Nonprofit groups, including faith-based organizations, often collect information about members and visitors. Privacy is always a concern when gathering and storing personal data. The concern may be greater now due to the General Data Protection Regulation (GDPR) enacted by the European Union (EU). Why would a law passed in Europe affect your US-based nonprofit group? Communication between organizations and residents of different countries is easier than ever before, but it brings the potential for privacy issues with it.
What is the GDPR?
It’s a set of guidelines passed by the EU in 2018 regarding the gathering and processing of certain information from EU residents. Key features of the GDPR include:
- Telling visitors to a site what information will be collected.
- Notifying people when data breaches occur.
- Assessing a site’s data security, and hiring additional staff if necessary.
- Anonymizing or pseudonymizing data, which means hiding the consumer’s name behind a client number or pseudonym.
Another important component of the GDPR – the “right to be forgotten” – means that users have to give explicit consent for their data to be collected and stored.
Isn’t this just for European-based, for-profit organizations?
GDPR guidelines may affect companies outside Europe, whether for-profit or nonprofit. The key question is whether an organization, wherever it is located, gathers data from EU residents. In fact, GDPR regulations may apply if a resident of the EU simply conducts research on a website or requests a newsletter.
What kind of data does your nonprofit group collect?
While reviewing your nonprofit group’s online activities, you might be surprised at how much information you gather. Privacy laws like the GDPR may affect how you deal with this data.
Generally, personal data is anything related to an identifiable person, including:
- Biographical information: name, nationality, birth date, and family members.
- Contact information: physical address, email address, and phone number.
- Online information: IP address, location, passwords, and email address.
- Payment information: credit card and bank account numbers.
Your group may not collect all of this data. You may not even be aware that your site collects some of it, such as IP addresses and locations.
Will Europe’s GDPR affect your nonprofit group?
It might. Nonprofit groups based in the United States may have to take the following actions to comply with the GDPR:
- Add opt-out boxes to sign-up forms, or include a place where the user can voluntarily choose to opt in.
- Add GDPR-compliant disclaimers or warnings to websites asking visitors’ consent to information-gathering activities.
- Review information technology procedures, especially if related to protecting sensitive personal data.
- Develop new procedures where needed.
- Avoid harsh GDPR penalties by speaking with an attorney who understands the needs of nonprofits.
The Church Law Center of California advises churches and other nonprofits on how to protect themselves from risk while furthering their mission. Call us today at (949) 892-1221 or reach out to us through our contact page.