Last September, the president of a suburban PTA got an email that made her stomach drop. A parent had written a polite but firm message: "Under the GDPR, I'd like to know exactly what personal data you hold on me and my children, and I'd like it deleted." The PTA president stared at her screen. She knew they had a Google Sheet with parent names, emails, phone numbers, and children's names and grades. There was also a PayPal account with transaction histories, a WhatsApp group with years of messages, an old Mailchimp list from a fundraiser three years ago, and a signup form from a bake sale that collected home addresses for delivery. She had no idea where all the data was, who had access to it, or whether she was even allowed to have most of it. She definitely didn't know what the GDPR required her to do next. That moment of panic is happening in community organizations everywhere -- PTAs, sports clubs, parish councils, neighborhood associations, alumni groups, scout troops. Data privacy law isn't just for tech companies anymore. If your organization collects personal information about members, you have legal obligations, and the good news is they're more manageable than you think.
What the GDPR Actually Is (and Why It Applies to You)
The General Data Protection Regulation is a European Union law that became enforceable on 25 May 2018. It governs how organizations collect, store, use, and share the personal data of individuals in the EU. But here's what catches most community leaders off guard: the GDPR has no exemption for small organizations, nonprofits, or community groups. It applies equally to a multinational corporation and your local choir. The one concession to size, a limited relief from the formal record-keeping duty for organizations with fewer than 250 staff, falls away as soon as processing is regular (a membership list is) or involves sensitive data such as children's health information, so in practice it rarely helps a community group.
If your organization is based in the EU, the GDPR applies to everything you do with personal data. If it is based elsewhere, the GDPR reaches you when you offer services or membership to people in the EU or monitor their behaviour, so an alumni group that deliberately recruits EU-based members, or a website that takes signups from EU visitors, is potentially in scope; a single incidental EU contact does not automatically bring you in, but the safer assumption is that it might. And even if you're a purely domestic US organization, the GDPR matters because it has inspired a wave of similar privacy laws worldwide, including in US states like California, Colorado, Delaware, and Oregon.
The core idea is straightforward: people have the right to know what data you hold about them, why you have it, and what you're doing with it. They also have the right to ask you to correct it, delete it, or hand it over in a portable format. Your job as a community organization is to respect those rights and handle personal data responsibly.
What Data Are You Actually Collecting?
Most community organizations collect far more personal data than they realize. Take a minute and think about what your group has accumulated over the years:
- Member directories with names, emails, phone numbers, and home addresses
- Payment records from dues, donations, event tickets, and fundraisers
- Children's information including names, ages, grades, allergies, and medical conditions
- Event registration forms with dietary preferences, accessibility needs, and emergency contacts
- Communication archives in email lists, WhatsApp groups, Slack channels, and social media
- Photos and videos from events that may include identifiable individuals and their children
- Volunteer records with availability, skills, background check results, and driving license details
That's a lot of sensitive information, and much of it is probably scattered across personal devices, cloud accounts, and spreadsheets that multiple people have access to. Some of it is also "special category" data under the GDPR: health details such as allergies and medical conditions, and anything revealing religion or ethnicity. Processing special category data needs an extra justification on top of the ordinary lawful basis, usually the person's explicit consent (for a child, a parent's), so treat those fields as the most carefully guarded ones you hold.
The first question to ask is not "how do we protect all this?" but rather "do we actually need all this?" The GDPR's principle of data minimization says you should only collect and keep personal data that's genuinely necessary for a specific, stated purpose. If you're collecting home addresses but never mail anything to members, stop collecting home addresses. If you have event signups from three years ago, delete them.
Lawful Bases: Why Are You Processing This Data?
Under the GDPR, you need a legal justification for every piece of personal data you process. There are six lawful bases, but community organizations typically rely on three:
Consent is the most familiar one. A member actively agrees to you using their data for a specific purpose. This is what you need for things like marketing emails, newsletters, and photo sharing. Consent must be freely given, specific, informed, and unambiguous. A pre-ticked checkbox doesn't count. Burying consent in a wall of terms and conditions doesn't count. Adding someone to a mailing list because they attended an event doesn't count. You need a clear, affirmative action -- "Yes, I'd like to receive the monthly newsletter" -- and you need to make it just as easy to withdraw consent as it was to give it.
Legitimate interest is more flexible but requires more thought. You can process data without explicit consent if you have a genuine reason for it and that reason isn't outweighed by the individual's own interests, rights, and reasonable expectations. For example, a sports club keeping a roster of team members and their positions, or a neighborhood association keeping the contact details it needs to tell residents about a planning meeting. You need to conduct and write down a balancing test: is your interest in processing the data proportionate, would the person expect it, and does it unfairly impact them? Sending a member a reminder about their upcoming dues renewal is probably legitimate interest. Sharing their email with a third-party sponsor without telling them is not.
Contract performance applies when processing data is necessary to fulfill a contractual obligation. If someone pays membership dues, you need their payment details and contact information to manage that membership. This basis covers the administrative basics of running an organization.
Here's the practical takeaway: for each type of data you collect, you should be able to point to one of these bases and explain it in plain language. If you can't, you probably shouldn't be collecting that data.
Member Rights and How to Handle Requests
The GDPR gives individuals several specific rights regarding their personal data. When a member exercises one of these rights, you generally have one month to respond; for a genuinely complex request you can extend that by up to two further months, but only if you tell the person why within the first month. Here are the rights most relevant to community organizations:
Right of access. Any member can ask what personal data you hold about them. You need to provide a copy of their data along with information about why you have it, who you've shared it with, and how long you plan to keep it. That PTA president from the opening? She needed to search every spreadsheet, email list, payment system, and group chat to compile a complete response.
Right to rectification. Members can ask you to correct inaccurate data. If someone's phone number or address has changed, update it promptly.
Right to erasure (the "right to be forgotten"). Members can ask you to delete their personal data. You must comply unless you have a legal obligation to retain it (like financial records for tax purposes). When someone leaves your organization and asks to be removed, remove them from everything -- not just the active member list, but the old spreadsheets, the email archives, the event photos on your website.
Right to data portability. Members can ask for the data they gave you in a commonly used, machine-readable format (a CSV or JSON export is fine) so they can transfer it elsewhere. This right covers data you process on the basis of consent or contract and by automated means, which in practice means your membership and signup records rather than your meeting minutes.
Right to object. Members can object to specific uses of their data, particularly for direct marketing. If someone says "stop emailing me," that's not just a preference -- it's a legal right under the GDPR.
The most important thing is don't panic when you receive a request. Acknowledge it promptly, verify the person's identity, gather the requested information, and respond within the one-month deadline. Document everything. Most requests from community members are straightforward -- they just want to know what you have or want to be removed from a list.
Practical Compliance Steps
You don't need a law degree or a five-figure budget to comply with data privacy regulations. Here's a practical roadmap:
Step 1: Conduct a data audit. List every type of personal data your organization holds, where it's stored, who has access to it, and what it's used for. This is usually eye-opening. Most organizations discover data in places they'd forgotten about -- an old treasurer's personal laptop, a former leader's Dropbox, a deactivated email account that still has years of correspondence.
Step 2: Write a privacy notice. This doesn't need to be a 20-page legal document. A clear, one-page notice should explain: what data you collect, why you collect it, the legal basis for processing, who you share it with, how long you keep it, and how members can exercise their rights. Post it on your website, include it in your membership forms, and make it easy to find. Use plain language, not legal jargon. Say "we keep your email address so we can send you event updates" instead of "personal data is processed for the purposes of legitimate organizational communications."
Step 3: Fix your consent mechanisms. Review every place you collect data -- signup forms, event registrations, newsletter subscriptions, website contact forms. Make sure each one has a clear, affirmative consent mechanism where applicable. Add an unsubscribe option to every marketing email. Stop adding people to lists they didn't ask to join.
Step 4: Establish a retention policy. Decide how long you'll keep each type of data and stick to it. A reasonable approach: active member data stays as long as they're members. Financial records stay as long as legally required (often 6-7 years for tax purposes). Event registration data gets deleted within a few months after the event. Data from former members gets deleted within a reasonable period after they leave, unless they've consented to stay in touch. The key principle is don't keep data "just in case."
Step 5: Implement access controls. Not everyone in your organization needs access to all member data. The events coordinator needs the events email list, not the full member directory with financial details. Limit access based on roles, and immediately revoke access when someone leaves a leadership position. That former treasurer from four years ago should not still have access to your membership database.
Step 6: Prepare for data subject requests. Designate one person (and a backup) who handles privacy-related requests. Create a simple process: receive request, verify identity, gather data, respond within one month, document everything. Having this in place before someone asks means you won't be scrambling.
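The steps above (the data audit in Step 1, the retention policy in Step 4, the request process in Step 6) and the member rights described earlier come down to a few operations over an inventory of where each person's data lives. The script below is an added example written for this article; it is not code from the article or from the Communify product, and the record layout, the retention periods in RETENTION_DAYS, the legal-hold rule for payment records, the sample records and the example dates are all assumptions chosen to illustrate the text. It runs a retention sweep, answers an access request as a portable structure, handles an erasure request without discarding financial records still under legal retention, and computes the one-month response deadline.

```python
"""Retention sweep and data-subject requests over a small member-data inventory.

Added example for the steps in the article; not the article's own code or
the Communify product. RETENTION_DAYS, LEGAL_HOLD, the Record layout, the
SAMPLE records and the dates TODAY / RECEIVED are assumptions for illustration.
"""
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Retention period in days, counted from the date the record stops being
# current (membership end, event date, payment date). Assumed values that
# follow the rough guidance in the text.
RETENTION_DAYS = {
    "member": 180,             # former members: delete after a grace period
    "event_registration": 90,  # event data: a few months after the event
    "payment": 7 * 365,        # financial records: legal/tax retention
}
# Record kinds that survive an erasure request while still in retention.
LEGAL_HOLD = {"payment": "legal obligation: financial records kept for tax purposes"}

TODAY = date(2025, 9, 1)       # assumed date of the retention sweep
RECEIVED = date(2025, 1, 31)   # assumed date an access request arrived


@dataclass
class Record:
    system: str           # where it lives: spreadsheet, payment processor, form tool
    kind: str             # key of RETENTION_DAYS
    subject: str          # email address used as the person identifier
    data: dict
    purpose: str          # plain-language reason, as the privacy notice would state it
    ends: Optional[date] = None  # None = still current; otherwise retention counts from here


def retention_end(rec):
    """Date after which the record should no longer exist, or None while current."""
    if rec.ends is None:
        return None
    return rec.ends + timedelta(days=RETENTION_DAYS[rec.kind])


def retention_sweep(records, today):
    """Step 4: split records into (kept, to_delete) by the retention policy."""
    kept, to_delete = [], []
    for rec in records:
        end = retention_end(rec)
        (to_delete if end is not None and today > end else kept).append(rec)
    return kept, to_delete


def access_request(records, subject):
    """Right of access / portability: everything held on one person, with
    source system, purpose and retention date, in a machine-readable form."""
    out = []
    for r in records:
        if r.subject != subject:
            continue
        end = retention_end(r)
        out.append({"system": r.system, "kind": r.kind, "purpose": r.purpose,
                    "data": r.data,
                    "retained_until": end.isoformat() if end else "while membership is active"})
    return out


def erasure_request(records, subject):
    """Right to erasure: remove the person from every system except records
    under a legal hold, which are reported back with the reason for keeping them."""
    remaining, erased, held = [], [], []
    for r in records:
        if r.subject != subject:
            remaining.append(r)
        elif r.kind in LEGAL_HOLD:
            remaining.append(r)
            held.append((r.system, LEGAL_HOLD[r.kind]))
        else:
            erased.append(r)
    return remaining, erased, held


def response_deadline(received):
    """One month from receipt: same day next month, or that month's last day."""
    year = received.year + (received.month == 12)
    month = received.month % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(received.day, last_day))


# Constructed sample inventory: the kind of scattered systems the article lists.
SAMPLE = [
    Record("members.xlsx", "member", "alice@example.org",
           {"name": "Alice", "phone": "555-0101"}, "manage your membership"),
    Record("members.xlsx", "member", "bob@example.org",
           {"name": "Bob", "phone": "555-0102"}, "manage your membership", ends=date(2025, 1, 15)),
    Record("bake-sale-form", "event_registration", "alice@example.org",
           {"dietary": "vegan"}, "cater the bake sale", ends=date(2025, 6, 1)),
    Record("bake-sale-form", "event_registration", "bob@example.org",
           {"dietary": "none"}, "cater the autumn social", ends=date(2024, 10, 12)),
    Record("paypal", "payment", "bob@example.org",
           {"amount": 25.0, "item": "dues"}, "record your dues payment", ends=date(2024, 9, 1)),
    Record("paypal", "payment", "alice@example.org",
           {"amount": 25.0, "item": "dues"}, "record your dues payment", ends=date(2025, 3, 1)),
]

if __name__ == "__main__":
    kept, gone = retention_sweep(SAMPLE, TODAY)
    print(f"sweep on {TODAY}: keep {len(kept)}, delete {len(gone)}")
    for r in gone:
        print("  delete", r.system, r.kind, r.subject, "expired", retention_end(r))
    remaining, erased, held = erasure_request(SAMPLE, "bob@example.org")
    print("erasure for Bob: erased", len(erased), "records; held:", held)
    print("access request received", RECEIVED, "-> respond by", response_deadline(RECEIVED))
    for entry in access_request(SAMPLE, "alice@example.org"):
        print(" ", entry)
```

Run it as a script to see the sweep on the sample data: Bob's membership ended in January and his event signup is a year old, so both are deleted, while both PayPal records stay because their seven-year retention has not run. The erasure request for Bob removes him from the spreadsheet and the form tool but keeps the payment record and reports why, which is the answer you send him. The deadline function shows why the "one month" rule needs care: a request received on 31 January is due on 28 February.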
When Things Go Wrong: Data Breach Response
A data breach under the GDPR isn't just a hacker breaking into your systems. It's any unauthorized access, loss, or disclosure of personal data. That includes a volunteer losing a laptop with member information on it, accidentally sending an email to the wrong person with someone's private details, or leaving a printed member directory at a coffee shop.
If a breach occurs, the GDPR requires you to notify your supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights. If the breach poses a high risk to the affected individuals, you must also notify them directly.
A German football club was fined 300,000 euros by its regional data protection authority for failing to document how member data was handled and passed to service providers. That's not a tech company. That's a sports club. The GDPR's ceiling is 20 million euros or 4% of worldwide annual turnover, whichever is higher, and regulators scale actual fines to the organization's size and the seriousness of the failure, but the penalties are real, even for community organizations.
Your breach response plan should be simple: (1) contain the breach immediately -- change passwords, revoke access, secure the data; (2) assess what data was affected and how many people are impacted; (3) notify the supervisory authority within 72 hours if required; (4) notify affected individuals if there's a high risk to their rights; (5) document everything and review what went wrong. Keep a written record of every breach, including the ones you decide not to report and the reasoning behind that decision; the GDPR requires that record, and it is what a regulator will ask for first.
The US Privacy Landscape
If your organization operates exclusively in the United States, you might think GDPR doesn't apply to you. And you might be right -- if you truly have no members, donors, or website visitors from the EU. But the broader trend is unmistakable: US privacy law is rapidly catching up.
The California Consumer Privacy Act (CCPA), as expanded by the CPRA amendments, gives California residents many of the same rights as the GDPR -- access, deletion, opt-out of data sales. While the CCPA currently exempts most nonprofits, that exemption is narrower than you might think, and several states have written their laws without it.
Colorado, Delaware, Maryland, Minnesota, New Jersey, and Oregon have passed privacy laws that do not exempt nonprofits from their requirements. As of 2026, twenty US states have comprehensive privacy legislation, and the trend is clearly toward broader coverage and fewer exemptions.
The practical implication: even if you're a small US community organization, building privacy-respecting practices now will prepare you for regulations that are almost certainly coming your way. And beyond legal compliance, it's simply the right thing to do for your members.
Building a Privacy-First Culture
Compliance is important, but culture is what makes privacy protection sustainable. You need your entire leadership team and volunteer base to understand that member data is a responsibility, not just a resource.
Talk about it openly. Add a brief data privacy item to your board meeting agendas. When you onboard new volunteers who will handle member information, include a five-minute privacy briefing. Normalize the conversation.
Make the right thing easy. If your organization uses a proper management platform with built-in privacy controls, volunteers don't need to think about compliance -- it happens automatically. If you're still managing members through personal email accounts and shared spreadsheets, even the most privacy-conscious volunteer will make mistakes.
Review annually. Privacy isn't a one-time project. Once a year, revisit your data audit, review your privacy notice, check that access controls are current, and delete data you no longer need. Put it on the calendar right alongside your annual budget review.
Respond to requests gracefully. When a member asks about their data or requests deletion, treat it as a sign of an engaged, informed community -- not as an inconvenience. A prompt, friendly response builds trust. A defensive or dismissive one erodes it.
That PTA president from the beginning of this article? She spent a stressful weekend tracking down member data across seven different systems, wrote a hasty response, and then spent the next month properly organizing their data practices. She told me later that the whole experience was actually a blessing in disguise. "We had no idea how much unnecessary data we were sitting on," she said. "Cleaning it up made us a better-run organization."
Data privacy isn't about bureaucracy or fear of fines. It's about respecting the people who trust you with their personal information. And for community organizations built on trust, that should be the easiest principle to embrace.
Communify has GDPR compliance built in -- consent management, data export, member access controls, and retention policies that work automatically. Protect your members' privacy without becoming a legal expert. Join the free beta and manage data responsibly.