GDPR Compliance Guide


Who is this article for?

Any organization in the EU and UK
Any organization that deals with people in the EU or UK

This guide is an abridged version of what an organization needs to know to be GDPR compliant. Though we try to vet as many of our resources as possible, consult your attorney before implementing this advice.

What is Personal Data?

The term “Personal Data” applies to the personal information that directly or indirectly identifies any living person. It includes name(s) and any contact information. If you can use the data to identify a living person in any way, it is considered Personal Data.


GDPR Compliance Checklist:

  • You will need at least one lawful reason/basis to collect and process personal data.
    • Legitimate interest will be the most common nonprofit lawful basis.
    • The lawful basis is to be stated on your privacy notice.
    • Think of the lawful basis as applying to the processing of the data (its use and retention), not to the data itself. Once none of the six lawful bases applies to that processing, you can no longer use or keep the data.
  • You will need a GDPR Privacy Policy
  • You will need a GDPR Privacy Notice
    • A best practice is to have the privacy notice on your website and a link to the notice in your email signature.
    • You may need to register and pay a fee, especially in the UK; most nonprofit organizations do not. If you do, you will be notified by the UK government.

Areas of Jurisdiction

  • If you are operating solely in the UK, you will need to comply with the UK GDPR and DPA.
  • If you are operating solely in the EU, you will need to comply with the EU GDPR.
  • If you are operating both in the UK and EU, you will need to comply with both the UK and EU GDPR, in addition to the UK DPA.

What Organizations Does GDPR Apply To?

Per the European Commission, GDPR applies to:

  • a company or entity which processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed; or
  • a company established outside the EU and is offering goods/services (paid or for free) or is monitoring the behaviour of individuals in the EU.

Article 3 of the GDPR, which defines the law’s territorial scope, states that it not only applies to companies in the EU/EEA but also to companies outside of the EU/EEA that serve (or track the data of) EU/EEA residents.


Registration and Fees

EU

The EU does not require registration. But under the EU Data Protection Directive (the law that predated the GDPR), many member states required companies to register their data processing activities with the member state's supervisory authority.

As a general rule, being compliant in one EU country will mean you are compliant with all EU countries.

UK

The EU has stated that the UK’s GDPR requirements are compliant with EU GDPR requirements. The UK does not require nonprofits to register. Per ICO UK GDPR Registration Self Assessment, nonprofits do not need to register and pay a fee if:

  • you only process information necessary to establish or maintain membership or support;
  • you only process information necessary to provide or administer activities for people who are members of the organization or have regular contact with it;
  • you only hold information about individuals whose data you need to process for this exempt purpose; and
  • the personal data you process is restricted to personal information that is necessary for this exempt purpose.

US Organizations

US organizations are not required to register but are required to be GDPR compliant if they work with organizations in the EU. As noted under "What Organizations Does GDPR Apply To?", Article 3 extends the law's territorial scope to companies outside the EU/EEA that serve (or track the data of) EU/EEA residents.


Appendix

Lawful Basis to Collect Data

To collect personal data, the organization must have at least one “Lawful Basis” to process the data. The UK ICO’s Interactive Tool can help to determine whether an organization has a lawful basis. The generally accepted criteria are:

  • Consent
    • They explicitly said you could use it.
  • A contractual obligation.
    • For example, to fulfill a contract.
  • Legal obligation.
    • A law, judgment, or regulation requires you to keep it.
  • A vital interest.
    • Keeping the data is necessary to protect the vital interests of the data subject.
  • To perform a public task.
    • You are doing something for a public agency or government.
  • Legitimate interest (most common).
    • Legitimate interest is basically, do you have a legitimate reason to process this data?

Legitimate Interest Test

This can be broken down into a three-part test (per ICO):

  • Purpose test: are you pursuing a legitimate interest?
    • Is the interest you are pursuing part of your regular operations?
  • Necessity test: is the processing necessary for that purpose?
    • Could you do your operations without the data?
  • Balancing test: do the individual’s interests override the legitimate interest?
    • What is the nature of your relationship with the individual?
    • Is any of the data particularly sensitive or private?
    • Would people expect you to use their data in this way?
    • Are you happy to explain it to them?
    • Are some people likely to object or find it intrusive?
    • What is the possible impact on the individual?
    • How big an impact might it have on them?
    • Are you processing children’s data?
    • Are any of the individuals vulnerable in any other way?
    • Can you adopt any safeguards to minimize the impact?
    • Can you offer an opt-out?

Data Collection

Per ICO:
You should give your privacy notice to people when you first collect their personal details and make sure it’s available to view if they want to see it at a later date. If you don’t get their details directly, let them know where they can find your privacy notice as soon as possible, and within one month.

You need to review your privacy notice regularly to make sure it’s up-to-date and proactively bring any changes to people's attention.

If You Already Have Data

You may already have personal data you gathered before the organization was established. Once your organization is formed or you have developed your Data Protection Policy, you have one month to notify anyone whose data you have collected and give them an opportunity to opt-out.

Receiving Data From Another Organization

The other organization's privacy policy should state what type of organizations they give data to and why, and also should list specific organizations if there is a regular exchange. See the Privacy Notice template for an example.

Your policy should state the type of organizations you receive data from and why, and also should list specific organizations if there is a regular exchange. Note that this is reciprocal; if you are giving data to an organization you should be following the same procedures.


Email Compliance and Email Subscriptions

For GDPR Email Compliance see our other portal article here.

Email Subscriptions
GDPR defines the conditions for consent in Article 7.

  • Consent is given voluntarily

    • When assessing whether consent is given voluntarily, it must be taken into account whether the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
    • For example, if a user wants to download an ebook/whitepaper, or participate in an event, it must be clear that by doing so, they will be automatically subscribed to your newsletter.
    • If personal data will be collected in exchange for an item/service you’ll be providing this should be made clear during the opt-in stage.
  • Consenting must be clearly recognizable

    • Positive opt-in - Dedicate a separate space in your form where users can voluntarily and actively click on a checkbox
    • Pre-ticked sign-up checkboxes are not allowed
    • Double opt-in - Once a user submits their information, they receive an email that contains a link that they can click to further confirm their subscription to your newsletter.
    • It is best practice to provide a link to your privacy policy not only in the opt-in form but in the emails you’ll be sending as well.
  • You must ensure that opting out of your email subscription is easy

    • Add a visible unsubscribe link to all of your emails
    • Add a link that lets users change their email preferences
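As an added illustration (not code from the original article), here is a minimal double opt-in flow with a consent ledger in Python: the form handler must pass an affirmative tick (no default, so a pre-ticked box cannot be mistaken for consent), the confirmation link carries a signed, time-limited token, and unsubscribing is recorded rather than deleted so the history stays auditable. The signing key, the 24-hour expiry and the field names are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

SECRET_KEY = secrets.token_bytes(32)  # per-deployment signing key (constructed for this example)
CONFIRM_TTL = 24 * 3600               # assumed: confirmation links expire after 24 hours


@dataclass
class ConsentRecord:
    """One ledger line: who consented, from which form, to which notice version, and when."""
    email: str
    source: str               # form or page the opt-in came from
    policy_version: str       # privacy notice version shown at opt-in
    requested_at: float
    confirmed_at: Optional[float] = None
    withdrawn_at: Optional[float] = None


class Subscriptions:
    def __init__(self) -> None:
        self.ledger: dict[str, ConsentRecord] = {}

    def _sig(self, email: str, issued: int) -> str:
        return hmac.new(SECRET_KEY, f"{email}|{issued}".encode(), hashlib.sha256).hexdigest()

    def request(self, email: str, checkbox_ticked: bool, source: str,
                policy_version: str, now: Optional[float] = None) -> str:
        """Step 1 of double opt-in: log the request, return the token to put in the confirmation email."""
        now = time.time() if now is None else now
        if checkbox_ticked is not True:   # only an affirmative act counts as consent
            raise ValueError("explicit opt-in required")
        self.ledger[email] = ConsentRecord(email, source, policy_version, now)
        issued = int(now)
        return f"{email}|{issued}|{self._sig(email, issued)}"

    def confirm(self, token: str, now: Optional[float] = None) -> bool:
        """Step 2: only a correctly signed, unexpired token from the emailed link activates consent."""
        now = time.time() if now is None else now
        try:
            email, issued, sig = token.split("|")
            expected = self._sig(email, int(issued))
        except ValueError:                # malformed token
            return False
        if not hmac.compare_digest(sig, expected) or now - int(issued) > CONFIRM_TTL:
            return False
        rec = self.ledger.get(email)
        if rec is None:
            return False
        rec.confirmed_at = now
        return True

    def unsubscribe(self, email: str, now: Optional[float] = None) -> None:
        """The unsubscribe link: withdrawal is recorded, not deleted, so the ledger keeps the history."""
        rec = self.ledger.get(email)
        if rec is not None:
            rec.withdrawn_at = time.time() if now is None else now

    def is_subscribed(self, email: str) -> bool:
        rec = self.ledger.get(email)
        return bool(rec and rec.confirmed_at is not None and rec.withdrawn_at is None)
```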

For verbiage examples, visuals, and additional details on email compliance, see our article - Email Compliance.

