GDPR stands for General Data Protection Regulation. The GDPR is a law on data protection and privacy for all individual citizens of the European Union and the European Economic Area, which went into effect on May 25, 2018. GDPR protects the online privacy of citizens of the European Union regardless of where the organization or business holding the data resides. Therefore, nonprofits and charities in the US and Canada may need to comply with GDPR, since EU citizens may interact with foreign nonprofits online.
GDPR compliance for nonprofits is about creating transparency and organizing data. Transparency on your websites is a key element, as is using a CRM to easily access and compile data on EU supporters. Compliant CRMs do much of the work for you so you can get back to fundraising and changing the world one step at a time.
Let’s jump right to what pertains to nonprofits. If your nonprofit processes the personal data of EU citizens, there are some guidelines for you to adopt. First things first, we’ll define what data is involved.
Personal Data in GDPR Compliance – What Nonprofits Need to Know
The data GDPR compliance refers to is all personal data, such as an individual’s name, email, identification numbers (i.e., social security number), and data pertaining to financial information. The personal data of donors, volunteers, trustees, and beneficiaries is included in GDPR compliance.
Here are some specific ways personal data may be used by nonprofits online:
- Peer-to-peer personal fundraising pages of a crowdfunding event
- Donors who give on your nonprofit website
- Donors who donate on event and campaign fundraising websites
- Volunteers who add their personal data to your nonprofit and event websites
- The personal data of beneficiaries added by your donors
- Personal data of employees
- Social media posts that collect data
- Newsletter sign up forms
- Vendors, sponsors, and corporate sponsors
- Virtual volunteers – employees and employers
- Program inquiries and requests for marketing materials online
GDPR Non-Compliance – What Nonprofits Need to Know
Why does your organization need to comply with GDPR standards? Your organization works hard to keep a positive public perception. An important aspect of a nonprofit’s reputation is making your constituents feel secure, being transparent, and earning their trust.
There are a couple of factors to consider for non-compliance:
- If your organization is found to be non-compliant, there is a possibility of a fine of up to four percent of an organization’s global revenue. That’s a pretty steep fine.
- Another factor to consider is the perception of your constituents. Your organization may experience a loss of support from partners, donors, and members if your organization is deemed to be non-secure or non-compliant.
What Steps Can Your Nonprofit Take to Comply with GDPR?
Meeting and maintaining GDPR compliance standards may represent a big change for your charity. These 10 tips are a starting point for becoming GDPR compliant:
- Give all your employees training on the regulations. Anyone involved in data management, websites, fundraising, and talking and writing to constituents needs to know how to handle data and respond to inquiries.
- Assign roles as to who will be responsible for data protection. Create a team of database and CRM managers.
- Support your IT staff and get them working in liaison with marketing and fundraising teams.
- Be transparent in your website privacy language regarding GDPR compliance. Ensure that visitors can understand what data you’re collecting and how it’ll be used.
- Clearly inform your constituents how their data can be removed from your nonprofit website, CRM, fundraising websites, newsletter and email lists.
- EU residents have the right to withdraw their consent; create a system for handling such requests. This can get a little tricky, since their data must be removed from all of your data systems. A nonprofit CRM has the power to keep your lists organized and make it easier for you to remove all of an individual’s data.
- Track all consent forms within your CRM. Track what individuals consented to and how their data would be used. Keep a record of revoked consent requests. Lists within your CRM are a great way to manage this.
- Keep the personal data of EU residents only for as long as necessary, and solely for the reason it was collected.
- Stay informed of GDPR compliance laws. As they change, you’ll be ready to update your systematic approach.
- Review compliance laws and strategies with your legal team. Our tips are intended to help you get started on the road to GDPR compliance, but it is important to take the further step of consulting your legal team.
How DoJiggy Helps Organizations Ensure GDPR Compliance
Wherever personal information is transferred, stored, or processed by us, we take steps to safeguard the privacy of your donors’ information. DoJiggy’s online and virtual fundraising platform was designed to be GDPR compliant. We can even allow users to download their account data or delete their accounts entirely. Users can do this themselves from their “My Account” page while logged in. Please note that our .com platform is being phased out and is not GDPR compliant.
This blog post is for informational purposes only. We cannot provide legal advice on this subject. Please consult with your legal counsel to determine how GDPR may impact your organization.