GDPR applies to a wide variety of organizations, including nonprofits, that operate within the EU or that process the personal data of EU residents. That means that even US nonprofits that just collect data from EU residents are subject to its requirements and exposed to its penalties.
The GDPR establishes standards of practice for data protection, transparency, record keeping, and more. It also includes a 72-hour data breach notification requirement.
The EU is taking GDPR compliance very seriously; failure to comply with GDPR’s many requirements could result in onerous fines of up to the HIGHER of 4% of an organization’s total revenue or 20,000,000 euros.
Even if GDPR does not apply to your organization now, consider learning more about its requirements because many non-EU countries are looking to Europe as they develop their own data privacy regulations.
Here are some resources to get started: