GDPR stands for General Data Protection Regulation. The GDPR is a law on data protection and privacy for all individual citizens of the European Union and the European Economic Area, which went into effect on May 25, 2018. GDPR Compliance protects the online privacy of citizens of the European Union without regard for where the organization or business holding the data resides. Therefore, nonprofits in the US and Canada may need to comply with GDPR, since EU citizens may interact with foreign nonprofits online.
GDPR compliance for nonprofits is about creating transparency and organizing data. Let’s jump right to what pertains to nonprofits. If your nonprofit processes the personal data of EU citizens, there are some guidelines for you to adopt. First things first, we’ll define what data is involved.
Personal Data in GDPR Compliance – What Nonprofits Need to Know
The personal data of donors, volunteers, trustees, and beneficiaries is included in GDPR compliance. More specifically, the data GDPR compliance refers to is all personal data such as an individual’s name, email, identification numbers (i.e., a social security number), and data pertaining to financial information.
Here are some specific ways personal data may be used by nonprofits online:
- Peer-to-peer personal fundraising pages of a crowdfunding event
- Donors who give on your nonprofit website
- Donors who donate on event and campaign fundraising websites
- Volunteers who add their personal data to your nonprofit and event websites
- The personal data of beneficiaries added by your donors
- Personal data of employees
- Social media posts that collect data
- Newsletter sign up forms
- Vendors, sponsors, and corporate sponsors
- Virtual volunteers – employees and employers
- Program inquiries and requests for marketing materials online
GDPR Non-Compliance – What Nonprofits Need to Know
Why does your organization need to comply with GDPR standards? Your organization works hard to keep a positive public perception. An important aspect of a nonprofit’s reputation is making your constituents feel secure, being transparent, and earning their trust.
There are a couple of factors to consider for non-compliance:
- If your organization is found to be non-compliant, there is a possibility of a fine of up to four percent of an organization’s global revenue. That’s a pretty steep fine.
- Another factor to consider is the perception of your constituents. Your organization may experience a loss of support from partners, donors, and members if your organization is deemed to be non-secure or non-compliant.
What Steps Can Your Nonprofit Take to Comply with GDPR?
These 10 tips are a starting point for GDPR Compliance:
- Give all your employees training on the regulations. Anyone involved in data management, websites, fundraising, or talking and writing to constituents needs to know how to handle data and respond to inquiries.
- Assign roles as to who will be responsible for data protection. Create a team of database and CRM managers.
- Support your IT staff and get them working in liaison with marketing and fundraising teams.
- Be transparent in your website privacy language regarding GDPR compliance. Ensure that visitors can understand what data you’re collecting and how it’ll be used.
- Clearly inform your constituents how their data can be removed from your nonprofit website, CRM, fundraising websites, newsletter and email lists.
- EU residents have the right to request that their consent be withdrawn; create a system for doing so. This can get a little tricky, since their data must be removed from all of your data systems. A nonprofit CRM has the power to keep your lists organized and make it easier for you to remove all of an individual’s data.
- Track all consent forms within your CRM. Track what individuals consented to and how their data would be used. Keep a record of revoked consent requests. Lists within your CRM are a great way to manage this.
- Keep the personal data of EU residents only for as long as necessary, and solely for the reason it was collected.
- Stay informed of GDPR compliance laws. As they change, you’ll be ready to update your systematic approach.
- Review compliance laws and strategies with your legal team. Our tips are intended to be helpful in getting you started on the road to GDPR compliance. Yet it is important to take further steps in consulting your legal team.
How a Nonprofit CRM Helps Ensure Compliance
A Constituent Relationship Management (CRM) database can be geared to track and organize GDPR compliance efforts. CRMs are now more affordable and easy to use with new nonprofit CRM technology leading the way. Fundraising websites, donor management CRMs and nonprofit websites can be housed under one roof. In this way, they talk to each other and share your constituent information. Finding data should you need to remove it for an EU resident will be easy.
CRMs save nonprofit staff time on GDPR compliance. Your staff are able to track and assist donors, volunteers, and event participants. They are able to analyze how things are working and continually look at ways to improve by reviewing CRM lists.
Transparency on your websites is a key element, as is having a CRM to easily access and compile data on EU contacts. CRMs do much of the work for you so you can get back to fundraising and changing the world one step at a time. Make sure all of your staff members are aware of GDPR compliance and what your nonprofit needs to know.
Please note: This blog post is for informational purposes only. We cannot provide legal advice on this subject. Please consult with your legal counsel to determine how GDPR may impact your organization.