Hello, I am a board member of a small nonprofit organization. We currently store our membership data in a Google sheet on Google Drive, which is accessible only to board members. However, concerns have arisen regarding the safety and legality of this arrangement under the GDPR laws, as we are based in Sweden. I would greatly appreciate hearing your opinions on this matter.
Additionally, I would like to explore alternative options that are cost-effective, considering our limited financial resources.
I’m not a privacy expert nor am I much of a user of Google’s services, so consider those things when reading further :).
If you’re concerned with regulatory compliance, my best advice is to strongly encourage you to consult with someone who is well versed in the use of services like Google Cloud for (preferably Swedish, definitely European) nonprofit organizations. Given your nonprofit status and (presumably) limited needs, you may be able to get someone to consult on this for very little or no fee.
If I were you, I’d reach out to board members of similar organizations to find out if they can point you in the right direction. If you have a government privacy office, they may have guidance for you as well.
Thank you so much for your recommendations and resources. Yes, I believe we need to consult an expert on this matter. The GDPR law is quite challenging. However, I will review the pages you suggested and assess our options and see where we end up. Thank you and best regards, Per.
The above is a link to the Data Protection authority in Sweden. I can’t speak or read Swedish, but I’d recommend looking on the website to see if they have any guidance for charities. Certain organisations can be exempt from GDPR due to their operating model. Your authority (unlike the one in the UK) may be willing to advise you directly via phone or email.
Also be careful who you get advice from. Anyone who declares themselves a GDPR expert should be treated cautiously. If you know a friendly lawyer, they may be able to point you in the right direction.
Beyond any of this, of course, security best practice is always good. Maybe have a look at the Cyber Essentials NCSC for advice on how to improve your cyber security within the organisation.