Is Your Organization Ready for GDPR?

The General Data Protection Regulation, or GDPR, went into effect on May 25, 2018 and many nonprofit organizations don’t realize they could be impacted. The GDPR is a set of laws enacted by the European Union (EU) to protect individual rights to privacy and control over personal data. 

Contrary to popular belief, GDPR affects any organization that does business with the EU, regardless of whether they are based in Europe or not. This includes organizations that:

  • Have an office in the EU,
  • Serve people in EU countries, or
  • Have websites that track personal data like IP addresses and include visitors from the EU

If affected, organizations are expected to comply with the GDPR regulations which include:

  1. Right of Access: If someone from the EU asks to access their personal data, the organization must provide it within 72 hours.
  2. Right of Erasure: If someone from the EU asks to have all their data erased, the organization must comply with this request.
  3. Consent: The individual must give their consent for data collection and the purposes for which the data will be used.
  4. Responsibility and Accountability: The organization must assign a Data Protection Officer (DPO) who is responsible for GDPR compliance. The DPO should have expertise in the areas of national and European data protection law, GDPR, and the organization’s information technology systems and data security.
  5. Data Breaches: The organization has 72 hours to report any data breaches to the appropriate authorities.

Failure to comply with the regulations may result in fines of up to $23.2 million or 4% of the organization’s worldwide annual revenue, whichever is greater.

How can organizations ensure they are in compliance with GDPR? The steps to take will vary based on the organization’s level of exposure to GDPR. For organizations operating in or serving citizens in the EU, the risk is higher and legal counsel is recommended. For organizations that may be affected by GDPR through website traffic, Five Q, a digital services company that specializes in nonprofits, and its software solution Journity, offer 5 Action Steps to help organizations move toward GDPR compliance. To download Journity’s free GDPR Guide for Nonprofits, which includes the action steps as well as other helpful information, click here.

With several widespread data breaches occurring recently in the US, including the high-profile Facebook breach, legislation similar to GDPR may be on the horizon in the United States. ECFA will continue to monitor this issue and report any updates that may further affect churches and nonprofits.


This text is provided with the understanding that ECFA is not rendering legal, accounting, or other professional advice or service. Professional advice on specific issues should be sought from an accountant, lawyer, or other professional.