Why nonprofit organizations should prepare for the General Data Protection Regulation


GDPR—the General Data Protection Regulation is here. After two years, this European regulation goes into effect Friday, May 25. Here are a few observations about GDPR from our perch as in-house counsel to an international non-profit organization that lacks a physical presence in the EU:

  • It’s not about us
  • No one is ready
  • Doing nothing is not a good option
  • It’s going to be OK

European regulators were not thinking about Brookings or organizations like us in developing GDPR. The primary targets in their cross-hairs were social media companies and cloud service providers in the business of data collection. Nonetheless, the broad scope of the rules captures almost anyone who touches data originating in the European Union or belonging to an EU citizen. Whether we like it or not, non-profit organizations from Brookings and other think tanks to traditional charities like the March of Dimes and the Red Cross have to comply with GDPR.

To say no one is ready is likely an exaggeration. Many large, highly regulated organizations with businesses that are dependent on data—think health care, banking, retail—have invested millions to become GDPR compliant. However, anecdotal evidence suggests that some non-profits, particularly smaller organizations with small or non-existent legal teams, may be taking a “wait-and-see” approach. While this is not a tack we’d advise, it is not completely irrational either.

As already noted, nonprofits probably weren’t top of mind for European regulators. It’s going to take some time for most EU countries to establish the regulatory infrastructure to enforce GDPR, and we would be surprised if nonprofit organizations outside of the digital or social media space were regulators’ first targets. Regardless of these rationales, the potential price of becoming a test case is high. Further, an equivalent to a private right of action exists under GDPR that permits nonprofits to sue in the public interest. Like regulatory regimes everywhere, enforcement action in response to complaints is likely. It just takes one disgruntled person to complain.

So what is a resource-constrained nonprofit to do? Our answer: as much as you can, within commercially reasonable parameters. The biggest hurdle many companies and organizations face is simply knowing what data they have and where it is. Answering this threshold question is a prerequisite for compliance, but it is not as straightforward as it may seem. Sure, most of us know what information we collect on users visiting our websites, from donors, and in our customer relationship management systems. But what about information kept in “personal” Outlook contact lists or spreadsheets?

Because GDPR requires organizations to be able to identify and erase data, it is not enough to delete someone’s data from “official” repositories if they ask. To be completely compliant, you should also delete the data of someone requesting erasure from any systems your organization controls. This brings us to another important point: a cursory review of GDPR’s requirements makes it obvious that achieving compliance requires working across organizational functions and with third-party vendors who may provide services to your organization using your data.

In our case, we are taking the approach that wherever possible anyone visiting our website or “doing business” with us, regardless of where they come from, will be protected as required by GDPR. The communications team that runs our website, our chief information officer, and our legal team are all working together to tackle the various items we have prioritized in order to become compliant. Seeking informed consent for various uses of data by visitors to our website is just one example. But everyone in the organization will have a role to play, even if it is as minor as deleting information found in their Outlook contact lists when an individual requests that we do so. In order to play that role, they will need to know enough about GDPR to be sensitive to the issues and to know whom to contact if they have questions. So for decentralized, matrixed organizations like ours, educating our community will become an increasingly big part of the compliance plan.