How will the new European Union data protection law affect U.S. nonprofit organizations?
Nonprofit organizations based in the U.S. can often handle large amounts of data which originates in the EU—for example, they may have employees in Europe or a large member database that includes Europeans.
Nonprofits may receive such data either directly from EU citizens or indirectly, for example from affiliates or member organizations, and may act as a “data controller” with respect to such data (having control over how the data is used) or as a “data processor” (acting on the instructions of the party sharing the data).
Unfortunately, being a nonprofit does not exempt an organization from compliance, which is a common misconception.
The EU General Data Protection Regulation
On 25 May 2018, the EU General Data Protection Regulation 2016/679 (GDPR) will come into force and will apply to any organization, anywhere in the world, which processes the personal data of EU citizens.
As a result, nonprofit organizations based in the United States that process EU personal data will be required to comply with the GDPR, even though they are based in the United States (or elsewhere outside Europe).