GDPR and Equivalency Determinations

As many of our readers are aware, the European Union (EU) General Data Protection Regulation (GDPR) went into effect on May 25, 2018. Although GDPR is an EU regulation, its impact is global. This is because GDPR protects the information of EU residents, no matter who is processing that information, or from where.

Processing information means accessing, collecting, storing, using, sharing, recording, altering, or otherwise utilizing personal data of individuals in the EU. Personal data means any information relating to an individual (a "natural person") that directly or indirectly identifies that individual. Personal data includes name, identification, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of an individual.

Under EU law, protection of one's personal data is a fundamental right (PDF). Otherwise stated, an individual deserves to control what his or her personal data is used for and when it is shared. Viewing GDPR in this light should serve as a helpful guidepost. It is also the standard by which NGOsource treats all personal data collected or received, regardless of its country of origin.

What Personal Data Does NGOsource Receive, and Why?

NGOsource collects very little personal data of its grantmaker members and NGOs and only processes such data with their express consent. There are two principal ways in which we receive personal data.

First, when an NGO is selected for equivalency review by an NGOsource grantmaker member, we contact that NGO via email. That email address is often associated with an individual. Sharing that address, as well as any affiliated data like the person's name, may then only be undertaken with the express consent of that individual. This is why we can only share an individual's name and contact information with other grantmaker members once that individual has affirmatively and unambiguously provided consent for us to do so.

Second, organizations often provide names and other identifying information about individuals as part of their completion of the online questionnaire. Notably, we do not request the names or contact information of any individuals other than those listed as official contacts in the questionnaire and those who provide their consent to undergo an equivalency determination (ED).

However, such information is often stated within the organization's governing documents, annual reports, audited financials, or other information shared with us to assist us in completing the ED. Most commonly, an organization's memorandum of association, statutes, deed of trust, or other governing document will include the names and signatures of the original subscribers, members, or trustees. Some documents additionally include information like identification numbers, photographs, and even fingerprints.

What Measures Does NGOsource Take to Protect This Data?

The NGOsource team fully redacts any personal data in the information that we receive before we save or share it, unless such data is essential to the ED. We do request in our online questionnaire that NGOs undergoing an ED make these redactions themselves before they submit their documents. Our website provides redaction instructions for them.

In practice, however, many organizations are either unaware of this request or are unable to redact the data themselves. Any redactions undertaken before we receive documents for review do help reduce our total review time. However, regardless of an organization's ability to redact before submission, NGOsource takes pride in applying a consistent review and redaction of all documents that are shared with us.

What About the CCPA?

The California Consumer Privacy Act (CCPA) went into effect in January 2020. As the most expansive legislation protecting personal data in the U.S. to date, the CCPA has received widespread attention. The CCPA currently only governs "businesses," and not nonprofit organizations.

While the CCPA is the first of its kind, the expectation among privacy practitioners and policymakers is that other states are soon to follow, just as other countries (PDF) have begun to adopt data privacy legislation similar to GDPR.

Other Resources

NGOsource Privacy Policy

General Data Protection Regulation (GDPR), complete legislation

Webinar Recording: Data Privacy in the Post-Internet Age, NGOsource

What You Should Know About the New California Consumer Privacy Act, TechSoup

This article is for general informational purposes only and does not represent legal advice as to any particular set of facts. Please seek legal counsel as you deem necessary.