With a growing global emphasis on privacy regulation, organizations must carefully evaluate how they handle personal information.
Not-for-profit organizations often work with individuals in sensitive situations while providing services, and they collect personal information from their donors; both activities require discretion and careful handling of data. Therefore, it is important for organizations to stay abreast of updates to privacy laws like PIPEDA, PIPA and GDPR.
What are PIPEDA and PIPA?
The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada’s federal data privacy law for private sector organizations. The Personal Information Protection Act (PIPA) is the provincial version of PIPEDA (collectively the “Acts”). The Acts are substantially similar, so while it is important to understand which applies to your organization, the end results are quite similar.
Among other things, the Acts require organizations collecting, using, or sharing personal information in the course of commercial activities to:
- gain consent for its collection,
- take reasonable security measures to keep it safe, and
- limit its disclosure
As of November 2018, organizations must also comply with certain obligations surrounding the recording and reporting of data breaches.
Why PIPEDA and PIPA Matter for Not-For-Profit Organizations
With PIPEDA governing commercial activities, charities and not-for-profits are often unclear whether or how the Act affects them. The first thing you should understand is that your NPO is not automatically exempt from PIPEDA, since “commercial” is defined by activity - not by an organization’s tax status.
Many charities, for example, rely on the sale of goods or services to earn revenue. Selling or leasing fundraising lists also falls under the heading of commercial activity.
Because whether the Acts apply to a given not-for-profit is frequently determined on a case-by-case basis, the safest approach according to legal experts is to err on the side of caution. Assume that, as a charity or NPO in Canada, PIPA or PIPEDA may apply to your organization, and consider taking steps to voluntarily bring your privacy policies and procedures into compliance.
What is GDPR?
The General Data Protection Regulation (GDPR) was implemented across the EU in May 2018 as a way to standardize data protection and privacy laws. It essentially:
- strengthens data protection rights for EU residents,
- imposes strict requirements on organizations that collect, use, disclose, or store personal data, and
- penalizes organizations for non-compliance
Despite being an EU-driven law, the GDPR impacts organizations worldwide. Because many Canadian charities and non-profits process large volumes of donor and client information, their accountability for privacy has increased considerably.
Why GDPR Matters for Not-For-Profit Organizations
According to EDPB (European Data Protection Board) Guidelines, even if your Canadian charity or not-for-profit isn’t established within the EU, if your actions target EU residents, you must comply with the GDPR.
Targeting means that your organization:
- processes the personal data of EU residents to offer them goods or services, or
- monitors their behaviour within the EU
The GDPR can require you to appoint a representative within the EU to oversee your compliance, and failing to do so could open your organization to significant fines.
Overall, voluntarily complying with PIPEDA and GDPR regulations is the most effective approach for:
- safeguarding your NPO’s reputation,
- preserving stakeholder confidence, and
- managing legal and financial liability
Legislative obligations aside, your donors, clients, and staff look to you to protect their personal information, be accountable for its use, and keep it from falling into the wrong hands.
Understanding your organization’s role in terms of cyber security - and what to do in the event of a data breach - is one way to maintain their trust while also avoiding potential penalties.
Webinar: Foundations of Cyber Security for Non-Profits
Hosted by Michael Argast and Alex Oulton, our upcoming webinar will provide guidelines and reasonable measures that non-profits can take to secure their systems and data, and more. During the webinar, you'll learn about:
- The common cyber security threats that not-for-profits face
- Simple steps and affordable tools your organization can use to reduce the risk of a cyber attack
- Where to get help in case of a breach
- Considerations to safeguard your community of interest, staff, and donors
The webinar session will be approximately 40 minutes, with time at the end for a live Q&A. If you can’t attend the live webinar session, you can still register and receive a recording of the webinar afterwards.