The New EU Privacy Rules – What You Should Know
Barbara A. Miller, CPA
Data Protection Regulations Include U.S. Not-for-Profits
Most U.S. not-for-profits have paid little attention to the European Union’s (EU’s) General Data Protection Regulation (GDPR), which took effect May 25, 2018. The GDPR revises the standards for privacy rights, information security and compliance in the EU. But, because the GDPR applies to all organizations — inside and outside the EU — that access or process data about persons in Europe, unsuspecting U.S. organizations could fall under these requirements.
The regulation’s requirements are much stricter than any existing U.S. privacy standards. For example, they define “personal data” to include a wide range of personal identifiers, including name, address, Social Security or identification number, email addresses, location data and online identifiers such as cookies or IP addresses. With such a broad definition, odds are that your organization collects at least some data subject to the rules.
It is important to note that the GDPR applies to companies outside the EU that process or hold the personal data of “data subjects” (defined as identifiable natural persons) who are physically in the EU. It does not matter where the processing takes place or whether the subjects are EU residents.
The GDPR establishes strict requirements for how organizations must manage personal data. Among other topics, it includes provisions related to:
- Data security and data governance, including the mandatory appointment of a data protection officer in certain circumstances;
- Consent to processing;
- Mandatory breach notification within 72 hours of discovery;
- Access to personal data and data erasure (the “right to be forgotten”);
- Data portability; and
- Cross-border data transfers.
Rights of Individuals
The most notable provisions for not-for-profits address consent, disclosure and the right to be forgotten. The GDPR requires organizations to obtain consent from individuals to collect their personal data. You cannot just add new donors’ email addresses to your system or require them to opt out of communications.
Instead, consent requires an affirmative action by the individual, such as clicking on an “I agree” statement. The personal data you already possess is not grandfathered in: you must obtain consent for that data or purge it completely from all your systems (including employees’ spreadsheets and Outlook contact lists).
You also must disclose to individuals the data you collect on them on request, so you will need to keep close track of such information. And if an individual asks to be forgotten, you must delete all of his or her data or anonymize it, across all departments and, where applicable, with third-party vendors that have had access to the data.
Proceed with Caution
A serious violation of the GDPR can bring a penalty as high as 20 million euros (about $23 million) or 4% of the violator’s annual revenue, whichever is higher. While questions remain about enforcement in the United States, it is certain that few not-for-profits could survive such a hit. You need to determine whether your organization’s practices abide by the rules and develop a compliance plan for employees, volunteers and third-party vendors.
Harry Fox, CPA
Senators Pursue Charitable Giving Data
Will the recent federal tax overhaul hurt charitable giving? Two U.S. senators want an answer in hard facts. Sens. Chris Coons (D-Del.) and James Lankford (R-Okla.) have sent the Trump administration a letter asking it to provide available data on charitable deductions in 2018. They note that the Tax Cuts and Jobs Act’s near doubling of the standard deduction changes the incentives for taxpayers to itemize and claim the charitable deduction.
The senators also cite two nonpartisan think tanks that estimate this could result in a drop in charitable giving of 4-5%. In addition to currently available data, the senators requested quarterly data on the number of charitable deductions claimed, the average size of donations and, when available, a comparison to the previous ten years.
Cryptocurrency Campaign Launched
The largest independent evaluator of U.S. not-for-profits has launched a campaign to accept donations made with Bitcoin and BitCash cryptocurrency as charitable gifts. Like the organizations it reports on, Charity Navigator is a not-for-profit, supported mainly by individual donors. Its decision to accept cryptocurrency may indicate that not-for-profits are starting to recognize blockchain technology (a public digitized ledger or database in a cryptocurrency network, which unalterably records and shares secure information) as another viable channel for social investors to make tax-deductible donations.
Wealthy Investors Leverage New Tax Law to Cut Taxes, Fight Poverty
Some little-publicized provisions of the Tax Cuts and Jobs Act (TCJA) are prompting investors to join the battle against poverty. The TCJA establishes Qualified Opportunity Zones (QOZs) within low-income communities. There, investors can fund development and redevelopment projects by reinvesting profits that are short- and long-term capital gains. In addition to deferring the tax on their current investment gains, investors will see the taxes due on those gains gradually reduced over time as they obtain incremental step-ups in basis.
Some billionaire philanthropists are already jumping in. In North Charleston, SC, for example, real estate investors are rehabbing an abandoned school into a tech incubator, with backing from venture capital firms.
How NFPs Communicate
A new study released by Nonprofit Marketing Guide, a communications consultant for not-for-profits, digs into recent developments in not-for-profit communications. The 2018 Nonprofit Communications Trends Report finds, among other things, that on average, not-for-profits send out two print newsletters, three print appeals and eight press releases in a year. Half of not-for-profits use editorial calendars and editorial meetings, and about two-thirds repurpose content. Effective not-for-profit communicators are even more likely to use calendars, meetings and repurposed content. Only one-third of less-effective not-for-profit communicators employ such best practices.