The General Data Protection Regulation (GDPR) is European Union law protecting the privacy of EU residents. If your nonprofit collects information from people in the EU—donors, program participants, email subscribers—GDPR applies to you. This is true regardless of where your organization is located. An American nonprofit with European donors must comply with GDPR when handling their data. The penalties for noncompliance are significant: up to 4% of annual revenue or 20 million euros, whichever is higher. Understanding GDPR requirements and implementing compliance is essential for nonprofits with European constituents.
GDPR is complex, but its core requirements are straightforward: be transparent about data collection, get consent before processing data, protect data security, allow people to access and delete their data, and notify authorities of breaches. This article walks through GDPR basics and practical implementation for nonprofits without legal teams.
Does GDPR Apply to You: Understanding Scope
GDPR applies if you collect "personal data" from EU residents. Personal data is any information identifying or describing a person: name, email, address, phone, IP address, cookie data, or donation history. It applies if you process this data, meaning collect it, store it, use it, or share it. It applies even if you don't explicitly ask for location; if someone from the EU provides information, GDPR applies.
GDPR applies regardless of where your organization is. An American nonprofit, a Pakistani nonprofit, a nonprofit anywhere in the world must comply with GDPR if handling EU residents' data. GDPR applies to the data, not the organization's location.
Some activities are exempt. Purely personal use (a founder keeping their own contacts) isn't covered. Some data processing for specific legal purposes (law enforcement, security) has exemptions. Most nonprofit fundraising and program activities aren't exempt. When in doubt, assume GDPR applies.
Core GDPR Requirements: Key Obligations
GDPR's core requirements address transparency, consent, rights, security, and breach notification. Implementing these addresses most compliance needs.
Transparency: You must tell people what data you collect, why, how you use it, how long you keep it, and what rights they have. Publish a privacy policy addressing these points. Make it clear and understandable. Don't use legal jargon. EU residents have the right to understand your practices.
Consent: You must get consent before processing personal data. Consent means affirmative agreement, not passive silence. A box left unchecked, or a pre-checked "I agree" box, doesn't establish consent. Consent must be freely given, specific, and informed. When collecting email addresses, consent means the person checks a box saying "I agree to receive emails." When collecting sensitive information, consent is even more important.
Right to access: EU residents have the right to request and receive a copy of their data. You must provide it within 30 days in a common format (CSV, PDF, etc.). Implement an easy process for data access requests.
Right to be forgotten/deletion: EU residents have the right to request deletion of their data in many circumstances. You must delete it or explain why you can't (for example, legal obligations). Implement a deletion process and actually delete data (not just marking it as deleted).
Right to data portability: Residents can request their data in a machine-readable format and have it transferred to another organization. This mainly affects large organizations, but be aware it's a right.
Data security: You must implement appropriate security measures. This means encryption, access controls, regular updates, and staff training. The measures should be appropriate to the sensitivity of data and your organization's size. Nonprofits don't need bank-level security, but they do need reasonable measures.
Breach notification: If a breach exposes EU residents' data, you must notify them and EU authorities within 72 hours. This is a strict timeline. Have a process in place before a breach occurs.
Implementing GDPR Compliance: Practical Steps
Compliance doesn't require completely restructuring your organization. It requires creating processes and documentation.
Create or update your privacy policy. Address what data you collect, why (lawful basis), how long you keep it, who you share it with, what rights people have, and how they exercise those rights. Make it specific to your organization and activities. "We collect donor names and addresses to issue tax receipts and maintain relationships" is clear. "We collect personal data" is vague.
Implement consent processes. When collecting email addresses, add: "I agree to receive emails from [organization]." When collecting donation information, add: "I agree to [organization] contacting me about my donation and using my information as described in our privacy policy." Make consent affirmative, not passive.
Implement data access and deletion processes. Create simple web forms where EU residents can request their data or its deletion. Train staff to handle these requests. Document when you received each request and what action you took; this documentation is important for a compliance audit.
Document your data processing. Create a simple list: what data you collect, from whom, why (lawful basis), how you use it, how long you keep it, who has access, and where it is stored. This documentation (a Data Processing Inventory) helps you understand your practices and demonstrates you've thought through compliance.
Implement reasonable data security measures. This means encryption for sensitive data, secure passwords, regular updates, access controls, and staff training. It means knowing what data you have, who has access, and protecting it accordingly.
Have an incident response plan addressing breach notification. If data is breached, you need to notify EU authorities and affected residents within 72 hours. Document your process in advance.
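The access and deletion steps above are easier to get right when the data store records, for every piece of personal data, the purpose it was collected for and whether a legal retention obligation applies. The following is an added example written for this article, not code from it or from any nonprofit's system; the donor records, the retention rules, and the purpose names are constructed for illustration. It exports a person's data as CSV for an access request, physically removes deletable records for an erasure request while listing anything that must be kept (with the reason the person is owed), and writes the request log an audit would ask for, including the 30-day due date the article cites.

```python
"""Handling GDPR access and deletion requests for a small donor database.

Added example for the article above, not its own code. All data, names and
retention periods below are constructed; a real organisation sets retention
from its own legal obligations.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed retention policy: purpose -> (retention period or None, reason).
# None means the record rests on consent alone and can go as soon as the
# person asks; a period means a legal obligation requires keeping it.
RETENTION_RULES = {
    "tax_receipt": (timedelta(days=7 * 365), "legal obligation: tax receipt records"),
    "newsletter": (None, "consent only"),
    "event_signup": (None, "consent only"),
}

ACCESS_DEADLINE = timedelta(days=30)  # response window cited in the article


@dataclass
class Record:
    subject_email: str
    purpose: str           # key into RETENTION_RULES
    collected_at: datetime
    fields: dict           # the personal data itself


def records_for(db, email):
    """All records belonging to one data subject, matched case-insensitively."""
    key = email.strip().lower()
    return [r for r in db if r.subject_email.lower() == key]


def export_subject_data(db, email):
    """Right of access / portability: the person's data as CSV text, one row
    per field, tagged with purpose and collection date so it is self-explanatory."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["purpose", "collected_at", "field", "value"])
    for r in records_for(db, email):
        for name, value in sorted(r.fields.items()):
            writer.writerow([r.purpose, r.collected_at.date().isoformat(), name, value])
    return out.getvalue()


def delete_subject_data(db, email, now):
    """Right to erasure: physically remove every record the organisation is not
    legally required to keep. Returns what was deleted and, for anything kept,
    the reason that must be given to the person."""
    deleted, retained = [], []
    for r in records_for(db, email):        # iterate over a copy, so removal is safe
        period, reason = RETENTION_RULES[r.purpose]
        if period is not None and now < r.collected_at + period:
            retained.append((r.purpose, reason))
        else:
            db.remove(r)                    # real deletion, not a "deleted" flag
            deleted.append(r.purpose)
    return {"deleted": deleted, "retained": retained}


def log_request(log, kind, email, received_at, outcome):
    """Documentation for audits: what was requested, when, the statutory due
    date, and what was done."""
    entry = {
        "kind": kind,
        "subject": email,
        "received_at": received_at.isoformat(),
        "due_by": (received_at + ACCESS_DEADLINE).isoformat(),
        "outcome": outcome,
    }
    log.append(entry)
    return entry


def sample_db(now):
    """Constructed donor data for the demonstration."""
    return [
        Record("ana@example.org", "tax_receipt", now - timedelta(days=400),
               {"name": "Ana Example", "address": "1 Sample St", "amount": "50.00"}),
        Record("ana@example.org", "newsletter", now - timedelta(days=30),
               {"email": "ana@example.org", "consent": "checkbox ticked on signup"}),
        Record("ben@example.org", "newsletter", now - timedelta(days=10),
               {"email": "ben@example.org"}),
    ]


if __name__ == "__main__":
    now = datetime(2025, 1, 15, tzinfo=timezone.utc)
    db, log = sample_db(now), []
    print(export_subject_data(db, "ana@example.org"))
    result = delete_subject_data(db, "ana@example.org", now)
    print(log_request(log, "erasure", "ana@example.org", now, result))
```

Running it exports Ana's five data fields across two records, then deletes her newsletter record outright while keeping the tax receipt record and reporting the legal-obligation reason; the log entry carries the received date and the due date thirty days later. The retention table is the piece to adapt: every purpose your Data Processing Inventory lists should map to a stated retention period and lawful basis, which is exactly what the deletion logic needs in order to answer "delete it or explain why you can't".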
GDPR Practical Considerations: Special Cases
Some situations require special attention. Sensitive data (health, religious affiliation, political opinions) gets additional protection. Marketing emails require specific consent (affirmative opt-in, not opt-out). Donations might have special considerations if used for advocacy. Child data (under 16, or 13 in some countries) requires parental consent. If your nonprofit handles these, understand the specific requirements.
International transfers: If you transfer EU data outside the EU (to US servers, for example), this requires safeguards. The EU has mechanisms for this (Standard Contractual Clauses), but it's complex. If using cloud services in the US, ensure they have appropriate data protection mechanisms in place.
Data Protection Impact Assessment: For high-risk processing, GDPR requires a Data Protection Impact Assessment (DPIA). Most nonprofits don't need this, but if processing large amounts of sensitive data or using automated decision-making, understand the requirement.
Frequently Asked Questions
Do nonprofits have to comply with GDPR?
Yes, if you collect data from EU residents. There's no nonprofit exemption. GDPR applies to organizations of all sizes and types. Many nonprofits have European supporters; if you collect their data, you must comply. GDPR is EU law applying to any organization processing EU residents' data, regardless of the organization's location.
How do we know if someone is an EU resident?
You don't always know for certain, but you can ask. When collecting information, ask "What is your location?" or "Are you an EU resident?" Err on the side of caution. If you have any EU supporters, implement GDPR-compliant practices for all data. Treating all data with GDPR-level protections ensures compliance regardless of who provided it.
What penalties does GDPR have?
Penalties are significant: up to 4% of annual worldwide revenue or 20 million euros, whichever is higher. Smaller violations (lack of transparency) can be up to 2% or 10 million euros. These are serious penalties. Additionally, individuals can sue for damages from breaches. Implementing compliance isn't optional if you have EU data.
Should we get legal help for GDPR compliance?
Consulting a lawyer familiar with GDPR and nonprofits is valuable, especially if you process substantial EU data. A lawyer can review your privacy policy, consent processes, and data handling practices. That said, many nonprofits implement basic GDPR compliance themselves by publishing clear privacy policies, implementing consent processes, and having reasonable data security practices. Start with basic compliance; consult a lawyer if you're uncertain or if you process sensitive or large amounts of data.
GDPR compliance for nonprofits with European supporters requires transparency, consent, data security, and breach notification. Implementing these practices demonstrates respect for donor privacy and protects your organization from significant penalties. GDPR compliance is not optional if you have EU data.