It's been more than three months since the most sweeping and stringent privacy regulations anywhere in the world were implemented in Europe. Now what?
It's a good time to review what aspects of the General Data Protection Regulation (GDPR) may affect U.S. nonprofits.
The GDPR, built on already existing legislation, has three important areas of emphasis. They are as follows.
Enhancing the
rights of citizens to control who has access to their data and what they can do with it while they have it, including the infamous "right to be forgotten." This right provides the citizen, in certain circumstances, the right to insist that data be deleted. It's been made clear that, in Europe, personal data belongs to the citizen to whom it relates.
Introducing a clear
accountability principle. It is no longer good enough to say that you are in compliance. Organizations must now have clear documentary evidence of decisions they have made regarding their collection and use of personal data, such as the appropriate legal basis under which they are operating. There must also be a clear audit trail of rights provided for personal data, when these were given (or retracted), and how they were discharged. There are many other areas that also now require mandatory documentation. These include the assessment of risks to personal data through its collection and processing. They also include evidence of reconsideration of these risks when an organization makes any changes to these processes.
Strengthening the
penalty regime for noncompliance with the legislation. In the most serious circumstances, organizations can now be fined up to 4 percent of their worldwide revenues. We have yet to see any significant fines levied. However, a complaint has been lodged by an activist group against Google and Facebook that could in theory result in fines of $9.3 billion. And there are other actions available to regulators that may hurt organizations just as much, if not more. These actions include the ability to demand that an organization stop processing personal data entirely.
Additionally, the EU made the legislation "extraterritorial" in nature. Extraterritorial means that, in theory, the regulatory requirements extend to any organization anywhere in the world that is processing the data of EU citizens.
Let's look at a couple of the more common questions that I am often asked in the U.S.
1. I'm a U.S.-based organization that doesn't work with anyone in the EU. Should I care about GDPR?
Are you really sure you hold no data on any EU citizens, including those who may have signed up to your service or organization while they were in the U.S.? If so, then no, there would not be a direct requirement for you to comply with the GDPR. However, if you have not done so recently, I would encourage you to perform a thorough review of the data you hold, where it's from, and how it's processed.
The underlying philosophy behind the GDPR is that citizens control their own assets — in this case, their personal data. Much of what is contained in the GDPR is aimed at clarifying those rights and encouraging (and ultimately, forcing) organizations to honor and respect those rights. There are many countries around the world that have either recently implemented similar privacy legislation or that plan to. If you have any international operations, then you should ensure that you do a thorough review of existing and upcoming privacy regulations in those countries that are relevant to you.
There are already specific pieces of U.S. legislation in relation to data privacy in the financial (Gramm-Leach-Bliley) and medical (HIPAA) sectors. There is also the newly passed California Consumer Privacy Act, which is similar to the GDPR in its approach and provisions. That law is due to come into effect on January 1, 2020 (although nonprofits are exempt from it).
2. I'm a U.S.-based organization that DOES work with EU citizens. Can I still send my newsletter?
Yes, but there are some things you will need to consider. If you are sending a purely informational newsletter, then there is less to consider. That's because you are probably operating under the "legitimate interests" basis.
However, if you are using the newsletter to also market your services, or those of other organizations, then you will need to gain consent to continue to do this. The definition of marketing would include any sort of promotional material, for example, promoting the aims of a nonprofit, and in particular, any campaigning or fundraising messages.
First, you should always provide a clear notice to the citizen explaining who you are, what information you hold, and what you will be using it for. You should also provide clear details of any other organization with which you might share the citizen's details.
You must also indicate clearly if the citizen's data is being stored or processed in a country outside of the EU. Plus, you must explain the risks in doing so and how you plan to protect that data to a standard in line with that existing within the EU.
Next, you will need to obtain consent from the subscribers to your newsletter and document this in a formal record. The consent given should be intentional, clear, and specific. It should also be in the form of a positive opt-in, made through an unambiguous affirmative action.
You cannot use prechecked boxes or any other method of consent by default. If you have not previously gained consent as mandated by the GDPR, then you should ask your subscribers to reconfirm their consent. You could do this the next time you issue an edition of the newsletter. However, be aware that you cannot assume consent from a "non-reply" to the request.
In addition to gaining the appropriate consent, you must also provide your subscribers with a clear opt-out (or unsubscribe) process. And, of course, you must record and honor any such requests that are made within 28 days.
You should also ensure that you keep your subscriber list and your consent records up to date. Plus, you must have a formal process for ensuring that the marketing preferences indicated are honored at all times.
Lastly, consent to marketing as a necessary condition for receiving the newsletter. You need to clearly document and demonstrate how this consent was freely given and why it was necessary to couple your marketing efforts and the newsletter together.
3. I've got EU citizen data on U.S. servers. Is that OK?
It depends. The U.S. is not considered to be an "adequate" country for the transmission of personal data from the EU. This is largely because there is no overarching law in the U.S. that guarantees that citizens are provided with the same rights and protections as the GDPR does in the EU.
There is currently an agreement between the EU and the U.S. called the Privacy Shield agreement. It allows personal data to be transferred between countries without specific consent when organizations sign up and comply with its requirements. However, it does not apply to nonprofits.
Because of this, you will be required to gain specific consent from the citizen for the personal data to be transferred to the U.S. This action also has to be coupled with clear notification of the transfer. It also must indicate how you intend to protect the data in the same way as is required in the EU. You also have to provide the citizen with the right to withdraw this consent at any time.
4. Can I share EU citizen data with partners?
Yes, but only if the fact that you are doing this is made clear to the citizen at the time that they provide their data and they consent to this. You would need to make it clear exactly which organizations are receiving the data and what they intend to do with it. It will not be acceptable to indicate broad categories of organization.
You must also provide the citizens with the right to withdraw their consent to this data sharing at any time. Importantly, if the partner organization intends to do any direct marketing of its own, then it will need to obtain consent directly from the individual concerned. It cannot rely on third-party consent.
You will also need to put in place a formal data-sharing agreement between you and your partners. This agreement should clearly indicate the nature of the relationship between you both and your respective roles in the processing of the data. There are specific legal considerations in putting these contracts together and the statutory responsibilities and liabilities of each party. You should ensure that a qualified lawyer has taken a look at them before you implement them.
Additional Resources: GDPR and Data Privacy for Nonprofits
About the Author
Giles Watkins has spent 30 years in consulting, including 21 years at Ernst & Young. At EY, he founded and led the global technology due diligence practice, sat on the board of the technology risk practice, and led the UK Privacy practice. In 2010, he set up his own boutique consulting firm in privacy and identity, which he subsequently sold to KPMG. At KPMG, he was the global privacy leader and also the partner responsible for cybersecurity services to some of its largest UK accounts. Since leaving KPMG, he has taken up board positions on several startups, both in the US and the UK, all connected with privacy, security, and identity in some way. He also sits on the ISO Standards Committee for Blockchain and Distributed Ledger Technology. He is a board member of the Distributed Ledger Foundation and the UK country leader for the International Association of Privacy Professionals.
