The General Data Protection Regulation (GDPR), the EU's data protection law, goes into effect on May 25, 2018. The GDPR applies to any business or organization that offers goods or services to, or collects data from, residents of the EU, regardless of whether it is a for-profit or not-for-profit entity.
While NCDC cannot provide legal guidance on this issue, we feel it is critical for Catholic fundraisers to understand the scope and impact this regulation will have on any organization that maintains personal data.
We aren't in Europe. Why do we need to worry about this?
Regardless of where you are located, the law applies to you if:
- You have supporters in the EU or maintain data on any individuals in the EU
- You host events in the EU
- Residents of the EU attend your events
- You have employees in the EU
- You offer a version of your website in a language spoken in EU countries (in addition to English), which is treated as a sign that you are targeting EU residents
Even if you don't believe you have constituents in the categories above (which is unlikely), these regulations are widely regarded as the benchmark for good practice in data protection and data management. Meeting them demonstrates that your organization prioritizes the protection of your supporters' and donors' data.
Fines for noncompliance can reach 4% of global annual revenue or €20 million, whichever is higher. There will be no grace period for compliance: organizations have already had two years' notice before enforcement begins.
What kind of regulations does the GDPR include?
The primary focus of the GDPR is data protection and the right to privacy. In the U.S., data is generally treated as the property of the organization that collects it. Europe, by contrast, views privacy as a personal right, so personal data belongs to the individual, not to the organization collecting it. The GDPR protects personal data ranging from names and email addresses to photos and banking information, and it guarantees individuals' rights to access, correct, and delete their data.
Recommended Reading: Guide to General Data Protection Regulation (GDPR) from the U.K. Information Commissioner’s Office
Under the GDPR, organizations must have a "lawful basis for processing" personal data. There are six lawful bases, and which one applies depends on the purpose for which the data is used. Depending on the lawful basis under which you operate, constituents are entitled to certain individual rights, ranging from the right to be informed to rights in relation to automated decision-making and profiling.
What are the biggest concerns for Catholic nonprofits?
According to OneTrust, the primary concerns for nonprofits regarding the GDPR are acknowledging the rights, preferences, and consent of their supporters and donors.
“The enactment of GDPR reiterates the four conditions that need to be present in order for consent from supporters to be valid:
- Data must be freely given: The individual must consent without force, and they don’t have to give unnecessary details in order to donate or participate in an event
- Data submission must be informed: Communication must be very clear with regard to what is being asked of them, and how they opt in or out
- Data consent must be specific: An individual’s consent for one specific occasion can’t be applied to future instances, and can’t be changed later without further approval
- Data consent must depend upon a positive action to indicate: An individual must tick a box, click “yes,” or complete a form to indicate consent. Absence of action isn’t allowed.
“To avoid fines, charities need to start thinking about how they’ll ensure that supporters and donors aren’t contacted once they’ve withdrawn consent or have objected to the charity’s use of their information.”
What should Catholic nonprofits be doing now to comply?
After determining whether your data practices make you subject to the GDPR (which is likely), we recommend reviewing what personal data your organization collects and how it is used, including any third parties with which you share that data (mail houses, email providers, etc.). Responsibility for compliance must be organization-wide; this is not simply a development department or IT department issue.
Depending on the amount of data and how it is used, you may wish to consult with legal counsel.
We also recommend reviewing the U.K. Information Commissioner's Office's guide Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now.
Read more and prepare for GDPR compliance:
- Are you GDPR Ready? A checklist [HubSpot]
- GDPR Takes Effect in May 2018 — Is Your Nonprofit Ready? [TechSoup]
- [VIDEO] GDPR - Non-Profits: What Do You Need to Do? [Blackbaud Europe]
- GDPR Compliance Quick Guide for U.S. Nonprofit Organizations and Associations [Whiteford Taylor Preston]
Subscribe to the Catholic Fundraiser for tips and tactics for professionals in the Catholic fundraising community.