Insights
Publications

Europe’s New Data Law Went Into Effect on May 25 – Is Your Nonprofit GDPR Compliant?

6/4/2018 Articles

Does your organization collect personal data such as names, email addresses or other personally identifying information as part of its activities, or contract with a third party to do so?  If not, then it may be possible that Europe’s new data law does not apply to you.

But if your organization keeps mailing lists, distributes a newsletter, fundraises, sells products directly or indirectly, or has employees or program activities, and any of those reaches residents in Europe, then it is time to hit the pause button and make sure your organization has fulfilled its obligations to properly protect that information and obtain the appropriate consents required under GDPR.

What is GDPR?

The General Data Protection Regulation (“GDPR”), which became effective on May 25, 2018, was designed to enable individuals to better control their personal data, to know who stores, processes, and has access to their data, and even to request access to or deletion of it.  GDPR applies to certain kinds of data inside the European Union, Liechtenstein, Norway and Iceland (the “EEA”), but also to data that flows outside of the EEA involving persons from the EEA.  Thus, U.S.-based organizations may be subject to the law.  GDPR requires enhanced security, data protection, appropriate technical and organizational measures, transparency, record keeping, and accountability.  It also requires a 72-hour personal data breach notification to authorities.  

“Personal data” is broadly defined to include any information relating to an identified or identifiable natural person, including their name, address, social security number, email address, banking information, medical information, or IP address.  It also extends to online identifiers specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a person. 

GDPR requires that organizations holding protected personal data, whether nonprofit or for-profit, in the EEA or elsewhere, must have a lawful basis for processing personal data, including for example, with the individual’s consent, in order to perform a contract, to comply with legal obligations, or for the legitimate interests of the organization. Because GDPR does not grandfather in personal data collected prior to its enforcement, processing of previously collected personal data may continue only if the manner by which such data was collected would have complied with GDPR in the first place.  Thus, where processing of data was based on consent, the consent obtained must meet the standard required by GDPR. 

The Consent Standard:

GDPR requires that consent be freely given, specific, informed, and unambiguous, requiring a statement or clear affirmative action.  The UK’s Information Commissioner’s Office suggests that, to meet the consent standard under GDPR, the affected organization should:

  • not use pre-ticked boxes, opt-out boxes or any other method of default consent;
  • be clear on why your nonprofit wants the data and what your nonprofit will do with it;
  • name any third parties who will rely on the consent;
  • make it easy for people to withdraw consent and tell them how (e.g., unsubscribe links in every email/newsletter);
  • keep evidence of consent – who, when, how, and what your nonprofit told people; and
  • avoid making consent a precondition of a service.

How to comply with GDPR:

An organization must first determine whether its activities bring it within the scope of the GDPR, and then identify staff members with the most knowledge about what personal data is received from individuals in the EEA and how it is being used.  Next, prepare a plan of action to identify what internal and external policies need to be revised or adopted (e.g., privacy policy), which agreements need to be amended (e.g., commercial fundraisers, vendors), and any other steps that need to be taken to comply with GDPR, such as acquiring new consents from individuals in the EEA and establishing procedures for ensuring that donors are only contacted when they’ve consented and have not withdrawn consent. 

For many nonprofits, achieving compliance may be as simple as updating their privacy policy and submitting an email to obtain consent for future processing of personal data.  For others, it may require an enterprise-wide review of its employees, activities, and corresponding contractual obligations.  Failure to comply with GDPR could result in significant penalties and could also lead to adverse publicity and lost trust of donors, grantors, and others in the community. 

 

Firm Highlights

News

Housing Action Coalition and Farella Braun + Martel File Lawsuit Challenging the City of San Mateo’s Housing Element

Today, the Housing Action Coalition (HAC) and Farella Braun + Martel LLP filed a lawsuit against the City of San Mateo, challenging its recently adopted Housing Element in order to make the city comply with...

Read More
News

San Mateo signed off on its housing element this week. It's already facing a lawsuit.

Farella's Tom Mayhew, CJ Higley, Daniel Contreras, Vanessa Ing, and Alyssa Netto were mentioned in the Daily Journal article "San Mateo signed off on its housing element this week. It's already facing a lawsuit."...

Read More
Event

Clean Repowering: How to Capitalize on Fossil Grid Connections to Unlock Clean Energy Growth

Farella’s Linda Gilleran and Chris Rendall-Jackson and Rocky Mountain Institute’s (RMI) Uday Varadarajan are presenting the session “Clean Repowering: How to Capitalize on Fossil Grid Connections to Unlock Clean Energy Growth” at the ACG...

Read More
News

City of San Mateo Sued by Nonprofit Over New Housing Plan

Tom Mayhew spoke to CBS News about the lawsuit filed by Housing Action Coalition (HAC) and Farella against the City of San Mateo. The lawsuit challenges the city's recently adopted Housing Element in order to...

Read More
News

Special-Servicer Work Heats Up, Revealing CMBS Tensions

Restructuring, insolvency, and creditors rights partner Gary Kaplan provided expert commentary in the Law360 Real Estate Authority article "Special-Servicer Work Heats Up, Revealing CMBS Tensions." In the article, Gary noted that there is usually...

Read More
Event

21st Annual Stanford Digital Economy Best Practices Conference

Erik Olson is speaking at the 21st Annual Stanford Digital Economy Best Practices Conference for the session "Track A: Content Moderation." To register for the event, please click  here .

Read More
Publication

REFRESH: Loot and Private Foundation Rules – Part 1

Welcome to  EO Radio Show - Your Nonprofit Legal Resource . In this episode, I'm happy to refresh  EO Radio Show  episode 21, the first of our two episodes exploring private foundation rules using the...

Read More
Publication

No Three-Year Bar on Copyright Damages (For Now): SCOTUS Issues Opinion in Warner Chappell Music, Inc. et al. v. Sherman Nealy et al.

In a 6-3 majority decision in Warner Chappell Music, Inc. et al. v. Sherman Nealy et al. , the Supreme Court held that the Copyright Act entitles a copyright owner to recover damages for any...

Read More
Publication

REFRESH: Loot and Private Foundation Rules – Part 2

Welcome to  EO Radio Show - Your Nonprofit Legal Resource . In this episode, I refresh  EO Radio Show  episode 22, the second of our two episodes exploring private foundation rules using commentary on the...

Read More
Publication

A New Overtime Threshold Takes Effect in Mere Weeks: HR Should Assess Its Impact Now

On April 23, 2024, the U.S. Department of Labor (DOL) issued its final rule increasing the minimum pay requirements under the Fair Labor Standards Act (FLSA) for various exempt “white-collar” employee categories beginning on...

Read More