Six months after implementation of the European Union’s General Data Protection Regulation (“GDPR”),¹ many charitable organizations are still struggling with compliance. Our pro bono clients frequently ask whether consent is now required to send solicitations or communications via email to donors or potential donors. Before addressing that discrete question, here are some key GDPR principles that apply to non-profit organizations:
What is personal data? Personal data encompasses any information that may directly or indirectly identify an individual (for example, a name is a direct identifying element, while a date of birth, email address, phone number, home address, or photo is an indirect identifying element).² Personal data also includes information about the characteristics of an individual (hobbies, for instance), opinions of a person, and online identifiers (cookies, IP address). Because the definition of personal data is so broad, all charitable organizations process personal data.
What is data processing?³ Processing is defined very broadly in the GDPR and includes the collection, recording, storage, adaptation, use, erasure, and mere consultation of personal data.