General Data Protection Regulation

Data protection laws across Europe are undergoing their first substantial changes in approximately 20 years. The General Data Protection Regulation (GDPR), due to come into law on May 25, 2018 is at the center of the change and has received intense coverage across the non-profit sector and mainstream press. The rationale behind the changes is to bring aging data collection practices up-to-date and incorporate data protection, privacy mandates and best practices.

At Blackbaud, data protection and privacy are a priority. We continue to design new functionality that marry data compliance with fundraising best practice, and our new communication preference management features are designed to provide organizations with the tools they need to ensure their data collection and usage practices meet the requirements of GDPR, as part of your compliance process.

If you are an EU organization, please refer to our Collecting Consent Customer Hub for more information and GDPR resources.

If you are an organization outside of the EU, please refer to our FAQ below to find out more information about GDPR and whether you could be subject to it.

GDPR for Organizations Outside of the EU

While the GDPR is a European Union (EU) privacy law, organizations outside of the EU can also be subject to the GDPR. We have prepared a FAQ to help answer the often-complex questions surrounding GDPR compliance and developed a comprehensive set of resources to assist you in your GDPR compliance practices, should you determine that your organization needs to comply.

What is the GDPR?

The General Data Protection Regulation (GDPR) is a European Union (EU) legislation that will be enforceable from May 25, 2018, replacing the aging Data Protection Act (DPA). It is designed to both strengthen and harmonize data protection across EU member states, and ensure organizations treat the personal data of individuals—supporters, customers, donors and constituents­­—with more respect and ultimately strengthen trust between organizations and individuals.

Who does the GDPR apply to?

The GDPR applies to any organization processing (collecting, recording, storying, using, disclosing, etc.) an individual’s personal data if the organization is either established in the EU, targeting in the EU, monitoring EU residents or performing these tasks as obligated via contract. Such organizations that are subject to the GDPR and collect, store or process personal data must comply with the GDPR’s Data Protection Principles and other conditions of processing. The GDPR makes no distinction between non-profit or for-profit organizations.

Does the GDPR only apply to EU organizations?

No. Organizations outside of the EU can also be subject to the GDPR if they hold or process personal data of EU citizens—regardless of whether the company is based in the EU or not—but only if they’re actively targeting EU residents by taking steps like using an EU language or currency or specifically advertising in the EU. Blackbaud cannot determine whether or not your organization must comply with GDPR.

Could my organization be subject to the GDPR?

You could be subject to GDPR if your organization is:

  1. Established in the EU
    • GDPR will apply to controllers or processors established in the EU, regardless of where the processing occurs.
    • Established can be legal organization or where the processor exercises any real or effective activities through a stable arrangement in the EU.
  2. Targeting in the EU
    • Not established in the EU, but processing is related to offering goods or services to people in the EU.
    • The processor must be taking actions to target EU residents, like using an EU language or currency, advertising in the EU, using EU country top-level domain name etc.
  3. Monitoring EU Residents
    • Not established in the EU but processing is related to monitoring the behavior of people in the EU.
    • Monitoring is tracking individuals on the internet for purpose of analysis, including making user profiles to make decisions or predicts behaviors.
  4. Obligated via Contract
    • Not covered by the three points outlines above but is contractually obligated to comply with GDPR.
    • Organizations not subject to GDPR may agree to process data in accordance with its provisions.

How can I check if my organization is legally subject to the GDPR?

If you believe your organization could be subject to the GDPR, it is best to work with your legal advisor, who is familiar with your practices and constituents, to determine your obligations under existing laws. While the information provided herein is reliable, it does not constitute legal advice and should not be construed as legal advice or legal opinion.

What are the GDPR data protection principles?

The data protection principles in the GDPR remain largely unchanged from those contained in the UK’s Data Protection Act of 1988. They feature prominently in the GDPR as the main tenets of data protection and privacy.

  • Lawfulness, fairness and transparency: Processing must be lawful, fair and transparent.
  • Purpose limitation: Personal data must be collected for specified, explicit and legitimate purposes and not further processed in an incompatible way.
  • Data minimization: Personal data must be adequate, relevant and limited to what is necessary to achieve the purposes for which it was collected.
  • Accuracy: Personal data must be accurate and kept up to date and collector must take reasonable steps to rectify or erase inaccurate data.
  • Storage Limitation: Personal data must not be kept in identifiable form for longer than necessary.
  • Integrity and confidentiality: Personal data must be processed in a way that ensures security of the data and protects it from unauthorized use.
  • Accountability: Controllers must demonstrate compliance with the Principles.

If I am an organization outside of the EU and subject to the GDPR, do I need to apply the GDPR compliance and consent practices to my full constituent base or to only those individuals in the EU?

If you are subject to the GDPR, after May 2018 you will only be able to process data of individuals in the EU in compliance with the GDPR (see following question below). If you’re relying on opt-in consent as your legal basis for data processing under the GDPR, you will have needed to collect that consent before May 2018.

In regard to applying the GDPR compliance practices to your constituents located outside of the EU (for example such as those in North America), we cannot provide a definitive answer to that. However, as the industry becomes more stringent on security and compliance, ensuring proper consent of personal data is a best practice in general. You should confer with your Data Protection Officer or legal advisors to determine what your best practices and process should be here.

What are the 6 legal bases for processing data?

While much of the focus of the GDPR is on opt-in consent, there remain six lawful bases under which you can process data. You must decide which legal basis you are relying on for processing personal data for each of your activities and clearly document this. Aside from processing based on consent, GDPR provides that processing personal data can be lawful if it is necessary for the performance of a contract, to comply with a legal obligation, to protect a person’s vital interests, for the performance of a task carried out in the public interest or in the exercise of controller’s official authority, or for legitimate interests of the controller.

What is Blackbaud’s role in relation to the GDPR?

Blackbaud is fully committed to data protection and ensuring our solutions are optimized for data compliance with fundraising best practice. We have consulted with a wide range of data protection authorities, customers, legal counsel and product development leadership since March 2016, and have continued to work on ways to improve the user experience in our solutions, specifically in regard to the capture, recording and use of your supporters’ consent.

In many of our solutions, new communication preference management features have begun to be released (beginning in Q4 2017 and continuing into 2018). In addition, for several other solutions we are providing How-To Guides with recommendations on how to use existing product capabilities to capture consent. While we do not guarantee that the use of these features or documentation make an organization GDPR compliant, these tools are designed to assist with the compliance process.

What communication preference management features are going to be released in which products?

To find out more information on what features are being released in which releases of products, please view our product documentation here.

How do I upgrade to the latest version of my Blackbaud solution to harness these new features?

For Blackbaud products that are being updated with new features, if you are on a Blackbaud cloud or hosted solution and Blackbaud delivers updates for you, you will be able to a leverage market-leading communication preference management, in accordance with GDPR requirements, as soon as the features are available. If you determine the upgrade schedule of your Blackbaud solutions, you will need to upgrade to the latest version of your products to avail of these new features.

If I upgrade to the latest version of my solution and make use of the new communication preference management features, will I be GDPR compliant?

No, simply upgrading does not make your organization compliant. The onus is on your organization’s internal data management practices to ensure compliance. Blackbaud’s new features are designed to assist your organization in your compliance efforts, such as enabling you to collect and evidence opt-ins and opt-outs in a GDPR-compliant way.

Where can I learn more about the GDPR and collecting consent?

Blackbaud have developed a comprehensive library of resources to support your organization’s GDPR compliance practices which can be found on our GDPR hub: