Nonprofits in the United States may think that because the vast majority of their donors are in the U.S., the General Data Protection Regulation that went into effect in May doesn’t apply to them. The GDPR is a European Union law, but it does have ramifications for organizations here.
Tal Frankfurt, founder and CEO of Cloud for Good, says that even though U.S. nonprofits may not have any donors from the EU, it’s possible that EU citizens may have done some research on their website or signed up for an e-newsletter.
“It doesn’t have to be donor information,” Frankfurt says. “If a U.S. nonprofit stores any information about an EU resident, that EU resident has rights under GDPR.”
Karl Hedstrom, IT director at the Nonprofit Technology Enterprise Network, an organization that works with nonprofits to improve their technology, says that as GDPR is deployed across the world, donors will grow to expect that U.S.-based nonprofits will comply. “Nonprofits will want to stay in the good graces of the donors,” he says.
Based on interviews with Frankfurt and Hedstrom, here are five GDPR tips for nonprofits.
1. Create Awareness of GDPR Among Your Nonprofit Staff
Get started, Frankfurt recommends, by bringing staff together to explain the basics of GDPR. Leaders should explain how the organization’s security and privacy policies need to change and make sure people leave the meeting understanding that they are responsible for protecting the client’s data.
2. Review Privacy Policies That May Affect Nonprofit Donors
Take a look at how the organization explains its privacy policies on its website and e-newsletter. The organization should develop a clear opt-in policy and use clear language about the cookies it collects when users visit the website or apply to receive the e-newsletter. Many of the recent cookie notices that users may have seen as they browse websites are a response to comply with GDPR.
3. Decide How the Nonprofit Will Anonymize Data
Under GDPR, clients have what’s known as “the right to be forgotten,” which means that if a client asks for anonymity, the organization must delete or “anonymize” the data. NTEN’s Hedstrom says many organizations will choose to anonymize data, which in most cases will mean they will assign a number to a client as opposed to retaining their name in the database. With this approach, the nonprofit still has access to transaction data but the donor stays anonymous.
4. Rethink How the Organization Manages Its Systems
Cloud for Good’s Frankfurt says that when nonprofits do start to anonymize data, many will have a major challenge ahead of them. Many organizations have separate systems for the newsletter, online donations, a donor management system, program management and even volunteer management, he says. When a client asks to anonymize data, the nonprofit might have to execute the request multiple times. As a result, Frankfurt encourages nonprofits to use GDPR as an opportunity to integrate these disparate systems. Moving forward, staffers won’t have to look in different places for information about a donor, and the integration will make it easier for organizations to comply when donors request to be forgotten.
5. Look at GDPR as an Opportunity, Not an Obstacle
Cloud for Good’s Frankfurt says that U.S. nonprofits should see GDPR as an opportunity to revamp how the organization handles data and privacy. It can also present a valuable opportunity to re-engage with donors the nonprofit hasn’t had contact with in a long time, he says. Nonprofits should send out an email to donors on their list explaining their rights under GDPR and finish by asking them how the organization can more effectively serve them.