Is Your Nonprofit at Risk? Donor Data Protection Is a Global Priority
On May 25, 2018, the European Union's General Data Protection Regulation (GDPR) came into effect. Although it is intended to protect people living in Europe, you might recall how, when it took effect, your email inbox filled with hundreds of messages from practically every organization you subscribe to, asking you to agree to their new terms. There is a reason this happened.
If your nonprofit has not thoroughly protected the data of its donors, volunteers and even website subscribers, you are placing your organization at significant risk: failing to set appropriate safeguards on personal information can cost your charity as much as 4 percent of its total annual revenue.
GDPR Affects the US, Too
Although the GDPR is European law, it affects people and organizations around the world, including U.S. nonprofits. Here is why: the GDPR requires that entities anywhere in the world protect the personal information of European citizens and residents. The rationale behind the GDPR is that Europeans have a right to be forgotten, and to be protected, in the digital world, and that Europe wanted to update its existing laws, which had been found inadequate.
However, if you think that you’ll skate through because the U.S. does not have this law, you’re making a serious mistake on several grounds.
1. Can you be confident that every single person in your database resides exclusively in the U.S.? In today's global world, that is not something most organizations can know for sure.
2. Further, certain U.S. states have begun to legislate on data protection and privacy, and this trend will only grow in the coming years, especially as ever more massive data breaches occur, such as the recent Marriott breach, which exposed the information of 50 million people. People increasingly want their very personal, private and sensitive information protected from thieves, hackers and even corporations and the government.
3. Imagine a few scenarios that can compromise your nonprofit, even unintentionally. A person in a European country visits your website and fills out a form that lets them enter a non-U.S. telephone number or address, or a person donates to your organization using information that is not U.S. based, such as payment in a European currency. Either of these situations alone would create legal exposure for your nonprofit.
The reality is that we all have a right to privacy in the U.S., even if it is not expressly stated in the Constitution. The Bill of Rights does, however, protect privacy through the 1st Amendment concerning religion, the 3rd Amendment regarding the home, the 4th Amendment concerning unreasonable searches and the 5th Amendment concerning the right against self-incrimination. Today, our leaders and politicians continue to try to guide the nation in that spirit, especially when the constituents to whom they are beholden become more vocal about the issue. It is fair to say that the public is tired of having its private information compromised, exposed or shared, even with regulators.
Paul D'Alessandro, JD, CFRE, is founder and chairman of D'Alessandro, Inc., a fundraising and strategic management consulting company. He is also a lawyer and a tax law specialist for nonprofits.