Friday, May 25, 2018

GDPR Challenges for Non-Profits

As a genealogist and an information junkie, I read quite a few genealogy blogs, belong to quite a few genealogy Facebook groups, have a lot of genealogy friends on Facebook and follow a lot of genealogists on Twitter. (Remember, I am an information junkie!) Thus, I have encountered quite a few discussions of the European Union's General Data Protection Regulation (GDPR).

Based on what others - especially the Legal Genealogist - have written, I have tried to understand the GDPR and to implement changes to my blogs and my website. As a volunteer for the Nemaha County Historical Society, I have also tried to inform their board about the GDPR and help them implement changes.

One of the challenges was guidelines on what the historical society needed to do. Other than the genealogy related blog posts, there wasn't an organization or government site providing help for non-profits. When guidance was sought from statewide organizations, the responses received were not as informative as the genealogy blog posts. One response was also somewhat misleading in that it implied that 'it was unrealistic' to expect the society to be in compliance by today. (The regulation was passed 2 years ago.)

Another challenge involves the society's email. The society is located in Seneca, Kansas. Seneca is blessed to have several Internet providers -- including local providers. Almost all of those providers include an email address hosted by the provider. Many users, including the historical society, utilize that email address. It is doubtful that these local providers have the resources to become compliant with GDPR.

The third challenge is ignorance on the part of U.S. based companies. One vendor that the historical society works with indicated that they did not fall under the GDPR requirements since they did not have 250 employees. If this is true, then why are so many genealogists (and other bloggers) working so hard to learn about GDPR and to implement changes in their blogs, newsletters and websites? The answer to the question is that YES, the GDPR applies to anyone who has dealings with citizens of the European Union. The following articles by Sophos and Forbes magazine speak to this.
Not only could the Nemaha County Historical Society be impacted by the GDPR but also area businesses. Even though we are a small Kansas town or county, there are businesses in the county with global markets. Below are examples of how local entities might fall under the GDPR requirements:
  • Have a website or blog that tracks how many people visit the site or blog (the tracking involves the use of cookies, thus a 'cookie notice' should be on the site/blog)
  • Send out an electronic newsletter where a recipient of that newsletter is a citizen of the European Union
  • Have a name and email address for someone from a European Union country in a contact list
  • Maintain any personal data (name, address, email address, etc.) in a database for anyone from a European Union country -- This could directly impact schools that have foreign exchange students from a European Union country!
Whether this European regulation applies to U.S. based businesses and organizations will ultimately be decided in court. Until then figuring out and implementing what is required by the GDPR is less costly than a potential fine.
