When new European privacy regulations go into effect 25 May, fundraising institutions in Europe will face the big task of ensuring the personal data they collect is in compliance. Though the General Data Protection Regulation does present challenges, it also offers some opportunities, according to one development expert.

"The way university fundraisers handle the personal data of alumni and other supporters is key to cultivating confidence and trust. It's something we all should want to do well—privacy by design should be our natural state. It's just that we now need to document how we do it in our fundraising systems and processes," writes Kerry Rock, director of business development at Prospecting for Gold, in the March/April issue of Currents.

But, as Rock elaborates, GDPR also presents a unique opportunity for institutions.

"Because we have to better communicate what we do with data we collect, GDPR affords us an opportunity to educate our constituents about the role of philanthropy in our missions," writes Rock. "The principles of GDPR—including the idea that the data we gather should be accurate, relevant and minimal—force us to think about the information we really need, which should improve our efficiency and effectiveness."

Rock offers key takeaways for institutions preparing to enter the world of GDPR.

1. GDPR affects institutions worldwide. If your organization communicates with alumni in Europe or conducts prospect screening there, GDPR applies to your institution, writes Rock. While the fines for violating GDPR may not be worrisome, your constituents can still complain about communications, or regulators could review privacy statements online. Review your privacy policies with this in mind, Rock writes.
2. Get your data together. To better manage new data regulations, Rock recommends setting a plan to control data housed in every department at your institution. Start by conducting a data-mapping exercise to determine what data is being stored and where. Then examine the data the institution is allowed to keep in the file. Without legitimate interests, some information, like religion, should be removed.
3. Be transparent with donors. Under GDPR, your institution must make available the information maintained about every donor. A donor can also request information about how the data was obtained and who has reviewed it, which is a reminder to be careful about what is included in files, writes Kerry. 

This article is from the April 2018 BriefCASE issue.