2019 Nonprofit Technology Conference NTC

GDPR & US Foundations

  • 1.  GDPR & US Foundations

    Posted Mar 30, 2019 03:06
    The General Data Protection Regulation (GDPR) got some coverage in NTC19 Sessions. In these sessions, I noticed that there are many questions about the exact requirements and whether or not the GDPR is applicable for US organizations.

    GDPR applicability is based on two scope definitions: 1) Material scope (art. 2) and 2) Territorial scope (art. 3).

    The material scope (1) states that GDPR applies to the processing of personal data by automated means and to processing other than by automated means which forms part of a filing system or is intended to form part of a filing system. A widespread misunderstanding is that the size of the organization is relevant. That's not the case. There are some clauses only applicable in case of large-scale processing, but the GDPR in general doesn't depend on the size of the organization or scale of processing.

    The territorial scope (2) has two principles:
    a) Personal data of data subjects who are in the EU, by a controller or processor not established in the Union.
    b) Personal data processed within the EU.

    Summarizing: any personal data of EU citizens (living in the EU), processed by US- or other-country-based organizations, regardless of where the data is actually processed, is subject to the GDPR.

    Two important notes:
    The definition of processing is very broad. Processing includes transfer, read and even storing the data. That's why IaaS providers, who don't even know what data is processed on their systems, are subject to the GDPR as well (Microsoft / Google, etc.).
    Second, the definition of personal data is very broad too. Any information relating to an identified or identifiable natural person.

    As a certified GDPR practitioner, I've been giving many trainings and seminars to Foundations and NGOs, and helped them understand, interpret and implement GDPR. During the NTC19, I've been in discussion with several NGOs about their GDPR challenges. If there are more questions or need for advice or services, I'm more than willing to help out. Feel free to connect! Since I'm travelling to US & Canada on a regular basis, there are opportunities to meet up.

    ------------------------------
    Leen Roeleveld
    lroeleveld@gdpr-expert.org
    The Netherlands
    ------------------------------
    Nonprofit Tech Clubs


  • 2.  RE: GDPR & US Foundations

    Posted Mar 31, 2019 11:36
    GDPR is very broad in its applicability, but very narrow in its ENFORCEABILITY.

    For most US-based orgs, planning out a response to GDPR should start with a risk assessment, rather than a compliance assessment. Leaders should determine what exposure they have before committing substantial organizational resources to attempt to comply fully with a body of regulations that still hasn't clarified and solidified itself.

    ------------------------------
    Isaac Shalev
    http://www.sage70.com
    Stamford CT
    @Sage70
    isaac@sage70.com
    ------------------------------



  • 3.  RE: GDPR & US Foundations

    Posted Apr 01, 2019 03:35
    It's wise to start with a Risk Assessment, even more because GDPR encourages a risk-based approach before taking measures.

    But why act only out of 'fear' and 'fines'? GDPR is a regulation that is aiming for transparency and respect for consumer / constituent data. Shouldn't that be a principle for NGOs, to handle their constituents' data with transparency and respect? In Europe, more and more organizations are merely perceiving GDPR as an opportunity to differentiate their organizations. In the age of Facebook scandals and fake news, the public is longing for what is 'real' and 'true'. And a sector that, more than any other sector, lives by the grace of credibility and reputation, has more than a good reason to be transparent and to respect the rights of the constituents.

    On top of that, privacy regulations globally tend to harmonize clearly in the direction of GDPR. The California Consumer Privacy Act also has many GDPR elements. I think it's only a matter of time. And the choice is to be passive and run the old way, or to face the reality and see it as an opportunity.

    ------------------------------
    Leen Roeleveld
    The Netherlands
    ------------------------------



  • 4.  RE: GDPR & US Foundations

    Posted Apr 01, 2019 09:02
    Leen, that sounds lovely. My advice to most clients is to take modest measures and wait for GDPR's beautiful sentiments and laudable values to translate into clear regulations.

    ------------------------------
    Isaac Shalev
    http://www.sage70.com
    Stamford CT
    @Sage70
    isaac@sage70.com
    ------------------------------
