General Data Protection Regulation (GDPR) Tip Sheet
The EU has a new set of data security regulations set to be enforced beginning May 25th, 2018. These new rules will apply to organizations located within the EU that process the personal data of individuals in Europe and to non-EU-based organizations that offer goods or services to individuals in Europe.
As a general rule, if your website doesn’t accept donations or payments in Euros and doesn’t offer translations in EU languages, then your organization isn’t considered to be offering goods or services to individuals in Europe. (Just because somebody in the EU found your site and signed up or donated, that doesn’t require you to comply with GDPR.)
Many US-based organizations are choosing to change their policies to comply with GDPR out of an abundance of caution and because the assumption is that these regulations or similar regulations will arrive in the US before long.
Enhanced Consent Collection – Users must give decisive, unambiguous consent and have the ability to retract it at any time.
Legitimate Interests – Personal data should only be collected when necessary for the normal operations of your organization.
Personal Rights – Individuals retain a number of rights, including Right of Access, Right to Rectify, and Right of Erasure, among others.
Transparency – Reasons for data collection and plans for the use of such data must be made perfectly clear to the data subject.
Data Breach Notification Requirements – In case of a breach of personal data, users and the ICO must be notified within 72 hours.
Penalties for Noncompliance – Penalties can be as much as 4 percent of an organization’s annual worldwide revenue or €20 million, whichever is greater.
Accountability – All organizations impacted by GDPR must have an individual responsible for managing their compliance, including the formal appointment of a Data Protection Officer (DPO) in many cases.
- Make sure that key decision makers within your organization are aware of GDPR and are factoring it into all decisions moving forward.
- Designate an individual to take responsibility for data protection compliance.
- Never hide or pre-check a checkbox that gives your organization permission to access a user’s personal data.
- Be prepared to delete a constituent’s personal data upon request within 30 days of receiving that request and to show proof of consent if ever a constituent asks for it.
- Have a plan for notifying affected data subjects and the ICO within 72 hours in case your constituents’ personal data should ever be breached while in your care.
- Consider purchasing a cyber insurance policy.
GDPR compliance is an important topic that should be discussed at the executive level of your organization, including your legal department. While Charity Dynamics takes data security very seriously and always factors related considerations into our work, it is the responsibility of each individual organization to confirm that you are prepared to comply.
Interested in Our GDPR Readiness Audit?
Contact us to hear how we can help your organization quickly prepare for General Data Protection Regulations.