Through an arrangement with TechSoup, PND is pleased to offer a series of articles about the effective use of technology by nonprofits.
It's been six months since the most sweeping and stringent privacy regulations anywhere in the world were implemented in Europe. Now what?
It's a good time to review which aspects of the General Data Protection Regulation (GDPR) may affect U.S. nonprofits.
Built on already existing legislation, GDPR has three important areas of emphasis. They are as follows:
- Enhancing the rights of citizens to control who has access to their data and what they can do with it while they have it, including the infamous "right to be forgotten." This right provides the citizen, in certain circumstances, the right to insist that data be deleted. It's been made clear that, in Europe, personal data belongs to the citizen to whom it relates.
- Introducing a clear accountability principle. It is no longer good enough to say that you are in compliance. Organizations must now have clear documentary evidence of decisions they have made regarding their collection and use of personal data, such as the appropriate legal basis under which they are operating. There must also be a clear audit trail of rights provided for personal data, when these were given (or retracted), and how they were discharged. There are many other areas that also now require mandatory documentation. These include the assessment of risks to personal data through its collection and processing. They also include evidence of reconsideration of these risks when an organization makes any changes to these processes.
- Strengthening the penalty regime for noncompliance with the legislation. In the most serious circumstances, organizations can now be fined up to 4 percent of their worldwide revenues. We have yet to see any significant fines levied. However, a complaint has been lodged by an activist group against Google and Facebook that could, in theory, result in fines of $9.3 billion. And there are other actions available to regulators that may hurt organizations just as much, if not more. These actions include the ability to demand that an organization stop processing personal data entirely.
Additionally, the EU made the legislation "extraterritorial" in nature. Extraterritorial means that, in theory, the regulatory requirements extend to any organization anywhere in the world that is processing the data of EU citizens.
Let's look at some of the more common questions I am asked about GDPR in the U.S.
1. I'm a U.S.-based organization that doesn't work with anyone in the EU. Should I care about GDPR?
Are you really sure you hold no data on any EU citizens, including those who may have signed up to your service or organization while they were in the U.S.? If so, then no, there would not be a direct requirement for you to comply with GDPR. However, if you have not done so recently, I would encourage you to perform a thorough review of the data you hold, where it's from, and how it's processed.
The underlying philosophy behind GDPR is that citizens control their own assets — in this case, their personal data. Much of what is contained in GDPR is aimed at clarifying those rights and encouraging (and ultimately, forcing) organizations to honor and respect those rights. There are many countries around the world that have either recently implemented similar privacy legislation or that plan to. If you have any international operations, then you should ensure that you do a thorough review of existing and upcoming privacy regulations in those countries that are relevant to you.
There are already specific pieces of U.S. legislation in relation to data privacy in the financial (Gramm-Leach-Bliley) and medical (HIPAA) sectors. There's also the newly passed California Consumer Privacy Act, which is similar to GDPR in its approach and provisions. That law is due to come into effect on January 1, 2020 (although nonprofits are exempt from it).
2. I'm a U.S.-based organization that DOES work with EU citizens. Can I still send my newsletter?
Yes, but there are some things you'll need to consider. If you are sending a purely informational newsletter, then there is less to consider. That's because you are probably operating under the "legitimate interests" basis.
However, if you are using the newsletter to also market your services, or those of other organizations, then you will need to gain consent to continue to do this. The definition of marketing would include any sort of promotional material, for example, promoting the aims of a nonprofit, and in particular, any campaigning or fundraising messages.
First, you should always provide a clear notice to the newsletter subscriber explaining who you are, what type of information you collect and hold, and what you'll be using it for. You should also provide clear details of any other organization with which you might share the subscriber's details.
You must also indicate clearly if the subscriber's data is being stored or processed in a country outside the EU. Plus, you must explain the risks in doing so and how you plan to protect that data according to a standard aligned with standards existing in the EU.
Next, you'll need to obtain consent from subscribers to your newsletter and document that consent in a formal record. The consent given should be intentional, clear, and specific. And it should be in the form of a positive opt-in, made through an unambiguous affirmative action. You cannot use pre-checked boxes or any other method of consent by default. If you have not previously gained consent as mandated by GDPR, then you should ask your subscribers to reconfirm their consent. You could do this the next time you issue an edition of the newsletter. However, be aware that you cannot assume consent from a "non-reply" to the request.
In addition to gaining the appropriate consent, you must also provide subscribers with a clear opt-out (or unsubscribe) process. And, of course, you must record any such requests and honor them within twenty-eight days.
You should also make sure that you keep your subscriber list and your consent records up to date. Plus, you must have a formal process for ensuring that subscribers' marketing preferences are honored at all times.
Lastly, you need to make consent to marketing a necessary condition for receiving the newsletter and clearly document and demonstrate how that consent was freely given and why it was necessary to couple your marketing efforts and the newsletter together.
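The consent steps above (positive opt-in only, a formal and dated record of what was consented to, an opt-out that is recorded and honored within twenty-eight days, and a list kept in step with those records) can be modelled as an append-only consent ledger. The following is an added illustration, not code from the article or from TechSoup; the class, field and purpose names ("newsletter", "marketing") and the sample subscribers are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical consent ledger for a newsletter; names and structure are this
# example's own assumptions, not anything prescribed by GDPR or the article.

OPT_IN, WITHDRAW, HONORED = "opt_in", "withdraw", "withdrawal_honored"
DAY = timedelta(days=1)


@dataclass(frozen=True)
class ConsentEvent:
    subscriber: str   # e.g. an e-mail address
    purpose: str      # "newsletter", "marketing", or e.g. "share:<partner>"
    action: str       # OPT_IN, WITHDRAW or HONORED
    at: datetime      # timezone-aware timestamp of the event
    source: str       # where it came from, e.g. "signup-form-v3", "unsubscribe-link"
    evidence: str     # the notice or form wording the subscriber acted on


class ConsentLedger:
    """Append-only record of consent decisions: events are added, never edited,
    so the list itself is the audit trail the accountability principle asks for."""

    def __init__(self):
        self._events = []

    def record_opt_in(self, subscriber, purpose, at, source, evidence, affirmative):
        # Consent must be an unambiguous affirmative action. A pre-checked box,
        # a non-reply or an inferred default is not consent and is never written.
        if not affirmative:
            raise ValueError("consent must be a positive opt-in, not a default")
        if not evidence.strip():
            raise ValueError("record what the subscriber was told when consenting")
        self._events.append(ConsentEvent(subscriber, purpose, OPT_IN, at, source, evidence))

    def record_withdrawal(self, subscriber, purpose, at, source):
        self._events.append(ConsentEvent(subscriber, purpose, WITHDRAW, at, source, ""))

    def record_honored(self, subscriber, purpose, at, source):
        # Marks that the withdrawal was actually actioned (e.g. removed from the list).
        self._events.append(ConsentEvent(subscriber, purpose, HONORED, at, source, ""))

    def has_consent(self, subscriber, purpose):
        # The most recent opt-in/withdraw decision for this purpose wins.
        for ev in reversed(self._events):
            if ev.subscriber == subscriber and ev.purpose == purpose and ev.action in (OPT_IN, WITHDRAW):
                return ev.action == OPT_IN
        return False

    def history(self, subscriber):
        # Everything recorded about one subscriber, in order: the record to show
        # on a subject-access request or to a regulator.
        return [ev for ev in self._events if ev.subscriber == subscriber]

    def overdue_withdrawals(self, now, sla_days=28):
        # Withdrawals not honored within the deadline: still unactioned past it,
        # or actioned late. Returns (subscriber, purpose, deadline) tuples.
        overdue = []
        for i, ev in enumerate(self._events):
            if ev.action != WITHDRAW:
                continue
            deadline = ev.at + sla_days * DAY
            honored_at = next((h.at for h in self._events[i + 1:]
                               if h.subscriber == ev.subscriber
                               and h.purpose == ev.purpose and h.action == HONORED), None)
            if (honored_at is None and now > deadline) or (honored_at is not None and honored_at > deadline):
                overdue.append((ev.subscriber, ev.purpose, deadline))
        return overdue


def may_send(ledger, subscriber, includes_marketing):
    """Gate for an outgoing edition: a purely informational newsletter needs only
    the subscription itself; anything promotional also needs live marketing consent."""
    if not ledger.has_consent(subscriber, "newsletter"):
        return False
    return ledger.has_consent(subscriber, "marketing") if includes_marketing else True


def demo():
    # Constructed sample data for illustration only.
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.record_opt_in("anna@example.eu", "newsletter", t0, "signup-form-v3",
                         "Receive the monthly newsletter from Example Nonprofit", affirmative=True)
    ledger.record_opt_in("anna@example.eu", "marketing", t0, "signup-form-v3",
                         "Also receive fundraising appeals from Example Nonprofit", affirmative=True)
    ledger.record_withdrawal("anna@example.eu", "marketing", t0 + 40 * DAY, "unsubscribe-link")
    ledger.record_honored("anna@example.eu", "marketing", t0 + 41 * DAY, "list-manager")
    ledger.record_opt_in("ben@example.eu", "newsletter", t0, "signup-form-v3",
                         "Receive the monthly newsletter from Example Nonprofit", affirmative=True)
    ledger.record_withdrawal("ben@example.eu", "newsletter", t0 + 10 * DAY, "unsubscribe-link")
    return ledger, t0


if __name__ == "__main__":
    ledger, t0 = demo()
    print(may_send(ledger, "anna@example.eu", includes_marketing=True))   # False: marketing withdrawn
    print(ledger.overdue_withdrawals(now=t0 + 50 * DAY))                  # Ben's unactioned unsubscribe
```

Two design choices carry the article's points: the opt-in path refuses to write anything that is not an affirmative action with recorded wording, so a "consent by default" cannot enter the ledger at all, and the `overdue_withdrawals` check is what a periodic job would run to catch an unsubscribe that was recorded but never actioned inside the twenty-eight-day window.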
3. I've got EU citizen data on U.S. servers. Is that okay?
It depends. The U.S. is not considered to be an "adequate" country for the transmission of personal data from the EU. That's largely because there is no overarching law in the U.S. which guarantees that U.S. citizens are provided with the same rights and protections as are citizens of the EU under GDPR.
There is currently an agreement between the EU and the U.S. called the Privacy Shield agreement. It allows personal data to be transferred between countries without specific consent when organizations sign up and comply with its requirements. However, it does not apply to nonprofits.
Because of this, you will be required to gain specific consent from EU citizens for their personal data to be transferred to the U.S. This action has to be coupled with clear notification of the transfer and must indicate how you intend to protect the data in the same way as is required in the EU. You also have to provide EU citizens with the right to withdraw their consent at any time.
4. Can I share EU citizen data with partners?
Yes, but only if the fact you are doing so is made clear to EU citizens at the time they provide their data and they consent to it (i.e., you need to make it clear exactly which organizations are receiving the data and what they intend to do with it). It is not acceptable to indicate broad categories of organization.
You must also provide EU citizens with the right to withdraw their consent to your data-sharing arrangements at any time. Importantly, if your partner organizations intend to do any direct marketing of their own, they will need to obtain consent directly from the individuals concerned (i.e., they cannot rely on third-party consent).
You will also need to put in place a formal data-sharing agreement between you and your partners. This agreement should clearly indicate the nature of your relationship and your respective roles in the processing of the data. There are specific legal considerations in putting these contracts together and the statutory responsibilities and liabilities of each party, so be sure that a qualified lawyer has taken a look at them before they are implemented.
Giles Watkins has spent thirty years in consulting, including more than twenty years at Ernst & Young. At EY, he founded and led the firm's global technology due diligence practice, sat on the board of its technology risk practice, and led its UK Privacy practice. In 2010, he set up his own boutique consulting firm, which he subsequently sold to KPMG. He currently serves on the boards of several startups, both in the US and the UK, as well as on the ISO Standards Committee for Blockchain and Distributed Ledger Technology. He is, in addition, a board member of the Distributed Ledger Foundation and the UK country leader for the International Association of Privacy Professionals.
This work is published under a Creative Commons Attribution-NonCommercial-NoDerivs 4.0 International License.