Search
Close this search box.
GDPR

GDPR is coming. Will your organization be ready?

The General Data Protection Regulation (GDPR) issued by the European Union (EU) becomes effective May 25, 2018.  Although some organizations have already adopted privacy processes and procedures in response to the regulations, many are still unclear as to the impact upon their business, and the steps necessary to comply.

Does GDPR apply to your organization?  For virtually every organization, the answer is “yes.”  In basic terms, any US entity that has a web presence and markets to or gathers information on EU residents is subject to GDPR.  More specifically, Article 3 of the GDPR says that if you collect personal data or behavioral information from someone in an EU country, your organization is subject to the requirements of the law.  It’s important to note that a financial transaction doesn’t have to take place to be subject to the regulation. The bottom line is that the GDPR applies to any organization that collects and holds “personal data” of individuals residing in the EU, regardless of the organization’s location.

Failure to comply could result in significant fines and penalties. On top of that, complying with GDPR will require organizations handling EU residents’ data to undertake significant operational reform.  Below I summarize the main mandates imposed by GDPR that organizations should focus on. I will be writing a further series of posts to provide additional guidance on insuring full compliance.

It’s My Data – GDPR is a game changer

From a US perspective, GDPR imposes a new paradigm.  Perhaps most significantly, it redefines what has traditionally been considered to be protected information by broadening the concept of personal data to anything that can be used to identify a person, including an email address, twitter handle or even an IP address associated with a mobile device. It’s crucial to recognize that personal data that is collected is never owned by the organization, for it is the individual who perpetually retains control over personal data.  This key public policy maintains that data belongs to the person it identifies, and that the person has a right to control how it is processed. Therefore, while organizations may use, within well-defined limits, the data they collect, they will need to obtain explicit consent from those individuals who “own” it.

Explicit Consent is the New “Opt In” – What is It?

While organizations may continue to rely on “consent” as a lawful basis to collect, use and transfer personal data under the GDPR, what constitutes acceptable “consent” is now at a higher bar.  No longer will “implicit” or “opt-out” consent be acceptable.  Rather, GDPR requires that the individual signals his or her agreement by “a statement or a clear affirmative action.”   It’s also important to note that GDPR introduces restrictions on the ability of children to consent to data processing without parental authorization.

No “Passing the Buck” – Responsibility for Third-Party Vendors

GDPR squarely puts the onus on the organizations which collect data to ensure that their third-party vendors (data-processors) are acting appropriately, and that any “processing activities” are performed in compliance with the regulations. Organizations must “implement appropriate technical and organizational measures” not only not only to ensure compliance, but to be able to demonstrate the measures that they have in place.  Under certain circumstances, organizations will have specific responsibility for carrying out data-protection “impact assessments.” Most importantly, the organization will be liable for the actions of its third-party vendors and any failure on their part to comply with GDPR’s personal data processing principles.

“Use It – Then Lose It” – Limits on Data Retention

Many organizations keep personal data information for much longer than is reasonably necessary.  GDPR imposes restrictions on this practice, effectively mandating that organizations create, implement, and then follow a data-retention policy.

“It Don’t Come Easy” – New Obligations for Cross-Border Data Transfers

The GDPR permits personal data transfers to a third country or international organization subject to compliance with a number of conditions, including conditions for onward transfer. For those countries that are not considered to provide an “adequate” level of data protection, transfers are only permitted under certain circumstances, such as by use of standard contractual clauses or binding corporate rules.   Note that the United States is not considered to have an “adequate” level of protection, so organizations wishing to transfer data to the US must take additional actions.

A “Target” on Targeting? – Restrictions on Profiling

Today, nonprofits often engage in donor-data analysis for a variety of purposes, including drawing conclusions about a donor’s wealth and capacity to give to develop target marketing campaigns. In its sweeping efforts to define and enhance the subject’s rights to control personal data, the GDPR contains many restrictions on such automated data processing – and decisions based upon such processing – to the extent they can be characterized as profiling.

A Higher Bar – New Data Security and Breach Notification Obligations

GDPR imposes strict obligations on organizations with regard to data security as well as expected security standards. The GDPR also adopts specific breach notification guidelines for the first time.

It’s All About Them – Additional Rights to Control Personal Data

As part of its effort to expand individual control over the use of personal data, the GDPR introduces two new rights. The first is the literal right to be “forgotten.”  This empowers individuals to request that your organization delete their personal data.  It also mandates that if requested, you provide an individual’s personal data to them. The GDPR also augments the existing rights of individuals to receive notice about your processing activities, gain access to the information that is being processed, and to request that any inaccuracies be remedied.

Keep “em” Separated – “Pseudonymization” of Personal Data

The concept of “personally identifying” is one of the essential elements driving and informing GDPR.  Any “personal data,” defined as “information relating to an identified or identifiable natural person ‘data subject’,” falls within the domain of GDPR.  The regulation introduces the concept of “pseudonymization” into European data-protection law. Pseudonymization is the separation of data from direct identifiers so that linkage to a person is not possible without additional information that is not digitally connected. The intent is to minimize the risks associated with sharing and processing of data.

Closing Thoughts

I can certainly appreciate that the regulatory obligations summarized above may seem overwhelming – they are – and that organizations may be tempted to take a “wait and see approach.”  It is essential, however, to keep in mind that by any measure the fines for violations of GDPR are severe (regulators are authorized to levy fines in amounts exceeding the greater of 20 million euros or four percent of annual global revenue). So in this case, an ounce of prevention will truly be worth the pound of cure.

Share this Post

Related Posts

A number of states require disclosure notice statements on all written materials used when soliciting contributions. Most often the disclosure notice is required to be included on every printed …
perlman & perlman philanthropic sector law firm blue logo

click to exit page

silk lanterns

who we work with

Our clients are diverse nonprofit organizations with a broad range of missions, as well as for-profit companies in evolving areas such as social enterprise, corporate philanthropy, joint ventures, technology-driven fundraising, and impact investing.

A.B. Data
AB InBev Foundation
Absolut Company
American Committee for the Weizmann Institute of Science
American Diabetes Association
American Friends of the Hebrew University
American Parkinson Disease Association
Americans for Ben Gurion University
Association of Fundraising Professionals
Avalon Consulting
Baton Rouge Area Foundation
Black Lives Matter Global Network Foundation
Bleeding Blue for Good Fund
Bradley Cooper’s One Family Foundation
BrightFocus Foundation
Brooks Brothers
Chadwick Boseman Foundation for the Arts
Changing Our World
Charity Defense Council
Christian Appalachian Project
Doctors of the World/ Medecins du Monde
Doctors Without Borders/ Medecins San Frontieres
Drug Policy Alliance
Duke University
Emory University
Estee Lauder Companies, Inc.
Feed The Children
Food For The Poor
Gerald R. Ford Presidential Foundation
Grameen Foundation USA
Hope for New York
International Campaign for Tibet
International Crisis Group
International Justice Mission
J. Crew Group
Johns Hopkins University
Lautman Maska Neill & Company
Lawyers Committee for Civil Rights Under Law

LSU Foundation
Marts & Lundy
Meyer Partners, LLC
Milken Institute
NAACP Foundation
National Alliance on Mental Illness (NAMI)
National Marrow Donor Program
National Park Foundation
Natural Resources Defense Council
North Carolina State University
North Shore Animal League
Operation Smile
PBS Foundation
Pernod Ricard USA
PetSmart Charities
PopSockets
Population Action International
Project ORBIS International
Public Interest Communication
Rails to Trails
Redeemer Presbyterian Church
Rockefeller Philanthropy Advisors
Save the Children Federation
Sesame Workshop
Simon Wiesenthal
SOS Children’s Villages – USA
Subaru of America
The Little Market
Touro University
United States Equestrian Team Foundation
United Way Worldwide
University of Connecticut
University of Virginia
Vote.org
Whitney Museum of American Art
World ORT
World Wildlife Fund
YWCA USA

A.B. Data
Absolut Company
American Committee for the Weizmann Institute of Science
American Diabetes Association
American Friends of the Hebrew University
American Parkinson Disease Association
Americans for Ben Gurion University
Association of Fundraising Professionals
Baton Rouge Area Foundation
BrightFocus Foundation
Burger King McLamore Foundation
Cancer Care
Carnegie East House and James Lenox House Association
Center for Car Donations
Changing Our World
Charity Defense Council
Christian Appalachian Project
Coca-Cola Scholars Foundation
Convoy of Hope
Cornell University
Doctors Without Borders/ Medecins San Frontieres
Drug Policy Alliance
Duke University
Emory University
Feed The Children
Gerald R. Ford Presidential Foundation
Grameen Foundation USA
Helen Keller Services
Hope for New York
Human Rights Watch
Humane Society of US
Indiegogo
International Campaign for Tibet
International Crisis Group
International Justice Mission
Japanese American National Museum
Johns Hopkins University
Lane Bryant Charities
Lautman Maska Neill & Company
Lawyers Committee for Civil Rights Under Law
LSU Foundation
Mattel
Meyer Partners, LLC
Milken Institute
National Breast Cancer Coalition
National Marrow Donor Program
Natural Resources Defense Council
North Carolina State University
North Shore Animal League
Obama Foundation
Operation Smile
PBS Foundation
Pernod Ricard USA
PetSmart Charities
Population Action International
Project ORBIS International
Public Interest Communication
Rails to Trails
Redeemer Presbyterian Church
Rock and Roll Hall of Fame and Museum
Rockefeller Philanthropy Advisors
Sesame Workshop
Simon Wiesenthal
SOS Children’s Villages – USA
Steinhardt Foundation
Subaru of America
United States Equestrian Team Foundation
University of Montana Foundation
University of Nevada, Las Vegas Foundation
Whitney Museum of American Art
World ORT
World Wildlife Fund
YMCA USA
YWCA of New York City
YWCA USA

perlman & perlman philanthropic sector law firm blue logo

click to exit page

news & events

Our attorneys’ recent contributions to the media and nonprofit sector publications.

news & events

Check out our attorneys’ recent contributions to the media and industry publications.

Secure Your Data – Seriously, AFP New York Chapter News
As Jon Dartley, a data privacy and security attorney at Perlman and Perlman says, “It is vital to have the appropriate legal terms in the contract to protect your interests.”  Find out what your liability limit is.  Have it in writing who bears the responsibility and cost of a data breach.  And, have the vendor agree on a specific timeframe within which they need to advise you of a data breach.

Warning: Don’t Cut Legal Corners When Mixing Social And Business Impact,  Forbes
Particularly striking is that (Karen) Wu believes this is the “first multi-state regulatory activity involving cause marketing in almost two decades.”

Is stealing, then giving back, OK?
Cliff Perlman lends his advice on theft within a nonprofit.

Buyer Beware: Negotiating Terms in Technology Agreements
Jon Dartley provides tips on negotiating contracts with technology vendors.

Four Ways Charitable Giving Could Change with a Tax Overhaul
Cliff Perlman remarks on the possible threat of a change to charitable deduction.

How To Deal With Residual Data, Nonprofit Times
Jon Dartley’s advice on addressing “data exhaust”.

Secure Your Data – Seriously, AFP New York Chapter News
As Jon Dartley, a data privacy and security attorney at Perlman and Perlman says, “It is vital to have the appropriate legal terms in the contract to protect your interests.”  Find out what your liability limit is.  Have it in writing who bears the responsibility and cost of a data breach.  And, have the vendor agree on a specific timeframe within which they need to advise you of a data breach.

Warning: Don’t Cut Legal Corners When Mixing Social And Business Impact,  Forbes
Particularly striking is that (Karen) Wu believes this is the “first multi-state regulatory activity involving cause marketing in almost two decades.”

Is stealing, then giving back, OK?
Cliff Perlman lends his advice on theft within a nonprofit.

Buyer Beware: Negotiating Terms in Technology Agreements
Jon Dartley provides tips on negotiating contracts with technology vendors.

Four Ways Charitable Giving Could Change with a Tax Overhaul
Cliff Perlman remarks on the possible threat of a change to charitable deduction.

How To Deal With Residual Data, Nonprofit Times
Jon Dartley’s advice on addressing “data exhaust”.

perlman & perlman philanthropic sector law firm blue and green logo

click to exit page

perlman & perlman philanthropic sector law firm blue and green logo

click to exit page

silk lanterns

who we work with

Our clients are diverse nonprofit organizations with a broad range of missions, as well as for-profit companies in evolving areas such as social enterprise, corporate philanthropy, joint ventures, technology-driven fundraising, and impact investing.

who we work with

Our clients are diverse nonprofit organizations with a broad range of missions, as well as for-profit companies in evolving areas such as social enterprise, corporate philanthropy, joint ventures, technology-driven fundraising, and impact investing.

A.B. Data
AB InBev Foundation
Absolut Company
American Committee for the Weizmann Institute of Science
American Diabetes Association
American Friends of the Hebrew University
American Parkinson Disease Association
Association of Fundraising Professionals
Avalon Consulting
Baton Rouge Area Foundation
Black Lives Matter Global Network Foundation
Bleeding Blue for Good Fund
Bradley Cooper’s One Family Foundation
BrightFocus Foundation
Brooks Brothers
Chadwick Boseman Foundation for the Arts
Changing Our World
Charity Defense Council
Christian Appalachian Project
Doctors of the World/ Medecins du Monde
Doctors Without Borders/ Medecins San Frontieres
Drug Policy Alliance
Duke University
Emory University
Estee Lauder Companies, Inc.
Feed The Children
Food For The Poor
Gerald R. Ford Presidential Foundation
Grameen Foundation USA
Hope for New York
International Campaign for Tibet
International Crisis Group
International Justice Mission
J. Crew Group
Johns Hopkins University
Lautman Maska Neill & Company
Lawyers Committee for Civil Rights Under Law
LSU Foundation

Marts & Lundy
Meyer Partners, LLC
Milken Institute
NAACP Foundation
National Alliance on Mental Illness (NAMI)
National Marrow Donor Program
National Park Foundation
Natural Resources Defense Council
North Carolina State University
North Shore Animal League
Operation Smile
PBS Foundation
Pernod Ricard USA
PetSmart Charities
PopSockets
Population Action International
Project ORBIS International
Public Interest Communication
Rails to Trails
Redeemer Presbyterian Church
Rockefeller Philanthropy Advisors
Save the Children Federation
Sesame Workshop
Simon Wiesenthal
SOS Children’s Villages – USA
Subaru of America
The Little Market
Touro University
United States Equestrian Team Foundation
United Way Worldwide
University of Connecticut
University of Virginia
Vote.org
Whitney Museum of American Art
World ORT
World Wildlife Fund
YWCA USA

A.B. Data
Absolut Company
American Committee for the Weizmann Institute of Science
American Diabetes Association
American Friends of the Hebrew University
American Parkinson Disease Association
American Rivers
Association of Fundraising Professionals
Baton Rouge Area Foundation
BrightFocus Foundation
Burger King McLamore Foundation
Cancer Care
Carnegie East House and James Lenox House Association
Center for Car Donations
Changing Our World
Charity Defense Council
Christian Appalachian Project
Coca-Cola Scholars Foundation
Convoy of Hope
Cornell University
Doctors Without Borders/ Medecins San Frontieres
Drug Policy Alliance
Duke University
Emory University
Feed The Children
Gerald R. Ford Presidential Foundation
Grameen Foundation USA
Helen Keller Services
Hope for New York
Human Rights Watch
Humane Society of US
Indiegogo
International Campaign for Tibet
International Crisis Group
International Justice Mission
Japanese American National Museum
Johns Hopkins University
Lane Bryant Charities
LSU Foundation
Mattel
Meyer Partners, LLC
Milken Institute
National Breast Cancer Coalition
National Marrow Donor Program
Natural Resources Defense Council
North Carolina State University
North Shore Animal League
Obama Foundation
Operation Smile
PBS Foundation
Pernod Ricard USA
PetSmart Charities
Population Action International
Project ORBIS International
Public Interest Communication
Rails to Trails
Redeemer Presbyterian Church
Rock and Roll Hall of Fame and Museum
Rockefeller Philanthropy Advisors
Sesame Workshop
Simon Wiesenthal
SOS Children’s Villages – USA
Steinhardt Foundation
Subaru of America
United States Equestrian Team Foundation
University of Montana Foundation
University of Nevada, Las Vegas Foundation
Whitney Museum of American Art
World ORT
World Wildlife Fund
YMCA USA
YWCA of New York City
YWCA USA
Lautman Maska Neill & Company
Lawyers Committee for Civil Rights Under Law

perlman & perlman philanthropic sector law firm blue and green logo

click to exit page

Culture & Values

Vision

We view our clients as partners that share our commitment to bring about change in the world. Our goal is to provide them the peace of mind of knowing that they are in compliance with their legal obligations and to further empower them to achieve positive social impact and financial success.

Our Mission

Our mission is to provide the highest quality, integrity-driven legal services to our clients, using a practical, consultative, client-focused approach to identify and respond to problems and challenges.

We strive to maintain a culture characterized by respect, opportunity, diligence, mutual empowerment, entrepreneurship, and fair reward for efforts made on behalf of clients and the firm.

Perlman & Perlman is a Certified B Corporation

Certified B Corporations use the power of business to solve social and environmental problems. B Corps are unlike traditional businesses because they

  • Meet comprehensive and transparent social and environmental performance standards
  • Meet higher legal accountability standards
  • Build business constituency for good business