The General Data Protection Regulation (GDPR) is a privacy regulation of the European Union (EU) that went into effect in May 2018. It was created to strengthen the protection of personal data belonging to individuals in the EU (commonly, if loosely, described as EU citizens) and to require that every organization controlling or processing such data does so in a secure and transparent manner.
GDPR applies to non-EU businesses and nonprofits just the same. Any organization that has collected the personal data of individuals in the EU, whether they are employees, donors, volunteers, or beneficiaries, is affected and is responsible for its own GDPR compliance.
The UK Information Commissioner’s Office (ICO) notes that nonprofits can act as ‘data controllers’ and as ‘data processors’, and are therefore subject to GDPR compliance in several ways, which may include:
Similarly, individual fundraisers also need to be educated about GDPR, since they may be acting as data controllers when they collect supporter data while fundraising on behalf of a nonprofit. If you have a current or upcoming peer-to-peer campaign, it is your responsibility to inform your fundraisers and ensure that their processes are compliant as well.
For your nonprofit to be compliant with GDPR, you must be transparent and meticulous in how you collect and process personal data. This applies to the data of employees, volunteers, donors, and supporters: anyone from whom your nonprofit collects personal information. Organizations must have a written policy and procedure for how they handle personal data and must abide by the GDPR data protection principles.
The legislation also requires compliance with the data protection principles set out in Article 5 of the GDPR, which are listed below.
Nonprofits are still allowed to use marketing tactics to promote, fundraise, and engage with donors, but each processing activity must rest on one of the six lawful bases defined in the GDPR.
The following list is taken from the GDPR and Charitable Fundraising Introduction guide. As that guide states them, the six lawful bases are:
No single piece of software can by itself ensure GDPR compliance, because compliance is a combination of organizational practices and data architecture across the whole organization.
Virtuous fully supports GDPR compliance within the scope of our application (as laid out in our Terms and Conditions) and is dedicated to the privacy and security of our customers’ data. Because Virtuous is also HIPAA compliant, our policies around PII encryption and protection typically go well beyond the baseline requirements of GDPR.
The following list outlines common practices and concerns around GDPR, and how Virtuous helps organizations work toward GDPR compliance.
Every Virtuous customer has unique needs around GDPR; there is no one-size-fits-all approach to compliance within an organization. In some cases, GDPR obligations may even conflict with IRS guidelines or with your Donor Bill of Rights. Virtuous can work with customers during implementation to ensure that the practices and data collection patterns in place at your organization adhere to GDPR where it applies.