GDPR Compliance: What International Nonprofits Need to Know
Global nonprofits have a few extra rules to follow. In this article, we share how you can get—and stay!—compliant.
Global charities operating and fundraising in different countries often face unique challenges and stringent rules. One of the most significant requirements is full compliance with the General Data Protection Regulation, or GDPR.
CharityEngine is proud to serve international clients and help them navigate compliance concerns. Our decades of experience serving growing and enterprise nonprofits that operate globally allow us to share our knowledge and help our clients as they strive to make the world a better place.
In this article, we will help nonprofits understand GDPR and its implications for charities and provide guidance on achieving compliance (and keeping it!). Ready?
What is GDPR?
In short, it’s a regulation to protect the personal data of residents of the 27 European Union (EU) countries. It’s designed to give people more control over their personal data and how it’s used. It was also intended to standardize the law across EU member states, making it easier to enforce.
The regulation applies to any organization processing personal data of EU residents, regardless of where the organization is located. CharityEngine is located in the United States, but we must comply with GDPR when serving our international clients.
Key components of GDPR include:
- Seven Data Protection Principles that address the processing of personal data
- Rights of Data Subjects that detail the rights individuals have to control and access their personal data
- Consent for processing personal data must be given (and it must be easy to withdraw)
- Data Protection Officers might be required to oversee the strategy of an organization
- Breach Notifications must be reported within 72 hours
- Penalties for noncompliance are stiff!
- International Data Transfers must adhere to GDPR’s level of protection
The regulation, which came into effect in 2018, applies to any company in the EU and outside companies doing business in the EU or with residents of member states.
GDPR Compliance for Nonprofits
Compliance requires collaboration between CharityEngine and our clients. While we and other fundraising software vendors serving international nonprofits must focus on security, there are specific requirements for charities. Here are some of them:
- Appoint a Data Protection Officer (DPO) if you’re processing large amounts of sensitive data, such as financial and personal data.
- Establish a lawful basis and obtain consent to process personal data.
- Respect data subject rights, including access, correction, and erasure.
- Conduct a Data Protection Impact Assessment when processing involves high risk.
- Maintain detailed records of data processing activities.
- Ensure appropriate safeguards when transferring data across borders.
- Appoint an EU representative if your organization isn’t located in the EU but does business with EU residents.
While this may seem like a lot of work, it protects donors. CharityEngine is PCI-certified and SOC 2-certified, meaning data privacy is always at the forefront of our operations, regardless of where our clients operate. When an additional regulation requires compliance, we immediately address it.
How Nonprofits Can Stay GDPR Compliant
Data security requires ongoing attention, both from your CRM vendor and within your nonprofit. Adhering to best practices will protect donors and keep you compliant.
We recommend the following:
- Understand GDPR compliance. This article covers only a portion of it; many resources offer more details.
- Appoint a DPO if needed.
- Check the credentials of any software vendors you engage. Understand the different levels of certification and work with the companies that have achieved the most rigorous certifications. For example, companies most focused on data security will be certified in PCI, SOC, and ISO 27001.
- Regularly audit your data protection policies. Meet with your team and conduct a data mapping exercise in which you identify and document the personal data you collect, process, store, and share and how that data flows through your organization. The mapping exercise can be repeated periodically as you audit data.
- Review the GDPR compliance list and ensure you’re adhering to the rules.
- Train your staff in data protection principles and practices and ensure they understand the importance of vigilance.
- Stay informed about regulatory changes or updates, both domestic and international. Work with your vendors to stay on top of this.
- Update privacy policies and ensure they’re transparent and easily accessed.
- Always obtain consent from donors for everything, from email communications to processing donations.
- Be prepared for data breaches. While a vendor such as CharityEngine will always be vigilant and stop most fraudulent attacks before they ever reach the payment processor, it’s essential to keep your eye on your systems and raise the alarm if anything seems off. As with any database, working with a trustworthy partner with a proven track record can help, but security, like compliance, is a shared responsibility. Always follow standard security protocols, such as complex passwords and two-factor authentication.
- Keep the data protection conversation going. Charities that speak loudly and often about donor data protection are much more likely to be attractive to prospective donors.
What if you aren’t compliant? The financial punishment can be up to 4% of global annual revenue from the preceding financial year. Beyond that, your charity can risk a reputation hit and damaged donor trust. It’s worth it to continue to monitor compliance!
Having the Right Partner
While CharityEngine was created to make it easier for all nonprofits to raise money and impact the world, we don’t think we’re the right system for every organization. There are plenty of options if you’re shopping!
Do consider which system is the best for your needs as they are today and what you’ll need as you grow. We often recommend evaluating software based on where you want to be in six months or a year because the right system will ensure you get there. While cost is a common consideration, there are other methods of evaluating a partner that are equally, if not more, important.
With the right partner, compliance responsibility is shared, communication is open, and both parties are working toward the same noble goals.
If you are an international charity and would like to discuss GDPR compliance, or if you are any nonprofit looking for a partner to help you grow, contact us or sign up for our newsletter.