The EU GDPR: What Your US Organization Needs to Know
The European Union General Data Protection Regulation (GDPR) is a set of comprehensive regulations governing the processing of personal information of individuals across Europe. Going into effect on May 25, 2018, the GDPR’s sweeping regulations will greatly expand the applicability of the laws currently in place. The GDPR will apply to all organizations that process personal data of individuals located in the EU, regardless of whether the processing takes place in the EU, so US organizations that could be subject to the GDPR should begin taking steps towards compliance.
Personal Data
The GDPR is based on 8 principles of good information handling, designed to better protect individuals in a world where information can be stored, moved, used, and misused with increasing speed and facility. “Personal data” under the GDPR goes beyond similar terms in the US and includes:
- Names
- Addresses
- Social Security numbers
- Photos
- Email addresses
- Banking information
- Social media posts
- Medical information
- IP addresses
The GDPR also expands consumer rights regarding their personal data, including the right to be informed, access information, correct errors, erase data, restrict processing, and the right to move or copy personal information from one source to another.
Penalties for Non-Compliance
Organizations in breach of the GDPR may face heavy fines under a tiered approach, ranging from:
- Up to 2% of annual global turnover, or €10 Million – whichever is higher – for lower penalty tier breaches, such as failing to keep records in order, failing to notify the supervising authority and data subject of a security breach, or failing to conduct impact assessments; or
- Up to 4% of annual global turnover, or a maximum of €20 Million – whichever is higher – for higher penalty tier breaches, such as serious infringements involving an individual’s privacy rights, including insufficient consent to process data or a breach of international transfer requirements.
A range of other sanctions may also be enforced against organizations that fail to comply with the GDPR, including warnings and reprimands, bans on data processing, orders for data to be restricted or erased, or the suspension of data transfers to third countries.
Enforcement
Each EU member state shall establish a public authority to apply and enforce the GDPR. Though the extra territorial nature of the GDPR also has entities on both sides of the Atlantic questioning its reach, given no US-EU civil enforcement mechanisms for the GDPR have been negotiated, US entities having a physical presence in the EU are subject to enforcement, and even US entities with no physical presence should prepare for compliance in the event such enforcement mechanisms are put in place.
Applicability to Nonprofit Organizations
The GDPR applies to all organizations that process personal data in the EU, including nonprofit organizations. The regulations explain that “direct marketing” includes promoting an organization’s aims and ideals. Thus, the direct marketing rules apply to the promotional and fundraising activities of nonprofits
Specifically, a charity contacting individuals to appeal for funds, or to attend a meeting, would be covered by the direct marketing rules. Nonprofit organizations should ensure processing for marketing or fundraising purposes is compliant with the GDPR and should take particular care when communicating by text or email, since such communication requires specific consent, even to existing supporters.
Affirmative Consent for Email Marketing
Compliance with the GDPR begins with identifying a legal basis for processing data, depending on the purpose for the data and the relationship with the individual. For help in determining a basis, the UK Information Commissioner’s Office (ICO) created a lawful basis interactive guidance tool.
For email marketing, consent is most often the appropriate basis. Consent under the GDPR is not simply a general or implied consent, but requires positive affirmation from the data subject prior to processing their personal information. Thus, the data subject must demonstrate their specific and explicit consent by an unambiguous positive action.
Requests for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to the consent. The request should be clear and distinguishable from other terms and conditions, using clear and plain language. It must also be as easy to withdraw consent as it is to give it.
Notably, silence, pre-ticked boxes, or inactivity are not sufficient consent under the GDPR. For example, it would not be sufficient to email your existing database the information to bring their consent up to GDPR standards, while merely giving the option to withdraw consent.
A limited exception to the consent requirement, known as the “soft opt-in,” may be available to nonprofits, but only for any commercial products or services offered. To trigger this exception, a sale or negotiation for sale must take place. Moreover, nonprofits may not rely on this exception when sending promotional or fundraising communications, even to existing supporters. Any communication promoting the aims or ideals of the organization requires specific consent.
Next Steps
On May 25, 2018, all organizations, including US nonprofits, that process personal information of European individuals, will need to comply with the GDPR or face heavy penalties. Begin taking steps today to ensure your organization properly obtains, manages, and stores personal data. Please let us know if we can assist you as you navigate these new regulations.