Last month’s blog only skimmed the surface of what the European General Data Protection Regulation (GDPR) means for you and how your organization must process, store and delete the personal data of EU residents starting May 25, 2018. The focus was on communications, but what about fundraising? Fundraising usually has a large communications component, so the same rules apply if you do all of your development (fundraising) work in-house. Of course, many nonprofits rely on third-party vendors to bring in personal donations, and that makes things more complicated.
First things first: know your GDPR lexicon.
The two most important terms here are “data controller” and “data processor.” Data controllers are entities that determine the purposes and means of the processing of personal data. Under the GDPR, your organization is a data controller and primarily responsible for any donor or potential donor’s personal data.
“Data processors” do exactly what you’d expect: they process and compile personal data on behalf of, and on the instructions of, data controllers. Third-party fundraising companies are data processors, and they carry their own obligations under the GDPR alongside the controller’s. They must be able to show data controllers how they comply with the GDPR (the regulation requires a written contract between controller and processor that spells this out), and they may not engage another processor (a sub-processor) without the controller’s prior written authorization.
To be clear: passing data on to a data processor does not mean that your organization, the data controller, is absolved of responsibility for your constituents’ personal data.
An Online Fundraising Scenario Under the GDPR
Your organization wants to hold an online auction to raise money, so you hire a company to post auction lots on their site and process the personal data of bidders for you. They are data processors collecting information to give to you, the data controller.
Here’s where it gets dicey. Online auction houses can and often do act as data controllers even though they are also working as data processors on your behalf.
To make your auction as successful as possible, you will send emails through your own channels (Constant Contact, MailChimp, etc). Separately, the vendor will use personal data they have stored for their own use to reach out to potential bidders. These are individuals who have participated in past auctions — possibly yours, possibly other organizations’ — and who have agreed to have the auction house store their personal data for ongoing online communications.
Because the auction house is using its own stored data, not data you provided or data previously processed and stored on your behalf, it becomes a data controller for that specific personal data. For that data, your organization is unaffected. However:
- If the targeted individuals have previously bid on an auction benefiting your organization and your vendor contract did not specify how long bidders’ personal data would be stored on your behalf, you are still acting as a data controller for that data.
- If a bidder is currently participating in your auction and their data is currently being processed on your behalf, you are still acting as a data controller.
What could go wrong in this GDPR scenario and how can you prepare for it?
The vendor could fall victim to a data breach. The first concern is assigning responsibility. Under the GDPR, data processors and data controllers each have specific actions to take, on specific timelines.
Firstly, before you sign on the dotted line, make sure your contract with the vendor clearly states how long they’ll keep personal data, what they’ll do with it (and what they may not do with it), what security measures they apply, how and how quickly they’ll report data breaches to you, and how they’ll help you handle requests from data subjects (access, correction, deletion).
Secondly, know the notification clock. Under the GDPR, the data processor must notify the data controller without undue delay after becoming aware of a breach. The controller, in turn, must notify the relevant supervisory authority within 72 hours of becoming aware of it (unless the breach is unlikely to pose a risk to individuals), and must inform the affected individuals without undue delay when the breach is likely to result in a high risk to them. The 72-hour deadline is the controller’s, so the contract should oblige the vendor to report to you fast enough that you can meet it. Having a communications plan in place is key to taking timely action, and consider that you’ll have more than one audience to reach.
Individuals who gave their information to the auction house and whose data is currently being stored by the vendor on your behalf should receive an email explaining what happened, what data was affected, and what actions are being taken to resolve the issue. It’s also a good idea to tell your supporters how you plan to work with any vendor to protect their personal data in the future.
In theory, you’re not responsible for informing individuals whose information is no longer being stored or processed on your behalf. However, if your supporters gave the auction house permission to store their data, the vendor will of course have to contact them about the data breach, and they will likely have concerns about your organization. It is better for you to address those concerns, and possibly provide them with steps for having the vendor disclose how their personal data is being used. EU residents have the right to know why and for how long their data is being stored, and, subject to limited exceptions, the right to have their data deleted.
The Most Important Lesson Learned: Data security cannot be an afterthought
Making sure your organization’s data security protocol is in line with the strict rules of the GDPR can feel overwhelming, especially when the threat of large fines looms. Our auction example demonstrates how your annual fundraiser can easily blur the lines between data controllers and data processors, leaving you wondering what your role and responsibilities are. It’s important to realize, though, that the GDPR is codifying a concept your organization should have made a fundamental principle all along: “privacy by design and privacy by default.” We all have to think about data privacy from the beginning of any project, and through its entire life cycle.