The General Data Protection Regulation (GDPR) is Europe's privacy law. If you have supporters in Europe and you collect their data, GDPR applies. It's stricter than US laws and has real penalties ($20K-40K per violation, or 2-4% of revenue, whichever is higher).

But GDPR isn't that complicated for nonprofits. Follow these rules and you're compliant.

Who Does GDPR Apply To?

GDPR applies if you process personal data of people in the EU, regardless of where you are based (including the US). Offering services to EU residents means collecting any information from anyone with an EU email address or who indicates they are in the EU.

You don't need many EU supporters for it to apply. Even five donors in Germany trigger GDPR.

If all your supporters are US-based, GDPR doesn't apply. But check: scan your contact list for .fr, .de, .nl, .co.uk and similar domains.

GDPR's Core Principles

1. Lawful Basis for Processing

You need a legal reason to process data. For nonprofits, the lawful basis is usually: explicit consent (they agreed) or legitimate interest (you need their data to provide services).

For donors: you have lawful basis (they chose to donate). For newsletter subscribers: you need consent (they opted in).

2. Transparent Privacy Policy

Make clear what data you collect, how you use it, who you share it with, how long you keep it, and what rights people have. Write it plainly (not legal jargon).

3. Explicit Consent for Secondary Uses

Someone gives a donation. You can thank them and send receipts (that's expected). But do you want to add them to your newsletter? Ask explicitly: "May we send you updates?" with a checkbox. Don't assume consent.

4. Data Minimization

Collect only what you need. Don't collect "just in case." Collect name, email, address for donor communications. Don't collect employer, wealth estimate, political views unless necessary.

5. Retention Limits

Delete data when you don't need it anymore. Former donors: keep for 3-5 years (in case they return). Then delete or anonymize. Prospects who never engaged: delete after 2 years.

6. User Rights

People can ask: what data do you have? (You must tell.) Can I access it? (You must provide.) Can I delete it? (You must delete.) GDPR gives people control.

7. Data Breach Notification

If personal data is breached, notify the relevant authority (the EU data protection office) within 72 hours. You probably also have to notify the affected people.

Practical Implementation

Step 1: Audit EU supporters. Count how many supporters are in EU countries. If zero, GDPR may not apply (but check). If more than zero, you need to comply.

Step 2: Update privacy policy. Add clear language about GDPR rights. Explain consent mechanisms. Make it simple and understandable.

Step 3: Implement consent. For EU supporters, get explicit consent before sending marketing emails. Existing supporters: you probably have a lawful basis already (they're donors), but send them an email saying "we're updating our privacy practices" and give them a chance to opt out.

Step 4: Data audit. What data do you have on EU supporters? Do you really need it all? Delete unnecessary data (employer, wealth estimate, etc.). Keep only what is essential.

Step 5: Retention policy. Write a data retention policy specifying how long you keep data. Example: "Donor data: 5 years after last gift. Prospect data: 2 years after last engagement. Unengaged: delete." Document it.

Step 6: Respond to requests. Set up a process for responding to "what data do you have about me?" requests. You have 30 days to respond.

Common GDPR Questions

Do we need a Data Protection Officer? Only if you're a large organization (250+ employees, process sensitive data at large scale). Most nonprofits don't.

What about cookies on our website? GDPR requires consent before tracking cookies. Add a cookie banner asking for consent. Analytics cookies (Google Analytics) need consent. But essential cookies (login, security) don't.

Can we share EU donor data with other nonprofits? Not without asking them first. A donor gives to your nonprofit, not to everyone. To share data, ask: "Can we share your information with [partner organization]?"

What if we use a US vendor? They must comply with GDPR if they process EU data. Require a Data Processing Agreement that includes GDPR compliance. Most US vendors (Google, Salesforce, HubSpot) have DPAs including GDPR terms.

GDPR vs US Privacy Law

GDPR is stricter. If you comply with GDPR, you're probably compliant with US laws (California, NY, etc.). So: if you have any EU supporters, adopt GDPR standards for everyone. It's easier than maintaining two different standards.

Key Takeaway

GDPR is strict but not magical. Be transparent, get consent, minimize data collection, delete old data, respect user rights. Treat your EU supporters' data with the same care as your most protective donors deserve.

Frequently Asked Questions

What if we're not sure if we have EU supporters?

Search your donor database for email addresses from EU countries (.de, .fr, .nl, etc.). Ask supporters during signup: "What country are you in?" You'll get a clear picture. If you find even a few, comply with GDPR (it's not that burdensome).

Do we need a separate privacy policy for EU vs US?

No, one privacy policy for everyone is fine. Make it GDPR-compliant, and it will satisfy everyone. It's actually easier than maintaining two versions.

What's the difference between consent and legitimate interest?

Consent: they actively agree ("yes, email me"). Legitimate interest: you have a business reason to process data without asking (e.g., you process a donation—you need their data to complete the transaction). For donors: legitimate interest. For newsletters: consent.

Can we keep EU donor data indefinitely?

GDPR doesn't specify a maximum retention period, but you need a reason. "In case they return as a donor" is a legitimate reason for 3-5 years. After that, delete or anonymize. Keeping data with no reason violates the retention principle.
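The EU audit (Step 1 and the first FAQ) and the retention policy (Step 5 and the question just above) as one small script. This is example code added here, not from the original page; the contact record layout, the illustrative country list and the sample records are constructed, and the email-domain check is only a heuristic that a stated country field should override.

```python
"""Flag likely-EU supporters by stated country or email domain, then apply the
page's retention policy: donors keep 5 years after last gift, prospects keep
2 years after last engagement, never-engaged prospects are deleted."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Domain suffixes the page lists as EU indicators (it includes .co.uk).
EU_DOMAIN_SUFFIXES = (".de", ".fr", ".nl", ".co.uk")
# Illustrative, partial list of EU country codes; extend for real use.
EU_COUNTRIES = {"DE", "FR", "NL", "IT", "ES", "IE", "BE", "AT", "PL", "SE"}
# Constructed reference date for the sample audit below.
AUDIT_DATE = date(2025, 1, 1)

@dataclass
class Contact:
    email: str
    country: Optional[str]           # answer to "What country are you in?" at signup
    last_gift: Optional[date]        # None means never donated (a prospect)
    last_engagement: Optional[date]  # None means never engaged

def is_eu_contact(c: Contact) -> bool:
    """A stated country wins; fall back to the email-domain heuristic otherwise."""
    if c.country:
        return c.country.upper() in EU_COUNTRIES
    return c.email.lower().endswith(EU_DOMAIN_SUFFIXES)

def retention_action(c: Contact, today: date) -> str:
    """Return 'keep', 'anonymize' or 'delete' under the page's retention policy."""
    if c.last_gift is not None:
        years_since_gift = (today - c.last_gift).days / 365.25
        # Page allows delete or anonymize after 5 years; anonymize keeps aggregate stats.
        return "keep" if years_since_gift <= 5 else "anonymize"
    if c.last_engagement is None:
        return "delete"  # prospect who never engaged
    years_since_engagement = (today - c.last_engagement).days / 365.25
    return "keep" if years_since_engagement <= 2 else "delete"

def audit(contacts, today):
    """Count likely-EU contacts and decide a retention action for every record."""
    eu_count = sum(1 for c in contacts if is_eu_contact(c))
    actions = {c.email: retention_action(c, today) for c in contacts}
    return eu_count, actions

# Constructed sample records, not real supporters.
SAMPLE = [
    Contact("anna@example.de", None, date(2023, 6, 1), date(2024, 1, 10)),
    Contact("liam@example.com", "IE", date(2017, 3, 15), date(2017, 3, 15)),
    Contact("sam@example.com", "US", None, date(2021, 5, 2)),
    Contact("pat@example.org", None, None, None),
]
```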