General Data Protection Regulation (GDPR)

At Gravyty, data privacy and security are at the core of our business. We take these responsibilities seriously and are diligent about protecting the data of our customers.

As of May 25, 2018, substantial changes to data protection are coming through the rollout of the General Data Protection Regulation (GDPR), a new regulation in the European Union (EU). GDPR has been top of mind for mainstream press, the nonprofit sector, and us. We will continue to build features to ensure that our clients are able to maintain compliance with the regulation.

Organizations Based Outside of the EU

While GDPR is set forth by the EU, the impact of GDPR may reach non-EU organizations. As a result, we have prepared the following helpful considerations, should you determine that your organization needs to comply.

GDPR Overview

The General Data Protection Regulation (GDPR) is a European (EU) regulation that becomes effective on May 25, 2018. It is designed to replace existing, outdated European data protection legislation and ensure organizations treat data about Europeans in a more secure manner, focused on the privacy rights of these individuals, whom the law refers to as “data subjects”. For nonprofits, these data subjects may include employees, supporters, customers, donors, and constituents - essentially any European person about whom you hold personal data.

You can read specifics about the regulation and the data protection principles here:

To whom does GDPR Apply?

The GDPR applies to organizations processing (collecting, recording, storing, using, disclosing, etc.) personal data if the organization is established in the EU, targeting individuals in the EU, monitoring individuals in the EU, or performing these tasks as obligated via contract. Organizations that are subject to the GDPR and that collect, store or process personal data must comply with the GDPR’s Data Protection Principles and other conditions of processing. The GDPR applies to both for-profit and nonprofit organizations.

Non-EU organizations can be subject to the GDPR if they actively target individuals in the EU by, for example, actively advertising in the EU, using an EU language, or accepting payments in an EU currency.

Gravyty cannot determine whether or not your organization is subject to GDPR but is committed to ensuring that our services help our clients fulfill their compliance obligations, as determined by their legal counsel.

How Can I Determine if My Organization Is Subject to GDPR?

To determine eligibility, it is best to work with your legal counsel to determine your obligations. The information on this page is provided as guidance but is not legal advice or legal opinion.

What is Gravyty’s Role in Assisting our Customers’ Compliance with GDPR?

At Gravyty, data privacy and security are at the core of our business. We are diligent about protecting the data of our customers.

In our relevant services, new communication and data management features are being released to assist our clients with their GDPR compliance obligations. We do not guarantee that the use of these features will make an organization compliant; rather, we have designed these features and documentation to assist with your compliance process.

How will GDPR impact Your Organization in the Future?

The nature of the regulation, and enforcement of its articles, will evolve after the go-live date of enforcement on May 25, 2018. As clarity around GDPR increases, we remain committed to fully supporting our clients in ensuring compliance and the respectful use of individual data.

Further Information

General inquiries about GDPR in relation to the use of Gravyty services should be emailed to with the subject ‘GDPR Inquiry’ or discussed with your Account Manager.