<p><strong>How the EU’s Data Protection Regulations Might Affect U.S. Nonprofits</strong></p>
<p>Published November 15, 2019. Source: https://www.sfw.cpa/news-and-guides/how-the-eus-data-protection-regulations-might-affect-u-s-nonprofits/</p>
<p>Your not-for-profit may have paid little attention to the European Union’s (EU’s) General Data Protection Regulation (GDPR), which took effect May 25, 2018. The GDPR revises standards for privacy rights, information security and compliance in the EU. Yet it might also apply to U.S.-based organizations, such as your not-for-profit.</p>
<p><strong>Big steps beyond</strong></p>
<p>GDPR requirements are comprehensive and go far beyond existing U.S. privacy standards. They address:</p>
<ul>
<li>Data security and data governance,</li>
<li>Consent to processing,</li>
<li>Mandatory breach notification,</li>
<li>Access to personal data and data erasure (the right to be “forgotten”),</li>
<li>Data portability, and</li>
<li>Cross-border data transfers.</li>
</ul>
<p>Organizations must notify the appropriate EU authority within 72 hours after becoming aware of a data breach. By contrast, U.S. states’ breach notification laws require notification “without unreasonable delay,” with the shortest timing at 30 days, while the Health Insurance Portability and Accountability Act (HIPAA) allows 60 days.</p>
<p>The regulations define “personal data” broadly to include such identifiers as name, address, Social Security or tax identification number, and email address. Location data and online identifiers such as cookies or IP addresses are also considered personal data.</p>
<p>Notably, GDPR rules apply to entities outside the EU that process or hold the personal data of “data subjects” who are physically in the EU. It doesn’t matter where the processing takes place or whether the subjects are EU residents.</p>
<p><strong>Rights of individuals</strong></p>
<p>To comply with the GDPR, your nonprofit must obtain consent from individuals to collect their personal data. This means the person takes affirmative action, such as clicking on an “I agree” statement, and the personal data you already possess isn’t “grandfathered in.” You must obtain consent for that data or purge it completely from your systems (including employees’ spreadsheets and Outlook contact lists).</p>
<p>You also must disclose to individuals, upon request, the data you collect on them, so you’ll need to keep close track of such information. And if individuals ask to be forgotten, you must delete all of their data or anonymize it.</p>
<p><strong>Proceed with caution</strong></p>
<p>A serious violation of the GDPR can bring a penalty as high as 20 million euros (about $23 million) or 4% of the violator’s annual revenue. Questions remain about enforcement in the United States, but that’s no excuse not to abide by the rules and develop a compliance plan now. Contact us if you have questions.</p>
<p>© 2019</p>