GDPR, Data Protection, and Nonprofits
Nonprofits hold a wealth of personal and financial data. Attackers are increasingly targeting this lucrative nonprofit data with phishing scams and insidious malware. One in four UK charities has reported a cybersecurity breach or attack in the past 12 months. The resulting high-profile data breaches have put nonprofits under the scrutiny of regulatory laws such as the General Data Protection Regulation (GDPR) and its US counterpart, the California Consumer Privacy Act (CCPA). Regulators have fined nonprofits under GDPR for unlawful marketing practices and for wrongfully disclosing data to unauthorized parties. Beyond regulatory laws, data privacy is a key differentiator for customers and benefactors alike.
Here we list the major GDPR principles that apply to nonprofits and discuss ways to protect data from breaches and data loss:
- The Impact of GDPR on Nonprofits
- Key GDPR Articles That Impact Nonprofits, NGOs, and Charities
- GDPR Compliance Pointers for Nonprofits
- Advantages of GDPR Compliance for Nonprofits
The Impact of GDPR on Nonprofits, NGOs, and Charities
To understand the impact of GDPR on nonprofit organizations, we first need to understand why GDPR applies to nonprofits and examine key GDPR articles that affect nonprofits.
Why does GDPR Impact Nonprofits, NGOs, and Charities?
Why does GDPR impact me as a nonprofit? GDPR, which took effect on 25th May 2018, governs the processing of personal data. If your nonprofit offers goods or services to European Union (EU) consumers or businesses, or collects personal information from EU citizens, the GDPR applies to you. This includes any donations you receive from citizens in the EU, or members who live in the EU. If your nonprofit organization fits this criterion, you must comply with GDPR or be subject to significant fines. Infringement of the basic principles for processing personal data is subject to high fines of up to £10 million, or 2-4% of your total worldwide annual turnover, whichever is higher.
GDPR’s obligations apply to both:
Data Controllers (you): The entity that determines the purposes, conditions, and means of the processing of personal data.
Data Processors (your vendors): The entity that processes data on behalf of the Data Controller.
You are thus responsible for the personal data you hold, and you share responsibility for how your vendors handle that personal data.
Key GDPR Articles That Impact Nonprofits, NGOs, and Charities
An overview of some major GDPR articles:
- Article 5: Article 5 lays out seven key principles relating to the processing of personal data.
  - Process data lawfully, fairly and in a transparent manner: “processed lawfully, fairly and in a transparent manner in relation to individuals”.
  - Strictly limit data processing to the initial purpose: “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.”
  - Process data only when absolutely required (data minimisation): “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.”
  - Maintain accuracy of personal data: “accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.”
  - Store data only for the duration required: “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.”
  - Protect data against breaches and losses: “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
  - The onus of compliance rests with you: “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph.”
- Articles 6 and 7: These articles mandate that personal data be processed lawfully and only with the explicit and detailed consent of the data subject.
- Articles 12 to 22: These articles set out the rights of the data subject: to be informed of data collection, to access the data collected, to rectify and/or erase personal data, to port their data, and to restrict processing of their data.
- Articles 24 to 43: These articles detail the required data protection measures, such as building data protection by design and by default into product/service/solution design and business workflows.
- Article 32: This article of the GDPR requires that organizations “have the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident”.
GDPR Compliance Pointers for Nonprofits
Complying with GDPR goes far beyond cookie opt-ins on your website. It involves a department-wide understanding of the impact of GDPR and requires both technical and legal implementations. Here are some key pointers to help your charity/nonprofit comply with GDPR:
- Get buy-in from stakeholders and trustee boards on GDPR compliance.
- Re-examine your website, processes, products, services, and tools through the lens of GDPR.
- Map your data processes. Store or process user data only when and if required: the most secure data is no data. Identify the data you hold and the data you actually need to process/store. Document your ‘lawful basis’ for processing/storing that data.
- Update privacy notices, and add opt-ins and explicit cookie consents that explain, in plain language, the purpose of your cookies and trackers.
- GDPR takes a particularly stern view of how the data of minors (under 16 years old) is processed. Tusla, a child welfare agency, was fined twice under the GDPR for wrongly disclosing minors’ data to unauthorized parties.
- Review and update employee, customer, benefactor and supplier contracts. Update privacy policies.
- Even if a third-party vendor and/or Cloud Service Provider (CSP) processes your data, you still share the responsibility for its protection. The recent Blackbaud breach showed how nonprofit data breaches can originate with a data processing vendor. Check that you have a written agreement in place with your vendors. Choose vendors that provide “sufficient guarantees” and carry out due diligence in accordance with GDPR standards. Verify that your CSP/MSP is compliant and secure.
- Verify that data transfers outside the EU are compliant with GDPR requirements. These include vendor data centers.
- Conduct a Data Privacy Impact Assessment (DPIA) and continuously improve ways of obtaining consent for collecting data.
- Enlist a resource/team to monitor your security processes and data protection mechanisms. Some organizations will require a dedicated Data Protection Officer (DPO).
- Fundraising is heavily data-dependent, and the use of personal data for fundraising has been under considerable public and media scrutiny. Recently, a group of academics and privacy campaigners wrote an open letter asking charities to remove advertising trackers from their most sensitive pages to avoid hefty fines. The group, ProPrivacy, estimated that combined fines for these data protection breaches could reach between £707m and £1.4bn.
- Document your data protection processes and invest in tools to protect personal data and safeguard customer privacy. The GDPR looks favorably on demonstrable compliance and gives concessions for efforts taken. Formulate an incident response procedure that includes an impact analysis and a Business Continuity and Disaster Recovery Plan that can contain the damage and help you recover from it.
- Set up processes to detect and report both internal and external data breaches. Early reporting is central to minimizing damage and reducing fines.
- Here are some useful resources from the Information Commissioner’s Office (ICO) and the Charity Finance Group.
Advantages of GDPR Compliance for Nonprofits
At the core of GDPR is an honest effort to protect customer data and shield privacy. This is in keeping with the express demands of today’s digitally savvy users, who are increasingly concerned about protecting their personal data. Complying with the GDPR builds trust with your benefactors, donors, and stakeholders. It can improve your NGO, charity or nonprofit’s rapport with a wide variety of stakeholders and build an atmosphere of respect and transparency. With data privacy emerging as a central data protection trend of 2021, adhering to the high data privacy standards of GDPR can be your nonprofit’s differentiator.
Ensure Demonstrable Recovery, a GDPR Mandate, With CloudAlly Backup…
Your donors, stakeholders, employees, and benefactors trust you to safeguard their personal data. But did you know that SaaS data on platforms such as Google Workspace (formerly G Suite), Salesforce, Microsoft 365 (formerly Office 365), Dropbox, and Box is vulnerable to data loss due to malware, ransomware, human or malicious error, and sync issues? This is why Article 32 of the GDPR states that organizations should “have the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident”. Eliminate the risk of data loss, guarantee business continuity, and ensure compliance with CloudAlly SaaS backup for Nonprofits: cloud-to-cloud, automated, fully encrypted backups on stringently secured AWS servers with unlimited storage and point-in-time recovery.
…At a Special Price Just for Nonprofits, Charities, and NGOs
We highly value your invaluable contribution to society. Don’t let the stress of data loss, damage to your charity’s reputation, and loss of customer trust hamper your noble goals. Secure all your SaaS data at a special price with our top-rated, secure backup solutions. Just for Nonprofits!