You may or may not have heard of GDPR, but be certain that most commercial Enterprises, businesses, corporations have heard of it and are taking aggressive actions to meet this regulatory monster.
What is GDPR? It is a new European Union regulation – General Data Protection Regulation – going into effect late May 2018 which seeks to strengthen protections of personal information or PII held by organizations. The basic intent is probably a good one – they want to make sure that *your* personal information — name, address, phone number, email address, financial data, health data, and other critical pieces of information specific to you – are placed squarely in your control.
First, they want organizations to explicitly ask for European citizens to opt-in your information for their marketing and other purposes. Allowing opt-out is not enough — people need to opt-in to allowing your use of their PII.
Second, they require the organizations to:
- Keep an audit trail of how they acquired your information
- Document how it is being secured from being lost or stolen or hacked
- Maintain written policies about if and when the info is aged out of use, deleted or transferred to other organizations (mergers/acquisitions/selling emails ).
Most importantly, it requires that European citizens and organizations *always* fully control their own PII, including the right at any time to remove their own personal information from any organizations storage.
The issues that arise from this regulation stem from the looseness of the definitions in the regulation, and the penalties for not complying.
Given this is a European Union regulation, the scope of this regulation is supposed to protect the PII rights of European citizens. But it’s not clear if that means:
- European citizens living in European countries (we would assume)
- European citizens living in other countries, such as the United States
- Even European residents, such as Americans, living in European countries (not likely).
It’s also a bit unclear what constitutes “proper protection” for the data, “adequate process”, etc.
It’s pretty easy to imagine that an organization like, say, Facebook would have an entire department with lawyers in tow, enacting massive policies and processes to maintain compliance with this regulation – Binders upon binders of their processes and policies, global training to all their employees about the regulation and its implications, technology safeguards being put in place, and all the rest.
But what about a two-man software company, collecting potential customer contact information to market to them about their new app? Is having a few bullet points in an email adequate policy definition for this two-man company? How much time and money should they spend to protect and govern the data that they might get from some potential European customers? It’s also not totally clear whether this applies to churches and nonprofits. For the information that churches collect on a Sunday morning using their contact cards or similar, could any of that information be from a European citizen, and therefore regulated under GDPR?
The really dramatic part of this regulation comes in the associated penalties. GDPR assesses fines of 20 million Euros or 4% of total revenues, whichever is larger. So if we apply the statistic that says that most churches in the United States are 75 people for less, and project out the annual donation income, how many years (decades?) would it take to pay a 20 million euro fine? That could be pretty scary, if it happened.
Some will say that this was never the intent of the European Union, they really wanted to go after Google’s and Facebook’s massive data aggregation, and other large companies that misuse, sell, exchange your PII, and they would never go after small companies, churches, or nonprofits, and they are probably correct. But there’s nothing in the regulation that prevents this, and we have to consider the law of unintended consequences and the potential risk. Never say never, as they say.
Some would also say that churches are too small to be noticed in what they’re doing, and would never get on the radar of the EU in this way. But it’s not necessarily just the EU body looking for violations – it might be individuals that report a church or other organization. So being slightly paranoid for a moment, what would happen if a vehemently anti-church organization were to use this law to try to hurt or shut down churches?
I think we will need to wait and see what happens, as the outcomes are hard to predict. But my general advice to churches for now would be a preventive tactic: If you receive or have contact information that you know is from an EU citizen living anywhere, likely the best action for most churches would be to remove it from your database — the value of a small number of contacts is not worth any of the potential risk.
You can read more on GDPR here.