KPM


How The European Union’s (EU) Data Protection Regulations Might Affect U.S. Non-Profits

Your non-profit may have paid little attention to the EU’s General Data Protection Regulation (GDPR), which took effect May 25, 2018. The GDPR revises standards for privacy rights, information security, and compliance in the EU. Yet it also might apply to U.S.-based organizations, such as your non-profit.

Big steps beyond

GDPR requirements are comprehensive and go far beyond existing U.S. privacy standards. They address:

  • Data security & data governance
  • Consent to processing
  • Mandatory breach notification
  • Access to personal data & data erasure (the right to be ‘forgotten’)
  • Data portability
  • Cross-border data transfers

Organizations must notify the appropriate EU authority within 72 hours after becoming aware of a data breach. By contrast, U.S. states’ breach notification laws require notification “without unreasonable delay,” with the shortest timing at 30 days, while the Health Insurance Portability and Accountability Act (HIPAA) allows 60 days.

The regulations define ‘personal data’ broadly to include such identifiers as name, address, Social Security or tax identification number, and email address. Location data and online identifiers such as cookies or IP addresses also are considered personal data.

Notably, GDPR rules apply to entities outside the EU that process or hold the personal data of ‘data subjects’ who are physically in the EU. It does not matter where the processing takes place or whether the subjects are EU residents.

Rights of individuals

To comply with the GDPR, your non-profit must obtain consent from individuals to collect their personal data. This means the person takes affirmative action, such as clicking on an “I agree” statement, and the personal data you already possess is not “grandfathered in.” You must obtain consent on that data or purge it completely from your systems (including employees’ spreadsheets and Outlook contact lists).

You also must disclose to individuals the data you collect on them upon request, so you will need to keep close track of such information. And if individuals ask to be forgotten, you must delete all of their data or anonymize it.

Proceed with caution

A serious violation of the GDPR can bring a penalty as high as 20 million euros (about $23 million) or four percent of the violator’s annual revenue. Questions remain about enforcement in the U.S., but that is no excuse not to abide by the rules and develop a compliance plan now. Contact us if you have questions.
