GDPR Compliance Quick Guide for U.S. Nonprofit Organizations and Associations

Date: February 26, 2018

The General Data Protection Regulation (GDPR) is a privacy regulation of the European Union designed to give individuals control over their personal data. The GDPR protects the privacy of individuals, regardless of their nationality, whose data is collected while they are located in the European Union, Iceland, Liechtenstein or Norway (EEA). For example, the personal data of an organization’s employee, independent contractor, or volunteer located in the EEA may be protected by the GDPR even if that individual is a U.S. citizen and resident.

The GDPR has a broad territorial scope that may apply to nonprofit organizations and associations in the United States. We have listed some common scenarios for U.S. associations: 

  • Does your organization have members in the EEA?
  • Does your organization host events, conferences, educational or training programs, seminars, meetings, or administer exams in the EEA?
  • Does your organization host any of the events listed above in the United States that are attended by individuals from the EEA?
  • Does your organization certify individuals in the EEA?
  • Does your association have employees, independent contractors, volunteers, or vendors in the EEA?
  • Does your association have a website with a version in a language spoken in EEA countries (in addition to English)?
  • Does your association have an affiliate or subsidiary or other physical presence in the EEA? 

If the answer is yes to any of these questions, your association may be subject to the requirements of the GDPR.

As the GDPR takes effect on May 25, 2018, it is advisable to start preparing for compliance if the GDPR applies to your organization. Given the extensive nature of GDPR requirements, information and sources suggest that the majority of U.S.-based nonprofit organizations and associations are not in compliance with the GDPR, and likely will not be in full compliance in the next few months. With that, one key piece of advice is NOT to make any representation to the public, in your contracts, or in any privacy policies, that your organization is in compliance with the GDPR at this time, or even to suggest or imply GDPR compliance in communications to potential data subjects. If any reference to the GDPR is made on your organization’s website or in communications to data subjects, that reference must accurately reflect the then-current status of your organization’s GDPR practices and compliance efforts.

As a first step towards GDPR compliance, it may be advisable to take the following actions: 

First, determine whether your organization’s activities bring it within the scope of the GDPR; if yes, the next action is to identify your organization’s staff members who have the most knowledge about what personal data is received from individuals in the EEA (HR, membership, recruitment, etc.) and determine how much personal data is being collected, and how it is being used.

Second, prepare an action plan to identify what internal and external policies need to be adopted, and to identify which agreements (with staff, members, vendors, etc.) need to be amended, for compliance with the GDPR. Depending on the amount of personal data collected and the extent of how it is used, this step may require assistance from legal counsel.  

Finally, identify technological safeguards that may need to be adopted, such as abandoning the use of personal emails and personal laptops for work purposes. GDPR compliance will be an ongoing process for years to come, and beginning with these steps is a good start, as it could demonstrate good faith efforts toward compliance.

As is the case with privacy laws in the United States, becoming compliant with the GDPR does not eliminate an organization’s liability in the event of a data breach. As such, it is strongly advisable to obtain cybersecurity insurance coverage to mitigate risk exposures. Our firm’s cybersecurity practice group will be working on identifying reliable privacy practitioners and consultants, including cybersecurity insurance brokers, to assist firm clients with a more comprehensive GDPR compliance plan.