GDPR and What It Means for Nonprofits

Takeaways from an Expert Panel Discussion

by: Nicole Grossberg and Boris Kievsky

Last week, the Foundation Center hosted its “The Future of Philanthropy: Thriving in a World of Change” event. This all-day event opened up discussion about some of the large-scale technological and philanthropic changes taking place across the nation and the world, and how they relate to nonprofits and foundations.

At the event, dotOrg Strategy founder Boris Kievsky moderated a panel on the subject of on “Reaching Audiences in the Age of GDPR.” The expert speakers assembled for the discussion were Jon Dartley, Of Counsel at Perlman & Perlman; Crystal Mandler, Director of Business Insights at Foundation Center; Elizabeth Ngonzi, Adjunct Faculty at NYU Center for Global Affairs and Isaac Shalev, Founder & President at Sage70.

The event was live-streamed (full video at the bottom of this article), but if you couldn’t make it, we’ve put together some of the key takeaways your nonprofit should consider and actions you can take today.

What is GDPR?

GDPR is the “General Data Protection Regulation” that went into effect in May of 2018. Essentially it’s an (EU) European Union law that governs how organizations must steward the data that they collect to ensure that personal information is gathered and managed with the knowledge, consent and control of the individual to whom it pertains. Think of it as a law for businesses (nonprofit and for-profit alike), AND a bill of rights for citizens of the E.U.

The Panel on GDPR and U.S. Nonprofits

The natural first question was whether U.S. nonprofits should be concerned with this European law. The short answer is: YES.

What’s at Stake for Nonprofits?

Exposure. Whether you actively solicit information from people in the E.U. or not, your website and other tools may be collecting data about them. Under these new regulations, any organization that collects and/or uses data improperly can be fined the greater of:

  • €10 Million or 2% of their annual revenue
  • €20 Million or 4% of annual revenue

Note that this refers to revenue, not profit; that includes any funds coming into your organization. So a nonprofit or NGO is just as vulnerable. While the ability of the E.U. to collect these fines from U.S. organizations will still be tested, it is far better to err on the side of caution.

Falling Behind. Between the upcoming law in California (taking effect in 2020) and the general trend towards greater privacy in the wake of recent data breaches and public scandals, stronger regulation in the U.S. is all but a foregone conclusion.

Trust. GDPR is an attempt to give people control over their data. When your constituents—be they benefactors, beneficiaries, volunteers, or any other group—trust you with their information, you have an obligation to steward that data responsibly. A violation of that trust is much harder to bounce back from for nonprofits than it is for a giant for-profit like Uber or Facebook, which can spend millions on marketing and PR. Without mentioning names, Boris referred to a recent client that lost the public’s trust years ago and has been struggling to rebuild their image and donor base since.

Why GDPR is Particularly Challenging for Nonprofits

We know that nonprofits have fewer resources so this new policy automatically puts them at a disadvantage. Jon also referenced that for-profit companies have a leg up since they often have dedicated internal staff devoted to cybersecurity and privacy issues. Nonprofits typically have all employees wear many hats and satisfy more than one role, so privacy might seem to be a back-burner concern. However, nonprofits are increasingly the targets of hacking and data theft. Jon cited a survey that showed 63% of nonprofits suffered a data breach over the last 5 years.

GDPR applies to any company with a web presence (so basically, everyone) that interacts with or has web traffic from EU residents. You may not realize it, but your site most likely does get explored by EU citizens. Crystal Mandler shared that 4% of the Foundation Center’s website traffic comes from EU residents, which equates to 200,000 new users each year.

Unless you are looking at the data your site collects, you may not be conscious of the amount of EU residents that are visiting your site, donating to your nonprofit, or signing up for your newsletters.

The Benefits and Opportunities of GDPR for Nonprofits

Jon Dartley summed it up best, “there’s good news and bad news. The bad news is GDPR is here, and the good news is… GDPR is here.” While there might will be some painstaking hours involved to manage the process of becoming GDPR compliant, there are plenty of reasons to celebrate the changes this regulation brings.

We touched on integrating internal operations earlier but to dive in deeper to that, GDPR is an opportunity for nonprofits to clean up their data act, so to speak. Most organizations have separate systems or platforms they use to send email newsletters, store donor information, and manage volunteers. Centralizing the data where possible will not only create fewer points of vulnerability, but also give you a clearer vision of what data you may be collecting that you don’t actually use, and keeping longer than you need.

At the Foundation Center, Crystal says this has shed light onto their website traffic, the type of information they are getting, and what type of permissions they have. Even better, because GDPR policies have forced explicit opt-ins and some previous subscribers were asked to go back and “re-opt in,” it’s opened up a pool of qualified and engaged users. Many people were removed or removed themselves from the mailing list. But that lowers the cost of their communications, and their newsletter click-through rates and open rates have actually increased since GDPR policies were implemented because those who remained were keen to keep getting the newsletters.

GDPR Impact on Storytelling and Communication with Audiences

Elizabeth Ngonzi talks about her four keys to online communications for nonprofits. When you engage with donors online it’s important to remember the following:

  • Transparency — Be clear with the user on what you need them to do and how their personal information will be used. In the case of GDPR, this means telling them ahead of time and having them explicitly opt in for those communications.
  • Authenticity — Build credibility by making sure that the information you share with them is accurate in order to build trust with donors
  • Clarity — Know how explicit you need to be with terms and conditions and privacy policies. Make sure you know where these opt-ins and language needs to be on your site and that it’s clear and concise.
  • Relevance — Make sure that your communications are what your user or donor has signed up for. Use targeted communication to ensure the content you’re sending them is what they want to see, when they want to see it.

Isaac and Boris talked further about segmenting your data and your audience. Nonprofits should know how to speak to each of their audience avatars, and to look at the data on those audiences from every angle. You usually don’t want to send the same information to donors that you do to beneficiaries and, under GDPR, you may not be allowed to if they didn’t agree to it ahead of time. This might seem like a limitation but it’s actually a great way to exercise effective and targeted storytelling.

There were a lot more salient points and ideas covered in the hour-long panel. The questions from the audience were also salient and indicated that there is still a lot of confusion and the topic can feel overwhelming. To make it a little easier, the panel was asked what first steps organizations should take to get themselves moving in the right direction.

First (and Next) Steps to GDPR Compliance

All this information can seem overwhelming, so the panel concluded with advice on where to begin.

Here are steps to get your nonprofit started on becoming GDPR compliant:

  • Update Your Privacy Policy

    Make sure it’s current with the technology you’re using, and add all necessary GDPR revisions

  • Make sure your opt-ins are clear and explicit

    Do people know precisely what they’re signing up for at any point that they’re giving you information?

  • Consider a Cyber Liability Insurance Policy

    The reality today, is that no combination of technology and security measures are 100% safe and unassailable. You can protect your organization’s assets and exposure to liability damages with a an insurance policy.

  • Perform a Data Audit of Your Nonprofit

    Even if it’s an informal one, do an audit of the data you’re collecting, why, and how long you’re storing it. Note: this doesn’t just apply to digital data. Check those file cabinets, too!

  • Look at Your Vendor Agreements

    Most breaches happen on a vendor level, but your org can still be held liable according to their agreements. This is a good opportunity to renegotiate as needed.

  • Determine Your Specific Risks

    Educate yourself and identify your organization’s specific risks. Isaac recommends (and we agree) that ICO is a great place to get the information in clear simple language. Start here.

  • Get Buy-in (and Budget) from Your C-suite

    Make sure they understand the importance and benefits of GDPR compliance today, not at some point in the future. It will take some resources, so ask that they be appropriated.

  • Smaller Nonprofits Needn’t Be Overwhelmed

    If you are a young or small nonprofit, you are actually at an advantage, because you have fewer systems, processes and cultural habits to change!

Watch the Full Video

(The panel starts at 2:33:45)

Get the latest articles and nonprofit online news that can boost your mission, right in your inbox:

Want help with these strategies or other ways of increasing your impact? We’re happy to help.

Our course offers a great way to think about (and execute on) your online goals.