Blackbaud Data Breach: Do You Need to Notify Affected Individuals or EU Data Protection Authorities? – Lexology
On July 16, 2020, Blackbaud, a U.S. based cloud computing provider and one of the worlds largest providers of education administration, fundraising, and financial management software, notified users of its services that it had suffered a ransomware attack in May 2020 in relation to personal data stored on their servers. Numerous colleges, universities, foundations, and other non-profits across the U.K., U.S. and Canada were affected.
Blackbauds handling of the attack has raised some questions. Blackbaud has confirmed in a statement on its website that they paid the cyber-criminals ransom demand in return for confirmation that the stolen data had been destroyed. Paying ransom demands is not unlawful, but it goes against the official advice issued by many law enforcement agencies, including the FBI. In addition, Blackbaud has faced criticism for taking many weeks to inform its customers of the breach.
Much of the affected data was of a nature that would not trigger notice requirements in the United States, because the elements that constitute sensitive data in the U.S. (such as usernames, passwords and social security numbers) were encrypted. However, there are a handful of states (notably Washington and North Dakota) that have notification statutes requiring notice to affected individuals if other kinds of information is accessed, such as names together with dates of birth, and was the case for many of Blackbauds customers.
The bigger issue, however, is for those U.S.-based entities who actively target individuals in the European Union. For example, many colleges and universities in the United States actively recruit prospective students or donors in the European Union. These types of recruitment activities are likely to bring them in scope of the EUs General Data Protection Regulation (GDPR).
The GDPR is a far-reaching piece of European legislation which applies to organizations outside the EU and includes draconian financial sanctions for non-compliance. Moreover, the standard for notification to individuals and data protection authorities in the EU is much lower than in most U.S. states. The GDPR requires that data breaches are reported to European data protection supervisory authorities unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. This requires the affected institution to perform a thorough, documented risk assessment in each case.
Larger institutions may have already analyzed the need to comply with the GDPR and will therefore be aware that, if they are in scope of the GDPR, they may be required to report the breach both to the individuals concerned and to the relevant data protection supervisory authority in the EU. However, many smaller institutions may not have performed that analysis. This situation may find them needing to report the breach, but in doing so perhaps also alerting the data protection authorities to the fact that they may be subject to GDPR and may not be compliant in other ways. For instance, the GDPR requires specific contractual terms (including terms relating to the handling of data breaches) to be in place between customers and vendors where vendors process personal data on behalf of the customer.
The attack on Blackbaud is a major data breach. It may serve as a catalyst for U.S. non-profits to take a longer look at the GDPR and analyze their own need to comply.
Affected organizations both in and outside the EU should be working to determine what data has been compromised and whether they need to notify the local supervisory authority. The breach should also prompt all organizations to review any vendor contracts where personal data is involved, with a particular focus on ensuring that (a) the responsibility for data breach falls on the vendor and (b) strict notification timescales are imposed on the vendor (with the aim of preventing the lengthy delay in informing customers that has occurred in the Blackbaud case). Organizations that are subject to GDPR should also ensure that they implement GDPR-compliant vendor contracts.
See more here:
Blackbaud Data Breach: Do You Need to Notify Affected Individuals or EU Data Protection Authorities? - Lexology
- The European Union is fully introducing the EES System - Sarajevo Times - April 10th, 2026 [April 10th, 2026]
- European Union Micro Ultrasound Systems Market 2026 Analysis and Forecast to 2035 - IndexBox - April 10th, 2026 [April 10th, 2026]
- The US ambassador to the European Union, Andrew Puzder, said the bloc's push for tech sovereignty should not focus on making others 'less competitive'... - April 10th, 2026 [April 10th, 2026]
- Interview of the Ambassador of the European Union to Albania, Silvio Gonzato, for Euronews - EEAS - April 10th, 2026 [April 10th, 2026]
- Donald Trump Jr. criticizes the European Union during a trip to Bosnia - KSAT - April 10th, 2026 [April 10th, 2026]
- European Union Non-Contact Forehead Thermometers Market 2026 Analysis and Forecast to 2035 - IndexBox - April 10th, 2026 [April 10th, 2026]
- European Union Chest Drainage Catheters And Units Market 2026 Analysis and Forecast to 2035 - IndexBox - April 10th, 2026 [April 10th, 2026]
- European Union Fixed Curve Diagnostic Catheters Market 2026 Analysis and Forecast to 2035 - IndexBox - April 10th, 2026 [April 10th, 2026]
- European Union Intracranial Stenosis Stents Market 2026 Analysis and Forecast to 2035 - IndexBox - April 10th, 2026 [April 10th, 2026]
- The weak point: Why pharmaceutical security belongs at the heart of European defence - European Union Institute for Security Studies | - April 10th, 2026 [April 10th, 2026]
- BD Delivers NextGeneration TIPS Innovation to Advance Portal Hypertension Care Across the European Union - PR Newswire - April 8th, 2026 [April 8th, 2026]
- European Union Struts Implants Market 2026 Analysis and Forecast to 2035 - IndexBox - April 8th, 2026 [April 8th, 2026]
- European Union Intravascular Stents Market 2026 Analysis and Forecast to 2035 - IndexBox - April 8th, 2026 [April 8th, 2026]
- European Union Cardiac Catheters Guidewires Market 2026 Analysis and Forecast to 2035 - IndexBox - April 8th, 2026 [April 8th, 2026]
- Donald Trump Jr. criticizes the European Union during a trip to Bosnia - Yahoo - April 8th, 2026 [April 8th, 2026]
- Donald Trump Jr. criticizes the European Union during a trip to Bosnia - AP News - April 8th, 2026 [April 8th, 2026]
- UK Joins United States, Canada, Australia, European Union and India for ETA Fee Increase and Rising Travel Costs Alert : Everything You Need To Know... - April 8th, 2026 [April 8th, 2026]
- Hungarys Orbn has long annoyed the European Union. Now some hope he faces defeat - AP News - April 7th, 2026 [April 7th, 2026]
- Hungarys Orbn has long annoyed the European Union. Now some hope he faces defeat - Los Angeles Times - April 7th, 2026 [April 7th, 2026]
- Canada in the European Union? Poll suggests broad openness to the idea - Yahoo! Finance Canada - April 7th, 2026 [April 7th, 2026]
- Armenia And Former Soviet Republics To Choose Between European Union And EAEU/Eurasia Union Analysis - Eurasia Review - April 7th, 2026 [April 7th, 2026]
- Fmc Secures Approval For Isoflex Active In The European Union, Addressing A Critical Gap In The European Herbicide Market - TradingView - April 7th, 2026 [April 7th, 2026]
- The European Union has begun to prepare for the crisis and austerity - - - April 7th, 2026 [April 7th, 2026]
- Israel: Statement by the High Representative on behalf of the European Union on the approval of the Death Penalty Bill by the Israeli Parliament -... - April 7th, 2026 [April 7th, 2026]
- Canada in the European Union? Poll suggests broad openness to the idea - CTV News - April 7th, 2026 [April 7th, 2026]
- Will Canada find its future with the European Union? - Winnipeg Sun - April 7th, 2026 [April 7th, 2026]
- European Union Cell-Culture Matrix Products Market 2026 Analysis and Forecast to 2035 - IndexBox - April 7th, 2026 [April 7th, 2026]
- Canada in the European Union? Poll suggests broad openness to the idea - Toronto Star - April 7th, 2026 [April 7th, 2026]
- Turkey Joins European Union and United States to Boost Economic Resilience with a Credit Guarantee, Aimed at Supporting Tourism and Exports Amid... - April 7th, 2026 [April 7th, 2026]
- Canada in the European Union? Poll suggests broad openness to the idea - Winnipeg Sun - April 7th, 2026 [April 7th, 2026]
- Canada in the European Union? Poll suggests broad openness to the idea - The Spec - April 7th, 2026 [April 7th, 2026]
- The European Union and Australia sign a Security and Defence Partnership - EEAS - March 24th, 2026 [March 24th, 2026]
- The European Union is facing its biggest espionage scandal since the Cold War - Atalayar - March 24th, 2026 [March 24th, 2026]
- EU Inc. making business easier in the European Union - European Commission - March 24th, 2026 [March 24th, 2026]
- European Union Pavilion Showcasing Excellence of EU Food and Beverages at FHA 2026 - Caledonian Record - March 24th, 2026 [March 24th, 2026]
- European Union and Australia agree on text of free trade pact and announce a new defense partnership - Ottumwa Courier - March 24th, 2026 [March 24th, 2026]
- European Union and Australia agree on text of free trade pact and announce a new defense partnership - Caledonian Record - March 24th, 2026 [March 24th, 2026]
- European Union and Australia agree on text of free trade pact and announce a new defense partnership - Richmond Register - March 24th, 2026 [March 24th, 2026]
- Australia, European Union agree sweeping new trade pact 8 years in the works - Dawn - March 24th, 2026 [March 24th, 2026]
- European companies tell European Union what American tech companies have been trying to: We are not truly - The Times of India - March 17th, 2026 [March 17th, 2026]
- The Delegation of the European Union to Trkiye and the Embassy of Sweden Focus on Care Policies and Womens Economic Participation - EEAS - March 17th, 2026 [March 17th, 2026]
- European Union wants Strait of Hormuz open, but some members vow not to join Iran war - whas11.com - March 17th, 2026 [March 17th, 2026]
- The European Union is interested in intelligent border management of the South Caucasus together with Azerbaijan - Aze.Media - March 17th, 2026 [March 17th, 2026]
- The European Union is interested in intelligent border management of the South Caucasus together with Azerbaijan - EU Reporter - March 17th, 2026 [March 17th, 2026]
- France's ecological transition minister Monique Barbut said the European Union should take a firmer stance against climate inaction and favour a 'more... - March 17th, 2026 [March 17th, 2026]
- The European Union will always be a reliable partner, a defender of the rules-based international order, and upholder of the United Nations Charter.... - March 13th, 2026 [March 13th, 2026]
- How close is Ukraine from joining the European Union? - EU NEIGHBOURS east - March 13th, 2026 [March 13th, 2026]
- European Union to begin negotiations on simplifying fisheries statistics - SeafoodSource - March 13th, 2026 [March 13th, 2026]
- The Union, the Star and the Eagle: EU-NATO cooperation under Trump 2.0 - European Union Institute for Security Studies | - March 13th, 2026 [March 13th, 2026]
- The Singular Threat of Lone Actors in the European Union - Small Wars Journal - March 13th, 2026 [March 13th, 2026]
- 'European Union needs a bit of a revolution: There is no European strategy or foreign policy' - France 24 - March 13th, 2026 [March 13th, 2026]
- Opinion: Pashinyan is right Armenias path to the European Union will become harder if Georgia remains in its current state - JAMnews - March 13th, 2026 [March 13th, 2026]
- DroneShield to make C-UAS systems in the European Union - Unmanned airspace - March 13th, 2026 [March 13th, 2026]
- Russia very likely to pre-emptively terminate gas sales to European Union ahead of Brussels ban, exploiting energy crisis caused by Iran conflict -... - March 13th, 2026 [March 13th, 2026]
- Council of Europe and European Union join forces to strengthen womens health and equality in sport - coe.int - March 7th, 2026 [March 7th, 2026]
- Beyond summits: The Africa-EU partnership as a priority - European Union Institute for Security Studies | - March 7th, 2026 [March 7th, 2026]
- How the European Union Supports the Fight Against Corruption in Ukraine - EEAS - March 7th, 2026 [March 7th, 2026]
- Iceland to Vote in August on Talks With European Union - Bloomberg.com - March 7th, 2026 [March 7th, 2026]
- Anticipatory effects of corporate tax shaming: evidence from the European Union - IFS | Institute for Fiscal Studies - March 7th, 2026 [March 7th, 2026]
- European Union's Spades and Shovels Market Forecast Shows Steady Growth With a 19% Volume CAGR - IndexBox - February 20th, 2026 [February 20th, 2026]
- European Union's Argon Market Forecast to Expand With a +1.6% CAGR Through 2035 - IndexBox - February 20th, 2026 [February 20th, 2026]
- European Union's Anchovy Market Forecasts Steady Growth With 04% Volume CAGR Through 2035 - IndexBox - February 20th, 2026 [February 20th, 2026]
- European Union's Vegetable Tanning Extracts Market Set for Modest Growth to 63K Tons and $282M - IndexBox - February 20th, 2026 [February 20th, 2026]
- European Union's Expanded Metal Market to Reach 185K Tons and $581M by 2035 - IndexBox - February 20th, 2026 [February 20th, 2026]
- Stop Killing Games is launching NGOs in the European Union and the US: 'We're not just going away on this' - PC Gamer - February 20th, 2026 [February 20th, 2026]
- The European Union and Nigeria launch first Peace, Security and Defence Dialogue and agree to enhance collaboration - EEAS - February 20th, 2026 [February 20th, 2026]
- European Union's Thiocarbamates and Methionine Market Set to Reach 378K Tons and $1.4 Billion - IndexBox - February 20th, 2026 [February 20th, 2026]
- European Union's Acyclic Amides Market to Expand With 2.7% CAGR Through 2035 - IndexBox - February 20th, 2026 [February 20th, 2026]
- European Union's Non-Kaolinitic Clays Market Set to Reach 58 Million Tons and $11.1 Billion by 2035 - IndexBox - February 20th, 2026 [February 20th, 2026]
- Serbia on a Sharpening Geopolitical Edge Between Russia and the European Union - Clingendael - February 16th, 2026 [February 16th, 2026]
- European Union to send observer to Trumps Board of Peace meeting - Washington Times - February 16th, 2026 [February 16th, 2026]
- European Union's Metal Flexible Tubing Market Forecast to Expand at 1.5% CAGR Through 2035 - IndexBox - February 16th, 2026 [February 16th, 2026]
- European Union's Rigid Polymer Tubes and Pipes Market Forecast Shows Sluggish Volume Growth at 0.1% CAGR Amid Stronger Value Increase - IndexBox - February 16th, 2026 [February 16th, 2026]
- Council of European Union to formally adopt 90bn Ukraine loan package on 24 February - - February 16th, 2026 [February 16th, 2026]
- European Union's Centrifuge Market Set to Reach 262K Units and $3.9B in Value by 2035 - IndexBox - February 16th, 2026 [February 16th, 2026]
- European Union's Non-Malleable Cast Iron Market Poised for Steady Growth With 1.7% CAGR in Value - IndexBox - February 16th, 2026 [February 16th, 2026]
- Hungarian PM Viktor Orban has long been at loggerheads with the European Union on a number of issues - IslanderNews.com - February 16th, 2026 [February 16th, 2026]
- 19th meeting of the Stabilisation and Association Committee between the European Union and the Republic of North Macedonia - Enlargement and Eastern... - February 16th, 2026 [February 16th, 2026]
- ARMENIA - EUROPEAN UNION The Armenian alphabet in Strasbourg, an act of diplomacy and identity - AsiaNews - February 16th, 2026 [February 16th, 2026]
- European Union's not Roasted Malt Market Set for Steady Growth to 8.1 Million Tons and $5.5 Billion - IndexBox - February 1st, 2026 [February 1st, 2026]