A revolution in the handling of online personal data will arrive on May 25, 2018. And almost everyone, from big firms and small firms to nonprofits and individuals, will be caught up in it.

KnowHow Nonprofit has posted an excellent guidance document for nonprofits trying to navigate the new rules.

More than five years ago, the European Commission set out to reform the way online personal data was collected and stored. The result is the General Data Protection Regulation (GDPR), approved in April 2016. The GDPR gives ordinary people vastly more control over how their personal data is handled and analyzed by organizations.

If your organization has donors, mailing list subscribers or simply website visitors from the European Union, you may have to alter your behavior when it comes to their personal data.

A Fortune report explains:

GDPR will codify data protection rules for all companies that collect data from EU citizens while greatly expanding individuals’ control over how and when their personal data is collected and used. And while the regulation is EU-based, it has global reach and implications. If even a single EU citizen visits the website of a company based anywhere in the world and data is collected on that individual, that company must comply with GDPR or risk severe penalization.

But it would be a mistake to think that the impact of GDPR is limited to the tech titans. In the U.S. especially, where many companies are built on their ability to capture, sell, or leverage data to target individuals, the new regulations—which grant individuals the right to have their information deleted from databases under various circumstances—will force businesses of all sizes and kinds to dramatically rethink their data practices.

Companies that don’t comply face potential penalties of up to 4% of their annual global revenue or €20 million, whichever is higher. And with member nations ramping up their enforcement capabilities as we speak (the United Kingdom alone is hiring 200 enforcement staff), it is becoming clear that all companies, not just the industry giants, could be targeted.

Chief among the biggest changes that the GDPR introduces is the enhancement of individual control over personal data. Consumers now have to be told without undue delay if their personal information has been hacked.

Your mailing list subscribers should also be given the option of an easy way to unsubscribe — although if your organization follows email marketing best practices, you likely comply with this already.

Individuals also have the right to demand a copy of their data stored on a company’s servers, and the ability to move that data from one company to another if they want to transfer to a different service provider. Consent forms should now also be worded in simple terms. There must also be an easy way to reverse that consent if needed.

Martechtoday.com clarifies:

In order to be GDPR-compliant, a company must not only handle consumer data carefully but also provide consumers with myriad ways to control, monitor, check and, if desired, delete any information pertaining to them that they want.

Companies that wish to stay in compliance must implement processes (and in many cases, add personnel) to ensure that when data is handled, it remains protected. To comply with this requirement, GDPR promotes pseudonymization, anonymization and encryption.

Anonymization is the encryption or removal of identifiable information so that it can never be tied back to a user. Pseudonymization is somewhere between identified and anonymous. With pseudonymization, the data components are anonymized and separated but can be put back together. For example, a system might assign a user one identifier for location and another for browser that can only be tied back to the user if it is put together with their date of birth, which is kept separately. The regulation promotes pseudonymization over anonymization.
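To make the distinction in the quoted passage concrete, here is an added example (not code from the original post or from Martechtoday) showing one common way a small organization might implement the two approaches over a donor list. The record fields and the "vault" that holds the pseudonym mapping are constructed for illustration; the approach assumed is HMAC-SHA256 keyed tokens for pseudonymization and irreversible field removal and coarsening for anonymization.

```python
"""Anonymization removes identifying detail irreversibly; pseudonymization
replaces it with tokens that only the holder of a separately stored secret
(the key and the mapping 'vault') can tie back to a person.

Added example: record fields and the vault are constructed for illustration
and are not taken from the regulation or from any organization's system."""
import hashlib
import hmac
import secrets

# Constructed sample donor records (fictional people).
RECORDS = [
    {"name": "Ada Example", "email": "ada@example.org",
     "dob": "1984-03-09", "postcode": "EC1A 1BB", "donation_eur": 50},
    {"name": "Bo Sample", "email": "bo@example.net",
     "dob": "1991-11-30", "postcode": "10115", "donation_eur": 20},
]

DIRECT_IDENTIFIERS = ("name", "email")


def anonymize(record):
    """Irreversible: drop direct identifiers and coarsen quasi-identifiers
    (full date of birth -> birth year, full postcode -> first 3 chars).
    Nothing in the output can be mapped back to the donor."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["birth_year"] = int(out.pop("dob")[:4])
    out["postcode_area"] = out.pop("postcode")[:3]
    return out


def make_token(value, key):
    """HMAC-SHA256 of an identifier under a secret key. Without the key a
    token cannot be tied back to the identifier; with the same key the same
    identifier always yields the same token, so records remain linkable."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize(record, key, vault):
    """Replace direct identifiers with a token and store the token-to-identity
    mapping in a 'vault' (a dict here) kept separately from the working data."""
    token = make_token(record["email"].lower(), key)
    vault[token] = {k: record[k] for k in DIRECT_IDENTIFIERS}
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject_id"] = token
    return out


def reidentify(pseudo_record, vault):
    """Only the vault holder can reverse a pseudonym, e.g. to answer a
    subject-access request. Unknown tokens return None."""
    return vault.get(pseudo_record["subject_id"])


def erase_subject(email, key, vault):
    """Right to erasure: deleting the vault entry leaves that person's
    remaining pseudonymous records unlinkable to them. Returns True if an
    entry was removed."""
    return vault.pop(make_token(email.lower(), key), None) is not None


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # kept separately from the records
    vault = {}
    pseudo = [pseudonymize(r, key, vault) for r in RECORDS]
    anon = [anonymize(r) for r in RECORDS]
    print("pseudonymized:", pseudo[0])
    print("re-identified:", reidentify(pseudo[0], vault))
    print("anonymized:   ", anon[0])
```

The design point is the separation: the working data set holds only tokens, while the key and the vault sit elsewhere with tighter access controls. Losing the working set alone exposes no identities, and deleting one vault entry satisfies an erasure request without rewriting every downstream record.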

Nonprofit organizations are not exempted from the GDPR. “Failure to comply with the new law can lead to adverse publicity, potentially leading to reputational damage and lost trust of donors, grantors, members, and others,” according to The NonProfit Times.