Understanding the New EU Data Protection Laws and How They Impact Michigan Foundations

Have you noticed a recent influx of messages in your inbox alerting you to changes in company privacy policies and requests to confirm email subscriptions? It is likely those alerts are connected to the General Data Protection Regulation (GDPR) - the new privacy law in the European Union (EU).

After four years of preparation, changes to the EU's data protection regulations were approved in April 2016 and took effect on May 25, 2018.

Replacing the EU's previous data protection directive written in the mid-90s, GDPR imposes new rules on companies, government agencies and nonprofits, among others. The requirements address enhanced security, technical and organizational measures, transparency, record keeping and accountability.

As Philanthropy News Digest reports, the rules affect organizations that offer goods and services to people in the EU or that collect, store and analyze data tied to EU residents, regardless of where the organization itself is located.

"The average person will have more explicit rights under GDPR to know who stores, processes and has access to their personal data. Under GDPR, EU residents can request access to, rectification of and deletion of their data."

Consequences for noncompliance are steep, with fines up to 4% of the company's global revenue (up to approximately $26.8 million).

What the GDPR Changes Mean for Michigan

CMF members who work internationally and interact with data belonging to EU residents should be taking steps to meet the GDPR requirements by adjusting data policies and practices, notifying constituents of the changes being made and seeking new approvals, as needed.

Foundations with no direct data connection to the EU should also consider paying close attention to the changes.

"Many nonprofit organizations collect a lot of personal data such as names, addresses, emails and social media posts," Tal Frankfurt, founder and CEO of Cloud for Good, said in highlighting the impact of GDPR in the U.S. "This data could be collected from donors, constituents, volunteers, vendors or even those who are only interested in following what your organization does. It does not need to be related to any financial information or even related directly to the services your organization provides."

Some consider the new data protection laws in the EU a global best practice and advise all organizations to take the opportunity to review and update their policies.

“Charities with bad security practices, bad habits like pre-checked boxes as ‘consent’ and inadequate information about the sources of and use of data should very carefully consider the reputational cost of failing to update their practices,” said Joe McNamee, executive director, European Digital Rights (EDRi).

Microsoft's Nonprofit Guidelines for Cybersecurity and Privacy highlights a similar need for change.

"Nonprofits have increasingly adopted technology to improve their effectiveness and to scale their services to extend their reach. Yet many nonprofit organizations have struggled to focus the same attention on their cybersecurity and data protection planning. This lack of attention could expose nonprofits to potential (and expanding) security and regulatory risks that most nonprofits simply cannot afford."

The U.S. may not be far behind the EU in making changes to data privacy laws. Taking time to proactively review and revise existing practices now may reduce the impact of a future legislative change in the U.S.

In the meantime, the United Kingdom's Information Commissioner’s Office (ICO), an independent regulatory office in charge of upholding information rights in the interest of the public, has outlined "12 steps to take now" to prepare for regulation changes.

Want more?

Read the ICO overview on GDPR.

Access ICO's list of 12 steps to take now.