FundSvcs Community

Compliance question

  • 1.  Compliance question

    Posted 10-26-2021 10:34 AM

    Hi Everyone - I'm wondering if there are a set of standards or best practices for email and/or hard mail compliance. We send out fundraising solicitations, newsletters, and general information. This goes out both domestically and internationally.


    We are aware of the GDPR laws and suppress most addresses in these countries as well as the UK, China, Canada. Are there other countries that have data privacy laws?

    Similarly, we understand that there are several states domestically that have laws pending. Do we need to suppress any constituents domestically? Does anyone have a list or set of standards that they use? We would be very excited to start a group to track these types of compliance-related considerations. Please let me know if anyone has information that we can reference.

    ------------------------------
    Marta Kostrzewa
    Finance and Administration Manager
    Pratt Institute
    mkostrze@pratt.edu
    ------------------------------


  • 2.  RE: Compliance question

    Posted 10-26-2021 11:42 AM
    Hi Marta,

    In terms of tracking the laws, I use https://iapp.org/resources/article/us-state-privacy-legislation-tracker/ and the linked comparison table.

    Specifically as regards sending email or paper mail, the state laws don't regulate (and as I understand it, are not permitted to regulate) the sending of communications. They regulate how data about their citizens is stored, used, and guarded. The requirements stemming from those laws relate to which data you collect, how you store it, whether you sell it, your obligations in case of breach, etc. None of that is really impacted by whether you actually use the email or not. Suppressing sends to your NY addresses doesn't relieve you of the provisions of NY SHIELD.

    A really excellent review of the relevant laws and guiding policies/best practices can be found as a PDF here https://www.bdo.com/BDO/media/Webinar-Handouts/BDO-Navigating-Data-Privacy-and-Cybersecurity-for-Nonprofits.pdf It dates back to the end of 2019, so, for example, NY SHIELD is now law, but it does a great job of distilling the key ideas and practices that can guide you.


    Thank you,
    Isaac Shalev
    Data Strategy Expert
    Sage70, Inc.
    (917) 859-0151
    isaac@sage70.com

    Schedule a 30-minute consultation now:

  • 3.  RE: Compliance question

    Posted 10-26-2021 11:57 AM
    In addition to these good points, keep in mind that these regulations do not necessarily preclude your ability to communicate with constituents if they have offered consent or opted in.

    When it comes to State regulations, some have been written explicitly pertaining to commercial enterprises.  Nonprofit organizations might be automatically exempt or exempt if the nonprofit has an existing relationship with the constituent.

    I see more organizations assigning the role of "Compliance Officer" to someone within the Advancement office.  Not only do we have these privacy issues, but there's also the IRS, FASB, FERPA, HIPAA, and even CASE.  Having one individual responsible for ensuring compliance - and providing that person with necessary resources and professional development opportunities - is worth consideration, especially in larger organizations.

    John

    John H. Taylor
    Principal
    John H. Taylor Consulting, LLC
    2604 Sevier St.
    Durham, NC   27705
    919.816.5903 (cell/text)

    Serving the Advancement Community Since 1987