How the EU’s data protection regulations might affect U.S. nonprofits

November 14, 2019 | Stuart Mordfin, CPA, CGMA | Topics: GDPR, EU, General Data Protection Regulation

Your not-for-profit may have paid little attention to the European Union’s (EU’s) General Data Protection Regulation (GDPR), which took effect May 25, 2018. The GDPR revises standards for privacy rights, information security and compliance in the EU. Yet it might also apply to U.S.-based organizations, such as your not-for-profit.

Big steps beyond

GDPR requirements are comprehensive and go far beyond existing U.S. privacy standards. They address:

  • Data security and data governance,
  • Consent to processing,
  • Mandatory breach notification,
  • Access to personal data and data erasure (the right to be “forgotten”),
  • Data portability, and
  • Cross-border data transfers.

Organizations must notify the appropriate EU authority within 72 hours after becoming aware of a data breach. By contrast, U.S. states’ breach notification laws require notification “without unreasonable delay,” with the shortest timing at 30 days, while the Health Information Portability and Accountability Act (HIPAA) allows 60 days.

The regulations define “personal data” broadly to include such identifiers as name, address, Social Security or tax identification number, and email address. Location data and online identifiers such as cookies or IP addresses are also considered personal data.

Notably, GDPR rules apply to entities outside the EU that process or hold the personal data of “data subjects” who are physically in the EU. It doesn’t matter where the processing takes place or whether the subjects are EU residents.

Rights of individuals

To comply with the GDPR, your nonprofit must obtain consent from individuals to collect their personal data. This means the person takes affirmative action, such as clicking on an “I agree” statement, and the personal data you already possess isn’t “grandfathered in.” You must obtain consent on that data or purge it completely from your systems (including employees’ spreadsheets and Outlook contact lists).

You also must disclose to individuals the data you collect on them upon request, so you’ll need to keep close track of such information. And if individuals ask to be forgotten, you must delete all of their data or anonymize it.

Proceed with caution

A serious violation of the GDPR can bring a penalty as high as 20 million euros (about $23 million) or 4% of the violator’s annual revenue. Questions remain about enforcement in the United States, but that’s no excuse not to abide by the rules and develop a compliance plan now. Contact us if you have questions.
