Is Your Nonprofit at Risk? Donor Data Protection Is a Global Priority
On May 25, 2018, the European Union's General Data Protection Regulation (GDPR) came into effect. Although it is intended to protect people living in Europe, you might recall how, when it took effect, your email inbox filled up with hundreds of messages from practically every organization you subscribe to—asking you to agree to their new terms. There's a reason this happened.
If your nonprofit has not thoroughly protected the data of your donors, volunteers and even your website subscribers, you are placing your organization at significant risk: failing to set appropriate safeguards on information can cost your charity as much as 4 percent of your total annual revenue.
GDPR Affects the US, Too
Although the GDPR is European law, it affects people and organizations around the world, including U.S. nonprofits. Here's why: the GDPR requires that entities anywhere in the world protect the information of European citizens and residents. The rationale behind the GDPR is that Europeans have the right to be forgotten—and protected—in the digital world, and that Europe wanted to update existing laws that had been found inadequate.
However, if you think that you’ll skate through because the U.S. does not have this law, you’re making a serious mistake on several grounds.
1. Can you be confident that every single person in your database resides exclusively in the U.S.? In today's global world, that is not something most organizations can know for sure.
2. Certain U.S. states have started to legislate on data and privacy, and this will only grow in the coming years, especially as ever more massive data breaches occur, such as the recent Marriott breach, which exposed the information of 50 million people. People increasingly want their very personal, private and sensitive information protected from thieves, hackers and even corporations and the government.
3. Imagine a few scenarios that can compromise your nonprofit, even unintentionally. A person in a European country visits your website and fills out a form that allows them to enter a non-U.S. telephone number or address, or a person makes a donation to your organization using information that is not U.S. based, such as European currency. Just these two situations would create legal exposure for your nonprofit.
The reality is that we all have a right to privacy in the U.S., even if it is not expressly stated in the Constitution. The Bill of Rights does protect privacy in the 1st Amendment concerning religion, the 3rd Amendment regarding the home, the 4th Amendment related to unreasonable searches and the 5th Amendment concerning the right to protect oneself against self-incrimination. Today, our leaders and politicians continue to try to guide the nation in that spirit, especially when the constituents to whom they are beholden become more vocal about the issue. It's fair to say that the public is tired of having their private information compromised, exposed or shared, even if it is with regulators.
If you're a nonprofit leader, you're probably familiar with IRS Form 990, on which you list major donors to your organization on Schedule B. This is considered confidential information, and disclosure of donors' private data can bring your organization substantial penalties from the IRS. However, states like New York and California have tried to require nonprofits to report the private information of major donors on Schedule B to regulators in those states. That effort has met significant push-back, with lawsuits seeking to ensure that donor information can remain private.
Everyone knows the big five technology companies: Facebook, Apple, Google, Amazon and Microsoft. If you've been keeping an eye on the news, you're familiar with the global discussions about privacy as these companies harvest every possible piece of data on everyone using their platforms (or just surfing the Internet) so they can then make a profit. Facebook and Google are the most infamous because together they had 63 percent of U.S. advertising spending in 2017, a significant market share.
The public, and by extension, governments and regulators are having an ongoing debate about how, or even if, to develop laws that will protect information—including that of donors to nonprofits—in the years ahead. I suspect there will come a time when it will be done because these businesses have no competitors within their respective industries and immense amounts of data, which is money and power.
In closing, let's circle back to the GDPR. As I mentioned, the world is having a discussion and enacting laws to try to rein in some of the power of the big tech companies, and also the information that is harvested by all businesses and, yes, even charitable organizations. A few things your organization can do to stay in compliance with not only U.S. regulators but also global governing bodies are to:
1. Familiarize yourself with the most prominent data protection law on the planet, the GDPR.
2. Ensure that, if your forms and website gather information from non-U.S. residents, you remain compliant.
3. Ensure that data security is a significant priority for your organization.
4. Create data and information policies that ensure donor information is given the priority and high-level security that it deserves.
Paul D'Alessandro, JD, CFRE, is founder and chairman of D'Alessandro, Inc., a fundraising and strategic management consulting company. He is also a lawyer and a tax law specialist for nonprofits.