Glossary term

GDPR for Nonprofits

GDPR (General Data Protection Regulation) is the EU's comprehensive data privacy law that applies to any organization — including US nonprofits — that processes personal data of people in the EU or UK, regardless of where the organization is based, with substantial fines for non-compliance.

When GDPR applies to a US nonprofit

  • You accept donations or membership signups from EU residents.
  • You run advocacy campaigns or petitions targeting EU audiences.
  • You publish content that profiles EU users (analytics tracking, ad personalization).
  • You partner with EU-based organizations and process shared constituent data.

What GDPR practically requires

  • A lawful basis for every data processing activity (consent, contract, legitimate interest).
  • A privacy notice describing what data is collected, why, how long it’s kept, and who else sees it.
  • Mechanisms for data subject rights: access, correction, deletion, portability, objection.
  • Data Processing Agreements (DPAs) with every vendor that touches EU personal data.
  • Breach notification within 72 hours.
  • Privacy by design — privacy considerations baked into how systems are architected, not retrofitted.

Where it shows up in WordPress work

Cookie banners that actually respect consent (not the dark-pattern “reject all” UI), forms that capture lawful basis, donor and member records that can be exported on request, and contractual DPAs with every plugin that processes personal data — including analytics, email marketing, and CRM integrations.