. . . or worrying that you aren’t in compliance?
If so, you’re not alone. The GDPR — the European Union General Data Protection Regulation — went into effect on May 25, 2018, but if you’re still not sure what it is or whether it applies to you (or you haven’t yet implemented the required changes), now is the time to take action and avoid potential fines.
What is the GDPR?
The GDPR is a regulation that was enacted to harmonize data privacy laws across Europe and protect the data privacy of European Union (EU) and European Economic Area (EEA) citizens. It applies not only to EU organizations, however, but also to organizations located outside the EU that offer goods or services to Europeans.
How do we determine if our organization needs to comply?
Any US-based organization that processes or holds “personal data” of individuals who reside in the EU or EEA needs to comply with the GDPR, even if the organization does not have a business presence within the EU. “Personal data” includes any information relating to an individual, such as name, a personal identification number, location data, online identifiers (like IP address), health information, or information relating to an individual’s social identity. Personal data does not include data from which an individual can no longer be identified, such as aggregate data.
The first step to determine whether your organization needs to comply with the GDPR is to ask: What, if any, personal data does our organization collect, process, store and/or share?
If you do collect, process, store or share personal data, next ask: Is our organization a “processor” or a “controller” of the data?
Controller versus Processor?
A controller owns the data and decides how it will be used. A processor manages and processes the data on behalf of the controller. If you are an organization that collects data in order to provide services such as newsletters or online forums or to register members for conferences, you are most likely a controller. Assuming so, you are responsible for assuring (1) that the personal data that you collect (or that is collected on your behalf) is gathered legally and is protected from misuse, and (2) that your contracts with the companies that do the data collecting or processing comply with the GDPR.
What is involved in assuring that personal data is collected legally and protected from misuse?
The general rule is that you must (1) get affirmative consent from individuals in an easy-to-understand form before you collect their personal data, and (2) inform these individuals of their rights regarding any personal data that you collect. Their rights include the ability to:
- Obtain a copy of their personal data in an easily accessible format.
- Correct or update any of their personal data that is inaccurate.
- Restrict or limit the ways in which their personal data is used.
- Object to the processing of their personal data.
- Request the deletion of their personal data.
- Withdraw their consent to processing of their personal data.
- File a complaint regarding an organization’s privacy practices with their national data protection authority.
What should our next steps be?
The next steps you need to take depend on your specific data collection activities and needs. At minimum, however, you should:
- Review your organization’s data collection, sharing and retention policies and practices — particularly your website terms and conditions — to make sure they effectively notify data subjects, visitors and users of their rights.
- If you update your policies to comply with the GDPR, proactively notify data subjects, visitors and users of the updates and provide them a link to the new policies.
- Make sure that any offers you send to individuals, such as offers to sign up for newsletters or other services, ask them affirmatively to consent (“opt-in”) to your organization storing and using their personal data for such purposes.
- Contact any service providers who handle your data processing (for example, providers who register your members for conferences or process fees). Confirm that they understand their responsibilities under the GDPR, and verify that your service contracts with them clearly state those responsibilities.
It’s time to stop wondering and take action. None of this is easy, but it should be manageable if you get the support you need from IT and legal advisors.
Ellen Lubell provides guidance to nonprofit leaders on regulatory compliance, risk management, governance, fundraising, and best practices for preserving tax-exempt status.