The General Data Protection Regulation (GDPR) came into effect on 25 May 2018. If your non-profit organisation has directors, employees, grantors, donors or a means of marketing, you are most definitely subject to the requirements of the GDPR. Compliance with GDPR is not only important in terms of respecting data subjects’ rights, or to avoid fines of up to €20 million or 4% of the organisation’s annual turnover, but also to maintain the trust of donors, stakeholders and those to whom you provide a service.
The impacts of GDPR for non-profit organisations relate primarily to data held about your service users, your donors, and your staff or volunteers. Each of these groups has different privacy requirements, which must be accommodated in your data handling processes and data protection measures.
Service users that your organisation works with may include children, vulnerable adults or individuals in a time of some need. The personal data you collect about these service users – depending on the services you provide – may include sensitive personal information (now known as special categories of data under GDPR). These special categories of data extend beyond traditional personal data elements such as name, address, phone number, etc., and include information which could potentially be used to discriminate against someone, such as their ethnicity, racial origin, medical history, disability status, sexual preference or criminal history. Often this information is a vital part of the services you provide, or the use of your services may heavily imply such information about an individual.
Donors are key to most not-for-profit organisations. In order to maintain their trust and support, good data protection practices are required. In particular, you must determine how you contact donors and the lawful basis for doing so. GDPR and the ePrivacy Directive allow for donor contact with their consent, or as a legitimate interest where the data subjects have previously donated to and supported your organisation. Documentation of this lawful basis is a key part of maintaining compliance. You must also avoid sharing personal data without the appropriate controls.
The personal data of your volunteers and staff must similarly be protected and safeguarded, in particular as relates to their own special categories of data. Volunteers and staff must be trained in data protection measures, in particular in data breach management and the handling of data subject rights requests. Only through appropriate documentation, training and ongoing oversight can your organisation become compliant with the GDPR’s requirements and remain so in the future.