General Data Protection Regulation

The General Data Protection Regulation (“GDPR”), which came into law in the European Union on May 25, 2018, has received intense coverage across the non-profit sector and mainstream press. The rationale behind the changes to the existing data protection regime was to bring aging data collection practices up-to-date and incorporate data protection, privacy mandates and best practices.

Though the United Kingdom (“UK”) left the European Union (“EU”), the GDPR is retained in UK domestic law. The UK GDPR absorbs the privacy compliance requirements of the EU GDPR and sits alongside the UK’s Data Protection Act 2018. All references to “the GDPR” in this resource refer to both the EU GDPR and the UK GDPR.

At Blackbaud, data protection and privacy are a priority. We continue to design new functionality that marries data compliance with fundraising best practice, and our new communication preference management features are designed to provide organizations with the tools they need to ensure their data collection and usage practices meet the requirements of the GDPR, as part of your compliance process.

If you are an EU or UK organization, please refer to our Collecting Consent Customer Hub for more information and GDPR resources.

If you are an organization outside of the EU or UK, please refer to our FAQ below to find out more information about the GDPR and whether you could be subject to it.

GDPR for Organizations Outside of the EU or UK

While the GDPR is an EU and UK privacy law, organizations outside of the EU or UK can also be subject to the GDPR. We have prepared a FAQ to help answer the often-complex questions surrounding GDPR compliance and developed a comprehensive set of resources to assist you in your GDPR compliance practices, should you determine that your organization needs to comply.

What is the GDPR?

The GDPR is a law in both the EU and the UK that has been enforceable from May 25, 2018. It is designed to both strengthen and harmonize data protection across EU member states and the UK, and ensure organizations treat the personal data of individuals—supporters, customers, donors and constituents—with more respect and ultimately strengthen trust between organizations and individuals. Though the UK left the EU, the GDPR is retained in UK domestic law. The UK GDPR absorbs the privacy requirements of the EU GDPR and sits alongside the UK’s Data Protection Act 2018. All references to “the GDPR” in this resource refer to both the EU GDPR and the UK GDPR.

Who does the GDPR apply to?

The GDPR applies to any organization processing (collecting, recording, storing, using, disclosing, etc.) an individual’s personal data if the organization is either established in the EU or UK, targeting in the EU or UK, monitoring EU or UK residents or performing these tasks as obligated via contract. Such organizations that are subject to the GDPR and collect, store or process personal data must comply with the GDPR’s Data Protection Principles and other conditions of processing. The GDPR makes no distinction between non-profit or for-profit organizations.

Does the GDPR only apply to EU organizations?

No. Organizations outside of the EU and UK can also be subject to the GDPR if they hold or process personal data of EU or UK citizens—regardless of whether the company is based in the EU or UK or not—but only if they’re actively targeting EU or UK residents by taking steps like using an EU or UK language or currency or specifically advertising in the EU or UK. Blackbaud cannot determine whether or not your organization must comply with the GDPR.

Could my organization be subject to the GDPR?

You could be subject to GDPR if your organization is:

  1. Established in the EU or UK
    • GDPR applies to controllers or processors established in the EU or UK, regardless of where the processing occurs.
    • Established can be a legal organization or where the processor exercises any real or effective activities through a stable arrangement in the EU or UK.
  2. Targeting in the EU or UK
    • Not established in the EU or UK, but processing is related to offering goods or services to people in the EU or UK.
    • The processor must be taking actions to target EU or UK residents, like using an EU or UK language or currency, advertising in the EU or UK, using an EU or UK country top-level domain name, etc.
  3. Monitoring EU or UK Residents
    • Not established in the EU or UK but processing is related to monitoring the behavior of people in the EU or UK.
    • Monitoring is tracking individuals on the internet for the purpose of analysis, including making user profiles to make decisions or predict behaviors.
  4. Obligated via Contract
    • Not covered by the three points outlined above but is contractually obligated to comply with GDPR.
    • Organizations not subject to GDPR may agree to process data in accordance with its provisions.

How can I check if my organization is legally subject to the GDPR?

If you believe your organization could be subject to the GDPR, it is best to work with your legal advisor, who is familiar with your practices and constituents, to determine your obligations under existing laws. While the information provided herein is reliable, it does not constitute legal advice and should not be construed as legal advice or legal opinion.

What are the GDPR data protection principles?

The data protection principles in the GDPR remain largely unchanged from those contained in the EU’s Data Protection Directive, 1995 Directive 95/46/EC and the UK’s Data Protection Act of 1988. They feature prominently in the GDPR as the main tenets of data protection and privacy.

  • Lawfulness, fairness and transparency: Processing must be lawful, fair and transparent.
  • Purpose limitation: Personal data must be collected for specified, explicit and legitimate purposes and not further processed in an incompatible way.
  • Data minimization: Personal data must be adequate, relevant and limited to what is necessary to achieve the purposes for which it was collected.
  • Accuracy: Personal data must be accurate and kept up to date, and the collector must take reasonable steps to rectify or erase inaccurate data.
  • Storage Limitation: Personal data must not be kept in identifiable form for longer than necessary.
  • Integrity and confidentiality: Personal data must be processed in a way that ensures security of the data and protects it from unauthorized use.
  • Accountability: Controllers must demonstrate compliance with the Principles.

If I am an organization outside of the EU or UK and subject to the GDPR, do I need to apply the GDPR compliance and consent practices to my full constituent base or to only those individuals in the EU or UK?

If you are subject to the GDPR, you are only able to process data of individuals in the EU or UK in compliance with the GDPR (see following question below).

In regard to applying the GDPR compliance practices to your constituents located outside of the EU or UK (for example, those in North America), we cannot provide a definitive answer to that. However, as the industry becomes more stringent on security and compliance, ensuring proper consent of personal data is a best practice in general. You should confer with your Data Protection Officer or legal advisors to determine what your best practices and process should be here.

What are the 6 legal bases for processing data?

While much of the focus of the GDPR is on opt-in consent, there remain six lawful bases under which you can process data. You must decide which legal basis you are relying on for processing personal data for each of your activities and clearly document this. Aside from processing based on consent, the GDPR provides that processing personal data can be lawful if it is necessary for the performance of a contract, to comply with a legal obligation, to protect a person’s vital interests, for the performance of a task carried out in the public interest or in the exercise of controller’s official authority, or for legitimate interests of the controller.

What is Blackbaud’s role in relation to the GDPR?

Blackbaud is fully committed to data protection and ensuring our solutions are optimized for data compliance with fundraising best practice. We have consulted with a wide range of data protection authorities, customers, legal counsel and product development leadership and have continued to work on ways to improve the user experience in our solutions, specifically in regard to the capture, recording and use of your supporters’ consent.

In many of our solutions, new communication preference management features have been released. In addition, for several other solutions we provided How-To Guides with recommendations on how to use existing product capabilities to capture consent. While we do not guarantee that the use of these features or documentation makes an organization GDPR compliant, these tools are designed to assist with the compliance process.

How do I upgrade to the latest version of my Blackbaud solution to harness these new features?

For Blackbaud products updated with new features, if you are on a Blackbaud cloud or hosted solution and Blackbaud delivers updates for you, you will be able to leverage market-leading communication preference management, in accordance with GDPR requirements, as soon as the features are available. If you determine the upgrade schedule of your Blackbaud solutions, you will need to upgrade to the latest version of your products to avail of these new features.

If I upgrade to the latest version of my solution and make use of the new communication preference management features, will I be GDPR compliant?

No, simply upgrading does not make your organization compliant. The onus is on your organization’s internal data management practices to ensure compliance. Blackbaud’s new features are designed to assist your organization in your compliance efforts, such as enabling you to collect and evidence opt-ins and opt-outs in a GDPR-compliant way.

Where can I learn more about the GDPR and collecting consent?

Blackbaud has developed additional resources to support your organization’s GDPR compliance practices which can be found on our GDPR hub: