Organisations that handle user data of any sort are required to comply with the ‘General Data Protection Regulation’, or GDPR. If your nonprofit or charitable institution has even one constituent in the European Union (EU), this regulation is something you need to be aware of and comply with. The law came into effect on 25th May 2018. It protects certain kinds of data inside the European Union and data that flow across EU borders, and it applies to establishments in other countries that use personal data for transactions involving services or goods within the EU.
The GDPR covers privacy as it relates to individuals resident in the European Union, but companies and nonprofits everywhere in the world must be in compliance. Even if your organization is based in India, if you have any kind of constituent (an alumna, donor, student, volunteer, past or current patient) living in the EU, then your organization must be in compliance.
Specifically, GDPR defines personal data as:
- Names
- Addresses
- Social Security numbers
- Photos
- Email addresses
- Banking information
- Social media posts
- Medical information
- IP addresses
Charities and nonprofit organizations collect a lot of personal data, such as the kinds listed above. Nonprofits and charitable organizations have the same obligation to abide by GDPR as any other business or for-profit company.
The rules of GDPR require organisations to obtain consent from individuals and to collect information without coercion. NPOs cannot require individuals to give details that are unnecessary or unrelated to the transaction or donation.
Nonprofits and charities must clearly communicate their intentions and inform their prospects accurately.
Marketing efforts by nonprofits and charities must plainly instruct their prospects on how to opt in to or out of communications.
What is GDPR?
GDPR is an omnibus regulation by which the European Union (EU) intends to strengthen and unify the data protection regime, thereby enabling EU citizens to have more control over their personal data.
It enshrines data protection and privacy rights for European users, and holds establishments handling their data, wherever they may be, liable for violations.
GDPR has introduced strict regulations and new rights such as the ‘right to be forgotten’ and the ‘right to data portability’.
This law directly impacts data controllers and data processors.
Non-compliance will lead to huge penalties, as high as 20 million Euros or 4% of annual global revenues, whichever is greater.
The law
This EU law came into force on May 25 2018 and decrees that consumers, or “data subjects”, have the right to erasure of their data and the right to port their data from one place to another.
It also places a premium on the consumer’s or data subject’s consent to the collection and processing of data.
Although the law has been introduced in the EU, its ramifications extend the world over. This is because it is not focused on regulatory measures for tech companies, but rather on the protection of EU citizens and their data.
Impact on India
Indian users of internet-based services or products may continue to use online products and services the way they did. The EU law is not designed to protect citizens outside the European Union.
However, Indian businesses (including non-profits) handling EU user data will have to take a deeper look at the way they collect and use data, or face massive fines.
Compliance
There are many ways for nonprofits and charities to prepare for GDPR compliance.
To begin with, nonprofits need to be able to explain how and why they process personal data. They must also be able to explain any data that they share with third parties, and who those third parties are.
Nonprofits need to make sure that they and their workers, volunteers and representatives don’t contact supporters or donors after those people have withdrawn their consent or asked the nonprofit not to use their personal data.
Many charities and nonprofit organizations find that the best way to refrain from contacting people on their “do not contact” list is to use a Customer Relationship Management (CRM) system.
A CRM helps to keep lists organized and will automatically remove individuals who’ve opted out or revoked their consent. A CRM system works well for organizations that have multiple volunteers working on marketing campaigns, because the CRM updates the system in real time.
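As an added illustration of the mechanism a CRM provides (this is not code from the page or from any CRM product, and the names, addresses and dates are constructed), the following Python consent ledger records opt-ins and withdrawals per purpose and filters a raw contact list so that anyone whose latest event is a withdrawal, or who never consented, is not mailed.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Constructed example: a minimal, append-only consent ledger of the kind a
# CRM keeps so that withdrawn supporters are dropped from every mailing.
# All e-mail addresses and dates below are made up.

@dataclass
class ConsentEvent:
    email: str
    purpose: str          # e.g. "newsletter", "appeals"
    granted: bool         # True = opt-in, False = withdrawal
    at: datetime

@dataclass
class ConsentLedger:
    events: list = field(default_factory=list)

    def record(self, email, purpose, granted, at):
        # Append-only: every event is kept, which gives the audit trail
        # needed to show when and how consent was obtained or withdrawn.
        self.events.append(ConsentEvent(email.lower(), purpose, granted, at))

    def has_consent(self, email, purpose):
        # The latest event for this person and purpose decides. No event at
        # all means no consent: under GDPR consent must be given, not assumed.
        relevant = [e for e in self.events
                    if e.email == email.lower() and e.purpose == purpose]
        if not relevant:
            return False
        return max(relevant, key=lambda e: e.at).granted

    def recipients(self, contacts, purpose):
        # Filter a raw contact list down to people who currently consent.
        return [c for c in contacts if self.has_consent(c, purpose)]

ledger = ConsentLedger()
ledger.record("ana@example.org", "newsletter", True, datetime(2018, 6, 1))
ledger.record("ben@example.org", "newsletter", True, datetime(2018, 6, 2))
ledger.record("ben@example.org", "newsletter", False, datetime(2018, 7, 1))  # unsubscribed
ledger.record("cho@example.org", "appeals", True, datetime(2018, 6, 3))      # other purpose only
ledger.record("dan@example.org", "newsletter", True, datetime(2018, 6, 4))
ledger.record("dan@example.org", "newsletter", False, datetime(2018, 6, 20))
ledger.record("dan@example.org", "newsletter", True, datetime(2018, 9, 1))   # re-consented later

CONTACTS = ["ana@example.org", "ben@example.org", "cho@example.org", "dan@example.org", "eve@example.org"]

if __name__ == "__main__":
    print(ledger.recipients(CONTACTS, "newsletter"))  # ['ana@example.org', 'dan@example.org']
```

Consent given for one purpose (appeals) does not carry over to another (the newsletter), which is why cho is excluded above.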
CAP's Advisory
If your NGO has ‘data subjects’ (e.g. those who receive your e-newsletters, regular updates, reports or appeals for donations) in the European Union, Articles 4 and 7 of the GDPR require you (the NGO) to obtain consent from your ‘data subject’ (the recipient of the information) to be included on your mailing list.
Should the ‘data subject’ choose to withdraw consent, or not give it, you should provide an “Unsubscribe” option.