Hello, I am a board member of a small nonprofit organization. We currently store our membership data in a Google sheet on Google Drive, which is accessible only to board members. However, concerns have arisen regarding the safety and legality of this arrangement under the GDPR laws, as we are based in Sweden. I would greatly appreciate hearing your opinions on this matter.
Additionally, I would like to explore alternative options that are cost-effective, considering our limited financial resources.
Thank you for your assistance.
I’m not a privacy expert nor am I much of a user of Google’s services, so consider those things when reading further :).
If you’re concerned with regulatory compliance, my best advice is to strongly encourage you to consult with someone who is well versed in the use of services like Google Cloud for (preferably Swedish, definitely European) nonprofit organizations. Given your nonprofit status and (presumably) limited needs, you may be able to get someone to consult on this for very little or no fee.
If I were you, I’d reach out to board members of similar organizations to find out if they can point you in the right direction. If you have a government privacy office, they may have guidance for you as well.
I would whole-heartedly agree with @ACautionaryTale.
GDPR compliance is essential, but given your status I am sure you will be able to get specialist advice.
In the meantime you might find this useful. GDPR & Google Workspace: How to stay compliant with GDPR - Measured Collective
Perhaps this might answer some of your questions.
Cloud Compliance - Regulations & Certifications - Sweden | Google Cloud
Cloud Compliance & Regulations Resources | Google Cloud
Thank you so much for your recommendations and resources. Yes, I believe we need to consult an expert on this matter. The GDPR law is quite challenging. However, I will review the pages you suggested, assess our options, and see where we end up. Thank you and best regards, Per.
The above is a link to the Data Protection authority in Sweden. I can’t speak or read Swedish, but I’d recommend looking on the website if they have any guidance for charities. Certain organisations can be exempt from GDPR due to their operating model. Your authority (unlike the one in the UK) may be willing to advise you directly via phone or email.
In the UK (also under GDPR), certain non-profits are exempt from having to register with a supervisory authority: https://ico.org.uk/media/for-organisations/documents/1567/exemption-from-registration-for-not-for-profit-organisations.pdf This guidance obviously doesn’t apply to you in Sweden, but may be comparable.
Also be careful who you get advice from. Anyone who declares themselves a GDPR expert should be treated cautiously. If you know a friendly lawyer, they may be able to point you in the right direction.
Beyond any of this, of course, security best practice is always good. Maybe have a look at Cyber Essentials (NCSC) for advice on how to improve your cyber security within the organisation.