Section Navigation


General Data Protection Regulation (GDPR)

Data protection laws across Europe are undergoing their first substantial changes in approximately 20 years. The General Data Protection Regulation (GDPR), due to come into law on May 25, 2018 is at the center of the change and has received intense coverage across the non-profit sector and mainstream press. The rationale behind the changes is to bring aging data collection practices up-to-date and incorporate data protection, privacy mandates and best practices.

At Blackbaud, data protection and privacy are a priority. We continue to design new functionality that marry data compliance with fundraising best practice, and our new communication preference management features are designed to provide organizations with the tools they need to ensure their data collection and usage practices meet the requirements of GDPR, as part of your compliance process.

If you are an EU organization, please refer to our GDPR Toolkit and Collecting Consent Customer Hub for more information and GDPR resources.

If you are an organization outside of the EU, please refer to our FAQ below to find out more information about GDPR and whether you could be subject to it.

GDPR for Organizations Outside of the EU

While the GDPR is a European Union (EU) privacy law, organizations outside of the EU can also be subject to the GDPR. We have prepared a FAQ to help answer the often-complex questions surrounding GDPR compliance and developed a comprehensive set of resources to assist you in your GDPR compliance practices, should you determine that your organization needs to comply.

What is the GDPR?

The General Data Protection Regulation (GDPR) is a European Union (EU) legislation that will be enforceable from May 25, 2018, replacing the aging Data Protection Act (DPA). It is designed to both strengthen and harmonize data protection across EU member states, and ensure organizations treat the personal data of individuals—supporters, customers, donors and constituents­­—with more respect and ultimately strengthen trust between organizations and individuals.

Who does the GDPR apply to?

The GDPR applies to any organization processing (collecting, recording, storying, using, disclosing, etc.) an individual’s personal data if the organization is either established in the EU, targeting in the EU, monitoring EU residents or performing these tasks as obligated via contract. Such organizations that are subject to the GDPR and collect, store or process personal data must comply with the GDPR’s Data Protection Principles and other conditions of processing. The GDPR makes no distinction between non-profit or for-profit organizations.

Does the GDPR only apply to EU organizations?

No. Organizations outside of the EU can also be subject to the GDPR if they hold or process personal data of EU citizens—regardless of whether the company is based in the EU or not—but only if they’re actively targeting EU residents by taking steps like using an EU language or currency or specifically advertising in the EU. Blackbaud cannot determine whether or not your organization must comply with GDPR, but our infographic Could You Be Subject to GDPR? may provide some guidance or be a good starting point for discussions with your organization’s legal counsel.

Could my organization be subject to the GDPR?

You could be subject to GDPR if your organization is:

  1. Established in the EU
    • GDPR will apply to controllers or processors established in the EU, regardless of where the processing occurs.
    • Established can be legal organization or where the processor exercises any real or effective activities through a stable arrangement in the EU.
  2. Targeting in the EU
    • Not established in the EU, but processing is related to offering goods or services to people in the EU.
    • The processor must be taking actions to target EU residents, like using an EU language or currency, advertising in the EU, using EU country top-level domain name etc.
  3. Monitoring EU Residents
    • Not established in the EU but processing is related to monitoring the behavior of people in the EU.
    • Monitoring is tracking individuals on the internet for purpose of analysis, including making user profiles to make decisions or predicts behaviors.
  4. Obligated via Contract
    • Not covered by the three points outlines above but is contractually obligated to comply with GDPR.
    • Organizations not subject to GDPR may agree to process data in accordance with its provisions.

How can I check if my organization is legally subject to the GDPR?

If you believe your organization could be subject to the GDPR, it is best to work with your legal advisor, who is familiar with your practices and constituents, to determine your obligations under existing laws. While the information provided herein is reliable, it does not constitute legal advice and should not be construed as legal advice or legal opinion. 

What are the GDPR data protection principles?

The data protection principles in the GDPR remain largely unchanged from those contained in the UK’s Data Protection Act of 1988. They feature prominently in the GDPR as the main tenets of data protection and privacy.

  • Lawfulness, fairness and transparency: Processing must be lawful, fair and transparent.
  • Purpose limitation: Personal data must be collected for specified, explicit and legitimate purposes and not further processed in an incompatible way.
  • Data minimization: Personal data must be adequate, relevant and limited to what is necessary to achieve the purposes for which it was collected.
  • Accuracy: Personal data must be accurate and kept up to date and collector must take reasonable steps to rectify or erase inaccurate data.
  • Storage Limitation: Personal data must not be kept in identifiable form for longer than necessary.
  • Integrity and confidentiality: Personal data must be processed in a way that ensures security of the data and protects it from unauthorized use.
  • Accountability: Controllers must demonstrate compliance with the Principles.

If I am an organization outside of the EU and subject to the GDPR, do I need to apply the GDPR compliance and consent practices to my full constituent base or to only those individuals in the EU?

If you are subject to the GDPR, after May 2018 you will only be able to process data of individuals in the EU in compliance with the GDPR (see following question below). If you're relying on opt-in consent as your legal basis for data processing under the GDPR, you will have needed to collect that consent before May 2018.

In regard to applying the GDPR compliance practices to your constituents located outside of the EU (for example such as those in North America), we cannot provide a definitive answer to that. However, as the industry becomes more stringent on security and compliance, ensuring proper consent of personal data is a best practice in general. You should confer with your Data Protection Officer or legal advisors to determine what your best practices and process should be here.

What are the 6 legal bases for processing data?

While much of the focus of the GDPR is on opt-in consent, there remain six lawful bases under which you can process data. You must decide which legal basis you are relying on for processing personal data for each of your activities and clearly document this. Aside from processing based on consent, GDPR provides that processing personal data can be lawful if it is necessary for the performance of a contract, to comply with a legal obligation, to protect a person’s vital interests, for the performance of a task carried out in the public interest or in the exercise of controller’s official authority, or for legitimate interests of the controller. For more information visit the Blackbaud’s datasheet on Important Impacts of GDPR.

What is Blackbaud’s role in relation to the GDPR?

Blackbaud is fully committed to data protection and ensuring our solutions are optimized for data compliance with fundraising best practice. We have consulted with a wide range of data protection authorities, customers, legal counsel and product development leadership since March 2016, and have continued to work on ways to improve the user experience in our solutions, specifically in regard to the capture, recording and use of your supporters’ consent.

New communication preference management features in our solutions are have begun to be released (beginning in Q4 2017 and continuing into 2018) and while we do not guarantee that the use of our solutions make an organization GDPR compliant, these tools are designed to assist with the compliance process.

What communication preference management features are going to be released in which products?

To find out more information on what features are being released in which releases of products, view our GDPR-related product roadmaps here.

How do I upgrade to the latest version of my Blackbaud solution to harness these new features?

If you are on a Blackbaud cloud or hosted solution and Blackbaud delivers updates for you, you will be able to a leverage market-leading communication preference management, in accordance with GDPR requirements, as soon as the features are available.

If you determine the upgrade schedule of your Blackbaud solutions, you will need to upgrade to the latest version of your products to avail of these new features.

If I upgrade to the latest version of my solution and make use of the new communication preference management features, will I be GDPR compliant?

No, simply upgrading does not make your organization compliant. The onus is on your organization’s internal data management practices to ensure compliance. Blackbaud’s new features are designed to assist your organization in your compliance efforts, such as enabling you to collect and evidence opt-ins and opt-outs in a GDPR-compliant way.

Where can I learn more about the GDPR and collecting consent?

Blackbaud have developed a comprehensive library of resources to support your organization’s GDPR compliance practices which can be found on our two GDPR hubs:

Additional materials you can find across these hubs include:

We at Blackbaud respect your concerns about privacy and value the relationship we have with you.   These Principles set forth Blackbaud’s requirements for complying with the Australian Privacy Principles (APPs) that go into effect on March 12, 2014.

For purposes of this Notice, "Personal Information" means information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an Australian consumer, customer, supplier or other individual (excluding Blackbaud employees) (hereinafter “Individual”), whose identity is apparent, or can reasonably be ascertained, from the information or opinion.  This Policy applies to Individuals.

APP 1 – Open and Transparent Management of Personal Information

Blackbaud has ongoing practices and policies in place to ensure that it manages personal information in an open and transparent way.   This Policy is freely available on Blackbaud’s website.  An Individual may also obtain a copy and/or complain about a breach of the APPs  by contacting us as specified below.

Blackbaud collects certain Personal Information such as name, email address, postal address and telephone number of an Individual.  

Blackbaud processes some Personal Information in the United States and Australia.

APP 2 – Anonymity and Pseudonymity

You have the right to deal with Blackbaud without using your true name, but in so doing you may prevent us from sharing free content with you or providing you with other services. 

APP 3 – Collection of Solicited Personal Information

Blackbaud will not knowingly collect Personal Information about you unless the information is reasonably necessary for one or more of Blackbaud’s functions or activities.   Blackbaud collects information on Individuals from those Individuals unless it is unreasonable or impractical to do so.  In addition, we will not knowingly collect Sensitive Personal Information about you without your consent; for purposes of this Policy, Sensitive Personal Information includes:>

  • racial or ethnic origin;
  • political opinions;
  • membership in a political association;
  • religious beliefs or affiliations;
  • philosophical beliefs;
  • membership in a professional or trade association;
  • membership in a trade union;
  • sexual preferences or practices;
  • criminal record; or
  • health/genetic/biometric information.

APP 4 – Dealing with Unsolicited Personal Information

When Blackbaud receives unsolicited Personal Information, it will determine whether it would have been permitted to collect the information under APP 3, above.  If so APP 3 applies to that information.  If the information could not have been collected under APP 3, the Blackbaud will destroy or de-identify that information if it is lawful or reasonable to do so.

APP 5 – Notification of the Collection of Personal Information

At or before the time (or, if that is not practicable, as soon as practicable after) Blackbaud collects personal information about an Individual from the Individual, Blackbaud notifies the Individual about the purposes for which we collect and use Personal Information, the types of third parties to which we disclose the information, the choices Individuals have for limiting the use and disclosure of their information, and how to contact us about our practices concerning Personal Information.

APP 6 – Use and Disclosure of Personal Information

Blackbaud will not use or disclose Personal Information for purposes other than those for which it was collected except in accordance with the “permitted general situations” under Section 16a of the APPs, in accordance with “permitted health situations” under Section 16b of the APPs, or as otherwise required or permitted by law.  Blackbaud may use or disclose Personal Information for “secondary purposes” in accordance with Section 6 of the APPs  (formerly Section 2 of the National Privacy Principles).

We use Personal Information of Individuals (i) to respond to your requests, (ii) to evaluate the quality of our products and services, (iii) to communicate with you about our products, services and related issues, (iv) to notify you of and administer offers, contests, sweepstakes and other promotions, and (v) for internal administrative and analytics purposes and to comply with our legal obligations, policies and procedures.

Blackbaud Pacific uses third party providers on occasion to assist in the provision of marketing services. These providers have confidentiality agreements with Blackbaud and adhere to all relevant data privacy requirements and include:


APP 7 – Direct Marketing

Blackbaud will comply with the APPs and other relevant legislation in connection with direct marketing to Individuals.

APP 8 – Cross-Border Disclosures

When information subject to the APPs is transferred by Blackbaud to the United States, it will remain subject to the protections of this Policy, in the same way as recorded information from the European Union transferred to the US is subject to the Safe Harbor Principles accepted by the European Union, under which Blackbaud self-certifies.

APPS 10 – Quality of Personal Information

Blackbaud takes reasonable steps to ensure that Personal Information collected by Blackbaud is relevant for the purposes for which it is to be used and that the information is reliable for its intended use and is accurate, complete and current.

APP 11 – Security of Personal Information

Blackbaud maintains reasonable administrative, technical and physical safeguards to protect Personal Information from loss, misuse and unauthorized access, disclosure, alteration and destruction.

APP 12 – Access to Personal Information

Blackbaud provides Individuals with reasonable access to the Personal Information maintained about them. We also provide a reasonable opportunity to correct, amend or delete that information where it is inaccurate. We may limit or deny access to Personal Information where providing such access is unreasonably burdensome or expensive under the circumstances, or as otherwise permitted by the APPs. To obtain access to Personal Information, Individuals  may contact Blackbaud as specified in the "How to Contact Us" section of this Policy.

APP 13 – Correction of Personal Information

Blackbaud takes reasonable steps to ensure that Personal Information collected by Blackbaud is relevant for the purposes for which it is to be used and that the information is reliable for its intended use and is accurate, complete and current.   Individuals may correct their Personal Information whenever necessary.   To correct their Personal Information, Individuals  may contact Blackbaud as specified in the "How to Contact Us" section of this Policy.

How to Contact Us

Please address any questions or concerns regarding our practices concerning Personal Information by:

Contacting us through our website: Click here,  or

Writing to:


Attention: Law Department

2000 Daniel Island Drive

Charleston, SC, 29492-7541



The Policy may be amended from time to time in compliance with law and the APPs.    Please check this Policy for updates.

This Policy was last updated and posted on January 10, 2014.

Blackbaud Safe Harbor Privacy Notice

Safe Harbor
Websites to which this Safe Harbor Privacy Notice ("Notice") applies are United States-based websites and are subject to United States law. Laws related to Personal Data vary by country. For example, Personal Data collected in the European Union is subject to laws based on the European Union Data Protection Directive. Blackbaud, its subsidiaries and affiliates (“Blackbaud”) are certified under the Safe Harbor privacy framework as set forth by the U.S. Department of Commerce regarding the collection, storage, transfer, use and other processing of consumer customer, supplier and other Personal Data transferred from the European Union and Switzerland to the United States.

Click here to view our Safe Harbor Privacy Notice.


Serving the nonprofit, charitable giving, and education communities for more than 30 years, Blackbaud (NASDAQ:BLKB) combines technology solutions and expertise to help organizations achieve their missions. Blackbaud works in over 60 countries to support more than 30,000 customers, including nonprofits, K–12 private and higher education institutions, healthcare organizations, foundations, and other charitable giving entities, and corporations.

Privacy Policy Safe Harbor Notice Terms of Use Acceptable Use Policy General Data Protection Regulation Sitemap
© 2017 Blackbaud, Inc. All Rights Reserved