Friday, 1 June 2018

General Data Protection Regulation (GDPR)

Organisations that handle user data of any sort are required to comply with the ‘General Data Protection Regulation’, or GDPR.
If your nonprofit or charitable institution has even one constituent in the European Union (EU), this regulation is something you need to be aware of and comply with. The law came into effect on 25th May 2018. It protects certain kinds of data inside the European Union and data that flow across EU borders, including data used by establishments in other countries for transactions involving services or goods within the EU.

The GDPR covers privacy as it relates to individuals resident in the European Union, but companies and nonprofits everywhere in the world must be in compliance. Even if your organization is based in India, if you have any kind of constituent (an alumna, donor, student, volunteer, past or current patient) living in the EU, then your organization must be in compliance.

Specifically, GDPR defines personal data as:
  • Names
  • Addresses
  • Social Security numbers
  • Photos
  • Email addresses
  • Banking information
  • Social media posts
  • Medical information
  • IP addresses

Charities and nonprofit organizations collect a lot of personal data, such as the data detailed in the list above. Nonprofits and charitable organizations have the same obligation to abide by GDPR as any other business or for-profit company.

The rules of GDPR require organisations to obtain consent from individuals and to collect information without using forceful means. NPOs cannot require individuals to give details that are unnecessary or unrelated to the transaction or donation.

Nonprofits and charities must clearly communicate their intentions and inform their prospects accurately. 

Marketing efforts by nonprofits and charities must plainly instruct their prospects on how to opt in or out of communications.

What is GDPR?
GDPR is an omnibus regulation by which the European Union (EU) intends to strengthen and unify its data protection regime, thereby giving EU citizens more control over their personal data.

It enshrines data protection and privacy rights for European users, and holds establishments handling their data, wherever they may be, liable for violations.

GDPR has introduced strict regulations and new rights, such as the ‘right to be forgotten’ and the ‘right to data portability’.

This law will directly impact data controllers and data processors.

Non-compliance can lead to huge penalties, as high as 20 million euros or 4% of annual global revenues, whichever is greater.

The law
This EU law came into force on May 25 2018 and provides that consumers, or “data subjects”, have the right to erasure of their data and the right to port their data from one place to another.

It also places a premium on the consumer’s or data subject’s consent to collection and processing of data.

Although the law is being introduced in the EU, its ramifications extend the world over. This is because it is not focused on regulating tech companies as such, but rather on protecting EU citizens and their data, wherever that data is handled.

Impact on India
Indian users of internet-based services or products may continue to use online products and services the way they did. The EU law is not designed to protect citizens outside the European Union.

However, Indian businesses (including non-profits) handling EU user data will have to take a deeper look at the way they collect and use data, or face massive fines.

There are many ways for nonprofits and charities to prepare for GDPR compliance. 

To begin with, nonprofits need to be able to explain how and why they process personal data. They must also be able to explain what data they share with third parties, and who those third parties are.

Nonprofits need to make sure they and their workers, volunteers and representatives don’t contact supporters or donors after they’ve withdrawn their consent or asked the nonprofit not to use their personal data.

Many charities and nonprofit organizations find that the best way to refrain from contacting people on their “do not contact” list is to use a Customer Relationship Management (CRM) system. 

A CRM helps to keep lists organized and can automatically remove individuals who have opted out or revoked their consent. A CRM system works well for organizations that have multiple volunteers working on marketing campaigns, because the CRM updates the lists in real time so every volunteer works from the same record of who may be contacted.

CAP's Advisory
If your NGO has ‘data subjects’ (e.g. those who receive your e-newsletters, regular updates, reports or appeals for donations) in the European Union, Articles 4 and 7 of the GDPR require you (the NGO) to obtain consent from your ‘data subject’ (the recipient of the information) before including them on your mailing list.

Should the ‘data subject’ choose to withdraw consent, or not give it in the first place, you should provide an “Unsubscribe” option and honour it.
