Data Stewardship and the General Data Protection Regulation (GDPR)

Let’s pretend it’s a rainy Sunday and all you want is a good page turner. You’ve heard the hype and seen the headlines so you pick up the complete works of the European Union (EU) and open to Chapter 1: The General Data Protection Regulation.

It begins with what can only be described as the most compelling opening line ever:


(1) The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union (the ‘Charter’) and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) provide that everyone has the right to the protection of personal data concerning him or her.

And – we’re done.

What now?

We are going to break down the GDPR for you with an emphasis on highlighting the most important aspects that might impact your organization. At Fíonta, we understand the nonprofit sector and our compliance team actually considers this kind of thing a fun read. Buckle up!

Break it down

First, let’s go through the basics.

What is it?

The GDPR is a new European Union (EU) regulation designed to streamline the rules around privacy and data security. The regulation has two primary goals:

  1. Give citizens more control over their information including the Right to be Forgotten; and
  2. Simplify the regulations targeting businesses (including nonprofits).

Does it apply to my organization?

We know what you’re thinking – It’s European, does it even apply to me. If your nonprofit can answer yes to any of the following, then GDPR compliance is in your future.

  • Do you maintain any personal information of EU citizens?
  • Do you fundraise or, in any way, market to EU citizen?
  • Does your website or donation page have EU language options and/or accept EU currencies and/or track / collect information about visitors?
  • Does your organization have programs and/or a volunteer base in any of the EU countries?

Need a quick refresher as to the countries that compose the EU? Here’s a helpful list:

When is this happening?

The deadline for compliance is May 25, 2018.

What do they mean by personal information?

Personally Identifying Information (PII) is going to apply to all the basics captured by a nonprofit through the normal activities of fundraising, grants, mass communications or volunteer management. This includes: First Name, Last Name, Address, Phone, Email and Photos.

The GDPR expands the threshold to include some of the non-standards like IP addresses, genetic and biometric data.

Platform compliance

Hold the phone – I use a platform like Salesforce for my data, my donation page is provided by Classy, and my website is in WordPress – aren’t those systems compliant and doesn’t that make me compliant?

The answer is no.

Platforms like Salesforce and Classy do have to maintain compliance and you are in better shape for using them, but this regulation is about how your organization handles its data. The platforms themselves may be compliant from a technical and process perspective, but it is not up to Salesforce to make your organization compliant. This is about YOUR data and YOUR processes.

OMG – Help me!

We will!

Compliance with the GDPR really means taking data stewardship seriously. Whether you need comply or not, Fíonta recommends taking advantage of services such as those provided by Fíonta to improve your data stewardship.

Data stewardship is the management and oversight of an organization’s data assets to help provide business users with high-quality data that is easily accessible in a consistent manner.

Many nonprofits have issues with data stewardship and recognizing both the value of this asset and the need to safeguard it closely. Start-up nonprofits often place a high value on the data because it serves as the launchpad for the organization in terms of fundraising, grants, volunteers, etc. Over time, the quality of the data diminishes as mission-focused organizations strapped for time lose track of the importance of data integrity.

For your organization, compliance means:

  • A complete inventory of all the systems where your organization stores electronic information
  • A review of the data being held
  • Managing data in accordance with the regulations, assigning roles and developing processes to ensure continued compliance and ongoing validation

On a larger scale, compliance with the GDPR presents a chance for your organization to refocus on the importance of data stewardship.

How can we help?

Fíonta has always focused on the importance of your data as a foundation for your organization. We can help you with data stewardship and GDPR compliance. Our consultants will help your organization in the following areas:


  • Catalog all systems collecting data
  • Review the practices of the organization for the collection of data
  • Review the accuracy of the data being collected


  • Review the existing policies regarding data governance
  • Align existing policies to general roles expected by the GDPR in terms of processing and controlling information
  • Review and align retention and backup policies
  • Review and align security controls and notification policies


  • Review existing communication policies including opt-in, opt-out, and CAN-SPAM compliance.
  • Modify and align existing policies to the GDPR
  • Create pro-active communications to the existing supporter base as needed

Need help with any of the steps above? Let’s get started together!