General Data Protection Regulation (GDPR)
The EU’s General Data Protection Regulation (GDPR), which came into effect on May 25, 2018, is designed to protect the privacy and personal data of individuals within the European Union. It regulates how organizations, including charities, fundraising agencies, and software companies, must handle personal data such as names, email addresses, and donation histories.
The following key guidelines apply:
- Consent: Organizations must obtain explicit consent from individuals before collecting or using their personal data for fundraising, marketing, or other purposes.
- Transparency: Clear communication about how data is used, stored, and processed must be provided to donors and supporters.
- Right to Access and Erasure: Donors have the right to access their data and request its deletion (the "right to be forgotten").
- Data Security: Charities, agencies, and software providers are responsible for securing personal data against breaches and must report any breaches within 72 hours.
GDPR gives individuals more control over their data and imposes strict penalties for non-compliance. Any organization that handles and processes personal data is required to adhere to strict data and permission practices concerning the collection and use of personally identifiable information (PII).
For example, GDPR mandates that any organization outsourcing personal data processing (such as fundraising data) to a third party must establish a Data Processing Agreement (DPA), ensuring that both parties comply with the regulation.