Michael Best Partner Elizabeth Rogers’ publication, “Insight: The GDPR’s Reach on U.S. Non-Profits and Associations” was featured in Bloomberg Law on July 25, 2018.
“May 25 marked the beginning of enforcement for the European Union’s General Data Protection Regulation (‘GDPR’), a sweeping revamp of prior EU privacy and cybersecurity laws. The regulation is aimed at enhancing the data privacy rights of individuals within the EU as it relates to the collection and processing of their personal data. The fortuitous timing of the enforcement date in the wake of a steady stream of news concerning privacy and cybersecurity revelations and data breaches seemed to serve as a prophetic response to these growing issues. Although the GDPR is an EU law, it has ripple effects around the world, including in the United States. Whereas U.S. privacy laws are mostly sectoral, the GDPR’s industry-agnostic approach results in broad application, including to associations and non-profit organizations in the United States. Because of the large potential fines of 4% of worldwide revenue or up to €20 million, these entities need to be aware of whether the GDPR applies to them and, if so, what that means.
What kind of data does the GDPR regulate? The GDPR can apply to any type of organization or association, including non-profits. Its broad application depends on the activities of an organization rather than the industry or sector in which the organization operates. The regulation applies generally to ‘the processing of personal data’ with a few exceptions. It is, therefore, critical to determine whether your non-profit or trade association processes personal data or sensitive personal data. If that is the case, then several obligations apply, including the need to establish a legal basis for processing the personal data under Article 6 and, if sensitive personal data is involved, the need to satisfy additional special conditions for processing under Article 9.”