are known to have been paid by nonprofit organizations. Although the details of many of the fines have not been disclosed, it appears that the larger the size of the breach, the larger the fine. For example, as of February 2019, the largest fine levied to date was €50 million to Google for passing personal data to advertisers—but the majority of fines were much, much less, including a €4,800 fine to a city in Austria owing to (and I simply have to quote this in full) “the operation of an unlawful CCTV system that was deemed excessive for its partial surveillance of a sidewalk.” Thus the chances of your nonprofit being fined millions of euros for breaching the personal data of (say) a few dozen alumni are pretty small. Bearing in mind that fines are considered the last resort of a GDPR arsenal of penalties including public naming of negligent organizations or being required to notify constituents of data breaches, the possibility of being fined even a few thousand euros is likely to be low.
 
This is not to say that data protection issues with regard to the European Union can simply be ignored, either. Obviously, being named and shamed by the EU for poor data practices is not an ideal situation. And it remains to be seen whether the European Union might in the future make an example of a foreign nonprofit with slack data protection procedures. Most of all, your EU constituents are going to be aware of GDPR, having seen news and discussion about it.
 
I would counsel all nonprofits which have constituents in the European Union to continue implementing the same procedures which were being discussed before May 2018*. In short:
  • Make sure your organization asks your EU constituents for consent to use their personal data or to send solicitation letters.
  • Establish strong data security procedures for your EU constituents’ personal data and train your staff on those procedures as well.
  • Most of all, make sure that you are transparent with your EU constituents on how you are using their data, and if one or more of those constituents wishes to be removed from a mailing or e-mail list, make sure to comply.
 
I would like to make one last point about GDPR. For some time, GDPR observers have been counseling nonprofit organizations in the US not to worry about enacting differing policies for their EU and UK donors. They have noted that in 2018 the UK passed a Data Protection Act like that of the EU, thus ensuring that whatever the outcome of Brexit, the UK would have a similar law. I caution against assuming that the EU and the UK will treat future data protection breaches by nonprofits in the same way.

First, the UK Information Commissioner’s Office (UK ICO) already has a track record of fining nonprofits under the previous 2002 Data Protection Act. Second, the UK ICO has followed a stricter line in its interpretation of GDPR. In April, the UK ICO suggested that various common social media practices, such as allowing users to “like” or otherwise publicly react to posts made by children under 18, might contradict GDPR; this interpretation goes far beyond anything yet recommended by the EU GDPR committee.*

It is very possible that the UK, whether it remains part of the European Union or not, will enact a stricter GDPR regime than the remainder of the EU. This possibility was always on the table for every constituent country of the EU, as GDPR is considered a regulation—which gives member countries considerable flexibility in their interpretation of the law—rather than a directive. Up until now, experts have counseled nonprofits to follow the strictest possible interpretation of GDPR: always require affirmative assent for addresses and emails, delete constituent data when that assent cannot be obtained, and so on. However, if the UK continues to enact stricter and stricter interpretations of GDPR, foreign nonprofits might be better off not dealing with UK constituents at all. It might be time to take a hard look at your UK constituents and consider whether it makes financial sense to cease contact with them, at least until the ICO comes to some consensus on data protection.
 
At Staupell Analytics Group, I help nonprofits with all types of database and data protection issues, including helping nonprofit organizations stay current with international data protection laws. If you are interested in getting help with data protection, or if you simply want to know more about GDPR, feel free to contact me at greg@staupell.com.

*As always, we recommend that you check with your organization’s counsel for your specific situation.
    Authors

    Marianne Pelletier has more than 30 years of experience in fundraising, with the majority in prospect research and prospecting.

    Greg Duke helps Raiser’s Edge clients optimize their database by implementing data clean-up techniques and creating reporting structures, including dashboards and SQL queries. He also facilitates data imports into Raiser’s Edge and database administration.

© COPYRIGHT 2023 Staupell Analytics Group. ALL RIGHTS RESERVED.