A Complete Guide to European Privacy Laws

What every NGO needs to know
The new privacy regulations coming out of the European Union have been generating a certain amount of
fear among NGOs. With thousands of pages of legal jargon, it is difficult to understand the scope of the
new law and what changes, if any, your organization needs to make. Outlined below are some helpful
tools and resources that will improve your understanding of the new law.

What is it?
The GDPR, or EU General Data Protection Regulation, came into force on May 25th, 2018. The new law
requires that any organization, company or entity collecting data on EU citizens must comply with the
regulation. This means that even organizations with no physical presence within the European Union are
required to comply. The most important sections of the GDPR are the rights of data subjects, data
processing, liability, and third-party transfers.

1. Rights of Data Subjects- The rights of data subjects section of the regulation is arguably its most
wide-ranging chapter. To comply with the new law, organizations must provide a simple avenue for data
subjects to have themselves completely erased and to prevent any further collection of their data by the
organization. This is commonly referred to as “the right to be forgotten.” The data subject also has the
right to request an electronic copy of any and all information that is being stored and collected on them.
Additionally, wherever personal information is requested, contact information and a privacy policy must
be provided. All in all, this section gives data subjects the right to hold data collectors accountable for
their actions.

2. Data Processing- Much of the data processing section is focused on data security and transparency.
Data collectors are held responsible for what happens to personal information once it is collected and
for having a comprehensive, jargon-free privacy policy. The privacy policy must clearly state what
information is being collected, why it is being collected and with whom it is being shared. Data
processors are also held responsible for the integrity and confidentiality of information while it is being
processed. Data centers and databases are expected to be secured to the highest standards possible, and
if any data is compromised for any reason, the data collector must notify all individuals affected within
72 hours of becoming aware that the data was compromised.

3. Liability- This section outlines further rights given to data subjects, such as the protocol for complaints
and prosecution, and the penalties for organizations that violate the law. Data subjects have the right to
submit a complaint against an organization that they believe has violated the rules of this regulation.
Upon notification of a perceived wrongdoing, there will be an investigation. Depending on the outcome of
the investigation, the individual has the right to press charges and receive appropriate compensation.

4. Third-Party Transfers- Most organizations use third-party data processors to assist in the management,
analysis and storage of data. “Third party” refers to any company, website or other non-affiliated resource
that does not fall under your control. The new law closes the “passing the buck” loophole used by many
data collectors in the past. The organization that initially collects the data is now responsible for what
happens to that data even after it leaves their network or facility. If the data is
crossing international borders or going to an international organization, the data collector must ensure
that the receiving state or organization has acceptable privacy laws in place before the data is transferred.

What has changed?

The GDPR changes many norms in the world of data collection, and it is important to know which
changes are the most important.

1. No jargon- The regulation states very clearly that organizations may no longer hide behind a lengthy
legal document outlining their policies. Privacy statements, terms of use, and terms of service must be in
plain language without confusing legal terms.

2. Easy opt-out- It must be easier for someone to opt out of your service than it is for them to opt in.
For example, any organization that uses email subscriptions and/or newsletters must provide a one-click
opt-out button in each email. Additionally, the customer must actively choose to receive notifications from
the organization and must not be automatically opted in by visiting the website or attending an event.

3. Right to be Forgotten- As explained above, the right to be forgotten gives the data subject the right to
be completely erased from an organization’s records. Previously, organizations could keep data for as long
as they wished, long after that data had any particular use for them and long after the data subject had
stopped using the services provided. The new regulation makes it harder for organizations to keep data for
the sake of keeping it and allows the individual to specifically request that it be deleted.

4. Full Disclosure- Data collectors are now required to be very transparent about what they use personal
information for. The privacy statement needs to be readily available and should say exactly when data is
collected, what data is being collected, and why it is collected and stored.

What will I need to do to comply?

Depending on which country your NGO is based in, you may face a varying degree of change.
Organizations based in countries with strict privacy laws already in place may already be in compliance
with the GDPR. The best way to ensure that your organization is prepared is to closely examine your
privacy policy and ensure that it clearly states what data is being collected, where and why. The next step
is to examine what data is being collected and ensure that no data is being stored after the data subject
has opted out of the service. Lastly, ensure that your data subjects are aware of any changes made to your
privacy policy and have a clear path to get in contact with the organization and opt out of your services.

Frequently Asked Questions

1. What if I do not comply? If you are caught breaking the rules of this regulation, your organization can
be fined up to 20 million euros or 4% of the past year’s revenue, whichever is higher. This is the upper
tier of fines, but the fines charged for even smaller violations are nothing to ignore. Your best bet is to
put the time in now and ensure all of your operations are in compliance with the law.

2. I do not operate at all in the EU; do I still have to comply? The scope of the GDPR has been extended
to any organization that collects data on citizens of any EU member state, regardless of where the
organization is based. If you are not based in the EU and have absolutely no contact with EU citizens, you
do not have to comply. However, many of the changes are aimed at larger corporations, so the effort
needed to comply with the law may be minimal for a smaller organization. The global trend also seems to
be leaning toward stricter privacy laws, so you may want to begin updating your policies anyway.

3. My organization is a certified NGO or non-profit that does not sell goods or services. Do I need to
comply? Yes. Any organization that collects data on EU citizens must fully comply, regardless of whether
or what goods or services it provides.

4. My organization does not collect data electronically. Do I need to comply? Since many of the new
regulations are centered on the electronic collection and sharing of personal data, the regulation may not
apply to your operations. However, it would be best to comply as far as you can to avoid any questions
down the road.

5. Does the GDPR apply to those in the UK or to organizations collecting data on UK citizens? Yes. The UK
has stated that it will comply with the new EU data regulations and has created its own UK Data
Protection Bill, which covers most of the changes made in the GDPR. This bill will provide continuous
privacy legislation during and after the UK’s official separation from the EU in March 2019.

6. What is considered personal data? For the purposes of this law, personal data refers to any data that
has the potential to directly or indirectly identify a specific person. This can be information such as
names, ID numbers, credit card information, or location data.

Helpful Links
1. The privacy policy of FundsforNGOs

-Although we are not an NGO, this will give you a good idea of what changes should be made to your
own privacy policy.

2. The privacy policy of Oxcamp Africa

-This organization is a registered charity based in the UK that does mentoring work across Africa. It may
be helpful to see what a smaller NGO has done with its policy in order to comply with the new
regulations.

3. The official EU website for GDPR

-This site lists more technical breakdowns of the legislation and a more specific listing of the changes
that the new law dictates.

4. The commission for UK data protection

-This is the official site for the UK Data Protection Bill, in case you are wondering what the UK has
written up for its new privacy law. Although very similar to the GDPR, this resource outlines some slight
differences between the two.

All Rights Reserved © fundsforNGOs LLC

No part of this publication may be reproduced or transmitted in any form by any means, electronic,
mechanical, photocopying or otherwise, without the prior written permission of fundsforNGOs LLC.

June 20, 2018