The General Data Protection Regulation (GDPR) protects the fundamental rights and freedoms of natural persons, in particular their right to the protection of personal data, and ensures the free movement of personal data within the Union. The regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing itself takes place in the Union or not. As with most European directives and binding regulations, case law and the definitions of the terms used in the GDPR provide further clarity. Such clarity helps to determine whether, and to what extent, the regulation applies to non-profit organizations as well. The territorial scope of the regulation includes the processing and monitoring of personal data relating to the behavior of individuals when that behavior takes place within the Union. As such, GDPR for non-profits relates to the personal data of natural persons within the EEA.
Non-profit organizations are characterized by a combination of collective, public or social motives. The non-distribution constraint means that a non-profit organization's purpose cannot be to benefit financially from potential revenue. Even though most non-profit organizations have a special administrative and fiscal status, most rules and regulations apply to them as well. Most non-profit organizations are funded by voluntary contributions from donors. Fundraising and donor acquisition involve marketing strategies that are often tailored towards individuals.
Due to the scope and nature of their activities, as well as the internal organization of non-profits, regulatory compliance must be effective and efficient at the same time. Efficiency allows the non-profit to allocate adequate administrative and financial resources without wasting valuable time and money. The organization's efforts to comply with the GDPR must be effective in order to ensure compliance and avoid regulatory intervention.
How non-profits comply with the GDPR
The GDPR applies to any enterprise that handles the personal data of individuals. The key data protection principles must therefore be upheld by all non-profit organizations, including charities and political organizations. Since the GDPR applies to non-profits, there must be lawful grounds for processing, and those grounds must be supported by evidence. Accordingly, non-profit organizations are subject to the accountability principle as well. In short, this means that data controllers must be able to demonstrate accountability and hold evidence of their compliance.
Alongside accountability, the GDPR aims to secure lawfulness, fairness and transparency. These principles apply to enterprises that collect, process and control personal data, and protect the natural person whose data is used. Additionally, the collection, controlling and processing of personal data must be accurate and must serve a purpose. Consequently, only personal data that is adequate, relevant and limited to what is necessary to accomplish the purposes for which it is processed may be collected, controlled and processed. Under the storage limitation principle, the purpose of the collection, controlling and processing determines the maximum period for which such data may be stored. Personal data cannot be held longer than it is needed and must be deleted or anonymized afterwards. The final data protection principle, described in Article 5(1)(f), is the integrity and confidentiality of the personal data being processed.
Regulatory compliance can be time consuming when those handling the personal data of natural persons build and maintain their own data protection framework. Therefore, GDPR compliance and data protection software can be the solution for non-profit organizations. GDPR compliance for non-profits can thereby be efficient and effective at the same time, while minimizing time, effort and expenses.
Prevention of Data Breaches and GDPR Violations
The privacy of natural persons must be safeguarded against breaches and other infringements. Regulation is seen as a measure that guides both natural persons and those who collect, process and control their data in protecting the data concerned. The lack of a commercial objective does not exempt non-profits from compliance with the GDPR. As such, non-profit organizations must observe the data protection principles in order to comply with the regulation.
Compliance is one thing, but the prevention of data breaches and GDPR violations is equally important. Non-profit organizations are vulnerable to external abuse and cyber attacks. Appointing a full-time compliance officer for data protection may impose a heavy and uncontrollable financial burden on the organization. Therefore, GDPR compliance for non-profits needs thorough planning.
When Things Go Wrong…
Article 83 of the GDPR sets the maximum administrative fines for breaches and infringements at ten million Euro or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Yet the highest penalties require severe violations, and compliance should not become a witch-hunt.
Violations can be reported, investigated, halted and penalized. Limited breaches are treated differently from extensive and large-scale infringements. Yet prevention is always better than the cure, since valuable time, money and resources are otherwise allocated to repairing the damage. On a side note, reputational damage following a data breach can have a serious impact on non-profit organizations.
When things go wrong, whether this involves a data breach that requires the organization to answer Data Subject Access Requests, maintain breach reports, or discuss the matter with the supervisory authority, appropriate guidance is recommended. In particular when dealing with supervisory authorities there are no second chances, and the organization should avoid penalties and potential liability towards individual data subjects. Therefore, effective and efficient GDPR compliance for non-profits is necessary, and a professional partner is recommended.
Your GDPR partner should help you to comply with the regulation, and in case of a data breach: investigate and reconcile data breaches; inform data subjects and develop a strategy with you; prevent and protect against further breaches; but most importantly, deal with the supervisory authority so you don’t have to.
Start Today: Effective and Efficient GDPR Compliance
All enterprises, and non-profit organizations in particular, should seek a professional balance between the management of an exceptional internal organization on the one hand, and the privacy protection of natural persons and adequate GDPR compliance on the other.