In this three-part article, we are examining the laws, regulations, and procedures that should be considered by nonprofits in the collection and management of the data they collect and store.

In the first part of this three-part article, we introduced three legal frameworks that nonprofit organizations should be acquainted with if they collect and manage confidential information from donors, volunteers, staff, and clientele (most do, of course).

The first was the Telephone Consumer Protection Act (TCPA), which regulates solicitations via phone and text. In the second part, we discussed the laws that govern data protection and data breaches.

Here, in the third and final part of the series, the concept and details of general data protection regulation (GDPR) will be introduced and discussed.

What is General Data Protection and Regulation?

In a world increasingly focused on digital communications, personal data, and economic data, the GDPR is probably seriously overdue. It is an over-arching philosophy or approach designed for use in the European Union to give citizens more control over their own personal data and the way it is used by organizations (both private and governmental). Some would call it a new approach to online data use and storage, others would say it's more of a set of reforms that modify old ways of doing business. In any case, one goal of GDPR is also to simplify the regulatory and legal framework for agencies and businesses that work with consumer data (which, let's admit, is almost all agencies and businesses). Thus, GDPR is designed to make digital communications and commerce easier for businesses and safer for ordinary citizens.

Simply put, the GDPR is a single set of regulations that mandates that companies and agencies must, under threat of penalties:

1. Gather data legally and under conditions that protect it from misuse, theft, and exploitation.

2. Respect the rights of the data owners.

3. Notify data owners if their data has been breached.

Why is the GDRP important?

The GDPR was designed to bring all regulatory and legal factors under one relatively simple framework, but it was also intended to blaze a new legal pathway into the world we currently find ourselves in, one in which data collection, usage, and analysis are ubiquitous among organizations of all kinds and for all individuals. Almost every aspect of our lives is now very likely to utilize, require, or collect data from us--from social media, commerce, banking, and our relationship to government agencies. The GDPR was meant to simplify the legal reality of this while also protecting citizens and consumers from abuse, scams, unauthorized data access, unethical practices, and similar unwanted data-related outcomes.

Therefore, although the GDRP is a legal and regulatory framework created for use in the European Union, some similar form of overarching legislation is likely to take hold in most countries, including the United States. One way to get ahead of this new, informed, advanced set of data collection and management procedures would be to become familiar with the GDRP and adopt (in principle, at least) its major components.

‍