GDPR for Nonprofits & Grant Writers

Hey guys! I know we are a bit off-topic today from “How to Find Grants” (and we will definitely continue), but with the time-sensitivity of the new rules under the General Data Protection Regulation, which you have probably heard of as the GDPR, I wanted to give some resources for nonprofits and grant writing consultants.

Full disclaimer: I am not a lawyer, and this podcast is for informational purposes only; it is not intended to act as legal advice. Please consult with legal counsel to determine how GDPR may impact your organization.

However, if you are interested, I do have a lawyer that said she would come on the podcast. Just let me know by sending an email to [email protected].

I have done a lot of research, listened to lawyers, read articles, and talked to other online businesses. What I have learned about the GDPR is that it is an evolution. For example, we are now past the May 25th implementation date, but there have been no cases so it is hard to see what the interpretation of the law will actually be.

In today’s blog, we will talk about what the GDPR is, why it doesn’t just affect the EU, what the impact is on nonprofits and on grant writing consultants, and give you some free downloadable templates.

If you would like a template for privacy policy and some steps for GDPR compliance, please click here (you do not need to provide your email).

So, just what is the GDPR?

Now, some of you may be scratching your heads when I mention GDPR. Although, if you are in the EU, then you have probably been running around like it’s Y2K. Remember the turn of the century panic? Yep, I hear it’s a lot like that. But chances are, you have seen an increase of emails in your inbox over the last week with companies or people asking you to check a box giving them permission to email you or asking if you’d like to remain on their email lists. This is all due to the new European regulations or GDPR.

So what is it? Firstly, the GDPR regulation was not a knee-jerk reaction and did not happen overnight. Well, okay, it was implemented overnight, but this wasn’t a reaction to the recent Facebook controversy. The GDPR privacy regulation has had a two-year transition period, as it was approved and adopted by the EU Parliament in April 2016.

Furthermore, the data protection privacy law has been in effect since 1980 when the Organisation for Economic Co-operation and Development published its Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

As we know, the technology landscape is very different from the 1980s. The influx of social media platforms, the exponential number of people online, as well as prevalent data collection platforms like MailChimp and Aweber have all created easier ways for people to collect, store, and disseminate personal information.

I remember, just several years ago, when buying ‘likes’ on Facebook was part of transparent marketing strategies. People would include ‘buys’ for 5,000 likes on Facebook or whatnot in their branding packages. Thankfully, in the last couple of years, we have transitioned away from the numbers game and gotten more into quality engagement, organic reach, and true followers. But there are many organizations out there that still operate on the quantity system and collect and sell that information without the user’s permission.

So the GDPR is now actively providing a legal strong-arm against data privacy misuse and has the mission to, “protect and empower all EU citizen data privacy and to reshape the way organizations across the region approach data privacy.”

Why would GDPR affect you?

Yes, the GDPR is an EU regulation and applies to organizations located within the EU. However, it also applies to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, people within the EU. It also applies to all organizations processing or holding the personal data of people that reside in – or are traveling within – the EU, regardless of the location of the organization.

Note that goods do not have to be items you sell, but can be marketed items like newsletters. Let me reiterate that I am not a lawyer, but how I interpreted the GDPR regulation – and how others that are knee-deep in researching this regulation have interpreted the GDPR – is that it isn’t meant to reduce access to services for EU citizens but to reduce data privacy violations. I mean, who wants spam that they didn’t sign up for? Nearly all of us have been sent emails or gotten phone calls when we never gave out our contact information. This is annoying, and it does not even get into the deeper, more invasive issues.

So I kind of freaked out, as I do have people from the EU who can purchase my grant writing courses, books, or join my membership. I certainly do not want to take them off my membership or not have resources available to them just because they live in the EU.

I know that, as a nonprofit or consultant, you would not want to do this either. Or – if you are in the EU – you may not want to be removed from lists that you signed up for or be marginalized from services. At the same time, I (as I am sure you do) want to reduce any risk of violating the regulation and getting fined (more about that in a minute)!

But, Holly, I’m based in the States. Why should I pay attention to this?

In the world of Instagram, Facebook, Twitter, and so on, chances are that you have followers from all over the world. If you have a website, which all of you should at some point, then people from outside of the States may be looking at your website. You want your nonprofit or grant writing consultancy to be known. Maybe your nonprofit offers scholarships for foreign exchange programs with European/US students, serves orphanages in Hungary, or simply has a lot of followers from all over the world.

Maybe your consultancy serves nonprofits overseas and sells products online. Or possibly, just possibly, you have some people on your list that travel to the EU and receive an email from you while traveling. These are definitely things to consider. The GDPR regulation does not exempt any business, nonprofit, or individual from this regulation. All organizations that have collected personal data of EU citizens — whether they are employees, donors, volunteers, or beneficiaries — are affected and will be responsible for GDPR compliance.

The pure IT nature of this regulation makes it a global concept at the very least. Rashmi Knowles, chief technology officer at RSA Security states that,

“GDPR is interesting because it is the first time that the EU is exporting regulation. In the past, everything created by the EU applied to the EU. Now we have this regulation, but it is going to apply globally. If anybody wants to use the data of EU citizens or consumers, they have to comply, so it is exporting privacy rules to other countries.”

Knowles goes on to say that,

“Because GDPR is having so much prominence in what organizations around the world are doing to meet data protection requirements, it is becoming the de facto global legal framework.”

This is definitely happening. Some countries are already stepping into compliance. According to Robert Bond, Data Protection Network chairman and partner at legal firm Bristows,

“Japan has been following developments closely and is looking to make its data laws compatible with European legislation.”

He continued to state that Singapore regulators are following GDPR closely to ensure that they have an advantage in the new era of data collection.

“When you look at GDPR, it says that you can’t transfer data to another part of the world that isn’t deemed to have adequate protections for the rights of individuals or a decent law,” Bond stated. Another forward-thinking country is South Africa, which developed a new data privacy law modeled on European legislation.

That being said, other countries are waiting to see how the GDPR plays out, so they know how to move forward in their own data protection privacy regulations.

As I stated above, this really is an evolutionary process of the interpretation of the GDPR right now, which will become more clear once court cases are tested.

What are the penalties for non-compliance?

According to the GDPR regulation, there are hefty fines for non-compliance with GDPR.

Organizations can be fined up to 4% of annual global turnover or €20 Million for breaching GDPR. This is the maximum fine that can be imposed for the most serious infringements, e.g., not having sufficient customer consent to process data or violating the core of Privacy by Design concepts.

It is important to note that these rules apply to both controllers and processors — meaning ‘clouds’ will not be exempt from GDPR enforcement.

You are probably a data controller or processor

A data controller does not necessarily mean an academic who runs sophisticated data collection software; it can simply mean a person who keeps email addresses. The actual definitions of a data controller and data processor are as follows:

The data controller is the entity that determines the purposes, conditions, and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.

What this definition actually translates to is the person who collects and keeps information. For example, if your nonprofit has a call to action on your website, app, or phone for donors to give to your nonprofit, and you then collect email addresses/phone numbers/names and so forth, you are a data controller. Maybe you run fundraisers or crowdfunders where you collect email addresses and then send out reminder emails or keep them on your mailing list for future emails.

If you are a freelance grant writer or run a grant writing company, and you collect emails, names, or phone numbers via your website, social media, or even in person, then you collect personal data. Many of you may use platforms such as MailChimp or Aweber and enter your email addresses into this online software. These are actually good tools to use, as they keep personal information in one clearly defined place, make it easy for subscribers to unsubscribe, and store your data in user-friendly systems.

So should you stop collecting data? No! Keep collecting data, but make sure you do it in compliance with the GDPR.

How to become compliant with GDPR

As stated a few times already, this may change as the regulations are played out over time. But, for now, it’s easier to keep in mind the following:

Be very clear and transparent with subscribers on what they will receive when joining your email list.

  • Never give subscribers’ emails or personal information to anyone else
  • Your list should only receive emails from you
  • Make sure your privacy policy is easy to see
  • Subscribers should be able to unsubscribe easily – and this should be clearly seen and readily accessible
  • Do not include pre-ticked boxes of subscriber consent

It has become very fashionable to have ‘lead generators’ to attract subscribers to your email list. This could be in the form of a free download, a quiz, etcetera. You can absolutely still do this, but if you only include the language of “Download this Free PDF,” then all you can email is that specific Free PDF: you cannot include follow-up marketing for other products, future launches, etc. In that way, giving things away for free with no follow-up marketing removes much of the point of using free items as lead generators.

With this said, many people are now going back to the good ol’ newsletter approach. For example, we just released a new free downloadable resource – The Funding Toolkit: Top 10 Tips to Position Nonprofits for Funding. This was done pre-GDPR implementation date. Now I have changed the language and look of the lead generator so that it is included as a bonus gift within the Grant Writing & Funding Free Membership.

So it really is pretty simple. On the back-end, I do need to make sure I am in compliance with the data controlling regulations. I use MailChimp and BookFunnel which are large platforms where they do a lot of this for me. Yay! So if any person from the EU asked me where their email was kept and what I was doing with it, I could find it on these platforms and send them a snapshot of where their data was hosted, what list they joined, what date they joined, and so forth.

Another thing to consider, if you have a mailing list, is providing double opt-in. In the second opt-in form that is emailed to the subscriber, you can list what they will get when they confirm their email address. Also, be sure to include your privacy policy link and an unsubscribe button, as they are not subscribed until they click on the double opt-in confirmation.
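The double opt-in flow just described, together with the record-keeping from a couple of paragraphs earlier (being able to tell a subscriber which list they joined, when, and what they were promised), as an added Python example. This is not code from this post or from MailChimp, BookFunnel, or any other platform; the `MailingList` class, the 48-hour validity of the confirmation link, and the per-deployment secret are assumptions made for illustration.

```python
"""Double opt-in with a consent record (added example, not the post's own code)."""
import hashlib
import hmac
import secrets
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# Assumption: a per-deployment secret kept outside the code (env var, secret store).
# It is generated here only so the example runs stand-alone.
CONFIRM_SECRET = secrets.token_bytes(32)
# Assumed validity of a confirmation link; pick whatever your policy states.
CONFIRM_TTL = timedelta(hours=48)


@dataclass
class ConsentRecord:
    """Everything you need to show a subscriber who asks what you hold about them."""
    email: str
    list_name: str
    purpose: str                 # the exact wording the subscriber was shown at sign-up
    source: str                  # where the sign-up happened (website form, event, ...)
    requested_at: str            # ISO 8601 timestamps in UTC
    confirmed_at: Optional[str] = None
    unsubscribed_at: Optional[str] = None


def _now(now: Optional[datetime]) -> datetime:
    return now or datetime.now(timezone.utc)


def _token_key(token: str) -> str:
    # Only a keyed hash of the token is stored, so a leaked pending table
    # cannot be used to confirm an address the person never clicked for.
    return hmac.new(CONFIRM_SECRET, token.encode(), hashlib.sha256).hexdigest()


class MailingList:
    def __init__(self, list_name: str, purpose: str) -> None:
        self.list_name = list_name
        self.purpose = purpose
        self._pending: Dict[str, Tuple[str, datetime]] = {}  # token key -> (email, expiry)
        self._records: Dict[str, ConsentRecord] = {}         # email -> consent record

    def request_subscription(self, email: str, source: str,
                             now: Optional[datetime] = None) -> str:
        """Step 1: the sign-up form was submitted. Nothing is sent to the list yet.
        Returns the single-use token to embed in the confirmation email link."""
        t = _now(now)
        token = secrets.token_urlsafe(32)
        self._pending[_token_key(token)] = (email, t + CONFIRM_TTL)
        if not self.is_subscribed(email):  # never overwrite an existing confirmed consent
            self._records[email] = ConsentRecord(email, self.list_name, self.purpose,
                                                 source, t.isoformat())
        return token

    def confirm(self, token: str, now: Optional[datetime] = None) -> bool:
        """Step 2: the subscriber clicked the link. Only now is consent complete."""
        t = _now(now)
        entry = self._pending.pop(_token_key(token), None)  # pop makes the token single-use
        if entry is None:
            return False
        email, expires = entry
        if t > expires:
            return False  # stale link: the person must sign up again
        self._records[email].confirmed_at = t.isoformat()
        return True

    def unsubscribe(self, email: str, now: Optional[datetime] = None) -> bool:
        rec = self._records.get(email)
        if rec is None or rec.confirmed_at is None:
            return False
        rec.unsubscribed_at = _now(now).isoformat()
        return True

    def is_subscribed(self, email: str) -> bool:
        rec = self._records.get(email)
        return (rec is not None and rec.confirmed_at is not None
                and rec.unsubscribed_at is None)

    def recipients(self) -> list:
        """The only addresses a campaign may go to: confirmed and not unsubscribed."""
        return [e for e in self._records if self.is_subscribed(e)]

    def access_request(self, email: str) -> Optional[dict]:
        """What to hand back when someone asks which list they joined and when."""
        rec = self._records.get(email)
        return asdict(rec) if rec else None
```

The point of keeping `purpose` and `source` on the record is that the consent you can later demonstrate is only as good as what the person was actually shown; an unconfirmed request never makes it into `recipients()`, and an expired or reused link is refused rather than silently accepted.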

Are you at risk of non-compliance?

The risk of non-compliance is there if you do not adhere to the above information. What is your specific risk? This regulation was put into effect to stop the mass-scale selling of personal data. So if you run a small nonprofit with less than a $250,000 annual operating budget in the States, you may not be at high risk of non-compliance with GDPR. If you are a freelance grant writer who only serves nonprofits in the States, then your risk is very low.

Really, the advice I am hearing in the States so far is very mixed. Some organizations are going completely overboard on GDPR and erasing their email lists of anyone who did not click ‘yes, keep me subscribed’ in response to the frantic email that was sent out last week. For many people, that is really not the intent of the regulation. Others are still completely in the dark about GDPR and carrying on in the old-fashioned way.

Honestly, I think that if you tweak your language on any sign-up form, whether that be on apps, social media, website, in-person events, etcetera, then you will have several advantages.

  1. Your nonprofit or organization will become clear with what you are giving subscribers.
    • This simple initiative might help you identify what sort of content you want to share with your donors, volunteers, members, or clients.
  2. You will get fewer, yet better quality leads.
    • For example, some people (okay, a lot) may just sign up to get your free download or take the free quiz on what type of sea animal they are, but never even open subsequent emails. So now that they know you will be sending other emails, they may not sign up. That is fine for you as they weren’t really interested in becoming a part of your community before and because of the pure numbers you may have been paying for them to be on your list. MailChimp is free until you reach 2,000 subscribers. What if you have 2,500 subscribers now, and – if you deleted those who don’t open your email – you are at 1,500 subscribers? Then your MailChimp would be free and your open rate and conversion rates would increase and become more real.
  3. You are on the road to potential compliance with new regulations.
    • In this way, you will be one step closer to potential future regulations and will be more prepared.
  4. You can serve EU customers/followers.
    • What if all of a sudden the nonprofit started working more in the EU or if you started getting EU clients? You would be fully prepared and compliant with regulations. You may not think that would ever happen, but you never know. If your nonprofit does emergency work and suddenly there was a crisis in Europe, you may do some work there and start connecting online with EU citizens.


To share your thoughts:

Send Holly an email at

To help out the show:

Leave an honest review on iTunes. Your ratings and reviews really help, and I read all of them!

To learn more and increase your skills:

Click here to check out Holly’s Signature Courses

To pick Holly’s brain:

Click here to book your 1:1 Call with Holly


Download one of Grant Writing & Funding’s free resources to achieve, advance, & accelerate your funding skills.