Blackbaud Data Breach: Do You Need to Notify Affected Individuals or EU Data Protection Authorities? – Lexology
On July 16, 2020, Blackbaud, a U.S. based cloud computing provider and one of the worlds largest providers of education administration, fundraising, and financial management software, notified users of its services that it had suffered a ransomware attack in May 2020 in relation to personal data stored on their servers. Numerous colleges, universities, foundations, and other non-profits across the U.K., U.S. and Canada were affected.
Blackbauds handling of the attack has raised some questions. Blackbaud has confirmed in a statement on its website that they paid the cyber-criminals ransom demand in return for confirmation that the stolen data had been destroyed. Paying ransom demands is not unlawful, but it goes against the official advice issued by many law enforcement agencies, including the FBI. In addition, Blackbaud has faced criticism for taking many weeks to inform its customers of the breach.
Much of the affected data was of a nature that would not trigger notice requirements in the United States, because the elements that constitute sensitive data in the U.S. (such as usernames, passwords and social security numbers) were encrypted. However, there are a handful of states (notably Washington and North Dakota) that have notification statutes requiring notice to affected individuals if other kinds of information is accessed, such as names together with dates of birth, and was the case for many of Blackbauds customers.
The bigger issue, however, is for those U.S.-based entities who actively target individuals in the European Union. For example, many colleges and universities in the United States actively recruit prospective students or donors in the European Union. These types of recruitment activities are likely to bring them in scope of the EUs General Data Protection Regulation (GDPR).
The GDPR is a far-reaching piece of European legislation which applies to organizations outside the EU and includes draconian financial sanctions for non-compliance. Moreover, the standard for notification to individuals and data protection authorities in the EU is much lower than in most U.S. states. The GDPR requires that data breaches are reported to European data protection supervisory authorities unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. This requires the affected institution to perform a thorough, documented risk assessment in each case.
Larger institutions may have already analyzed the need to comply with the GDPR and will therefore be aware that, if they are in scope of the GDPR, they may be required to report the breach both to the individuals concerned and to the relevant data protection supervisory authority in the EU. However, many smaller institutions may not have performed that analysis. This situation may find them needing to report the breach, but in doing so perhaps also alerting the data protection authorities to the fact that they may be subject to GDPR and may not be compliant in other ways. For instance, the GDPR requires specific contractual terms (including terms relating to the handling of data breaches) to be in place between customers and vendors where vendors process personal data on behalf of the customer.
The attack on Blackbaud is a major data breach. It may serve as a catalyst for U.S. non-profits to take a longer look at the GDPR and analyze their own need to comply.
Affected organizations both in and outside the EU should be working to determine what data has been compromised and whether they need to notify the local supervisory authority. The breach should also prompt all organizations to review any vendor contracts where personal data is involved, with a particular focus on ensuring that (a) the responsibility for data breach falls on the vendor and (b) strict notification timescales are imposed on the vendor (with the aim of preventing the lengthy delay in informing customers that has occurred in the Blackbaud case). Organizations that are subject to GDPR should also ensure that they implement GDPR-compliant vendor contracts.
See more here:
Blackbaud Data Breach: Do You Need to Notify Affected Individuals or EU Data Protection Authorities? - Lexology
- European Union imports of cheap ecommerce parcels jump 26% in 2025 - Reuters - January 26th, 2026 [January 26th, 2026]
- European Union The Latest To Investigate Grok - Deadline - January 26th, 2026 [January 26th, 2026]
- Better regulation in the European Union needs a fresh start - Bruegel - January 26th, 2026 [January 26th, 2026]
- Living with friction: Three anchors of the EU-India partnership - European Union Institute for Security Studies | - January 26th, 2026 [January 26th, 2026]
- The European Union is launching an investigation into Elon Musks social media platform X and its AI chatbot feature Grok. - facebook.com - January 26th, 2026 [January 26th, 2026]
- European Union Gives Final Approval to Ban Imports of Russian Gas - jordannews.jo - January 26th, 2026 [January 26th, 2026]
- Goodbye to ketchup and mayonnaise packets in the European Union - Brussels imposes a historic change in bars and restaurants from August -... - January 26th, 2026 [January 26th, 2026]
- Canada and the European Union: Two New Wins for Chinese Exports in the West - CSIS | Center for Strategic and International Studies - January 24th, 2026 [January 24th, 2026]
- Special Tribunal for the Crime of Aggression against Ukraine: Council of Europe, European Union agree to set up advance team - Council of Europe - January 24th, 2026 [January 24th, 2026]
- European Union Allocates Nearly 20 Million to the WFP for Child Nutrition in Afghanistan - 8am.media - January 24th, 2026 [January 24th, 2026]
- DAWNZERA (donidalorsen) approved in the European Union for hereditary angioedema (HAE) - Business Wire - January 22nd, 2026 [January 22nd, 2026]
- The United States And The European Union: Allies Or Enemies? (SP500) - Seeking Alpha - January 22nd, 2026 [January 22nd, 2026]
- European Union puts US trade deal on hold over sovereignty concerns - Trkiye Today - January 22nd, 2026 [January 22nd, 2026]
- Should the European Union begin peace talks with Moscow? - monocle.com - January 14th, 2026 [January 14th, 2026]
- Mercosur and the European Union move forward toward a free trade agreement - BNamericas - January 14th, 2026 [January 14th, 2026]
- Agreement with the European Union could increase investments in Mercosur - BNamericas - January 14th, 2026 [January 14th, 2026]
- European Union's Toilet and Tissue Paper Market Set for Steady Growth With 0.7% Volume CAGR Through 2035 - IndexBox - January 14th, 2026 [January 14th, 2026]
- European Union's Sugary Soft Drink Market Set to Reach 40 Billion Litres and $46.7 Billion in Value - IndexBox - January 14th, 2026 [January 14th, 2026]
- The European Union agreed to a sweeping trade pact with four South American countries that would create one of the largest free-trade zones in the... - January 9th, 2026 [January 9th, 2026]
- MUFG to establish a universal bank in the European Union - Securities Finance Times - January 9th, 2026 [January 9th, 2026]
- Speech by President Antnio Costa at the opening ceremony of the Cyprus Presidency of the Council of the European Union - consilium.europa.eu - January 9th, 2026 [January 9th, 2026]
- European Union: EU institutions give businesses the gift of legal certainty on sustainability rules - Global Compliance News - January 9th, 2026 [January 9th, 2026]
- European Union may soon have good news for Google, Meta, Netflix, Microsoft, Amazon and other tech firms - The Times of India - January 9th, 2026 [January 9th, 2026]
- Spain marks 40 years in the European Union - Sur in English - January 9th, 2026 [January 9th, 2026]
- The European Commission gathers material on AI content on TikTok concerning Polands membership in the European Union - European Newsroom - January 6th, 2026 [January 6th, 2026]
- How Spain and Portugal have changed in 40 years in the European Union - Euronews.com - January 4th, 2026 [January 4th, 2026]
- Neither Venezuela, nor Colombia, nor Cuba: The US points to its next target, which belongs to a European Union country - MARCA - January 4th, 2026 [January 4th, 2026]
- European Union's X-Ray Tube Market Poised for Steady Growth With 1.6% CAGR in Value - IndexBox - January 4th, 2026 [January 4th, 2026]
- Be like Poland energetic, brave, and safe: Tusk advises the European Union - - January 4th, 2026 [January 4th, 2026]
- European Union's Ferro-Manganese Market to Reach $74.5 Billion by 2035 on a 3% CAGR Value Growth - IndexBox - January 4th, 2026 [January 4th, 2026]
- Exams in the European Union: A Comprehensive Guide - The Good Men Project - January 4th, 2026 [January 4th, 2026]
- Sanctioning Fever: The United States, European Union and Free Speech - CounterPunch.org - December 31st, 2025 [December 31st, 2025]
- Global Regulatory Progress of NMN in the United States, Australia and European Union - CIRS Group - December 31st, 2025 [December 31st, 2025]
- Western Balkans And European Union: Group Enlargement As Strategic Response To Crisis Of Credibility And Geopolitical Uncertainty Analysis - Eurasia... - December 31st, 2025 [December 31st, 2025]
- A Lifeline in Crisis: European Union and UNFPA Deliver Essential Health and Protection to Yemens Women and Girls - ReliefWeb - December 31st, 2025 [December 31st, 2025]
- Montenegro: European Union to invest 175 million to upgrade Bar-Golubovci railway line - The European Sting - December 31st, 2025 [December 31st, 2025]
- European Union's Industrial Sewing Machine Market Poised for Steady Growth With 3.2% CAGR in Value - IndexBox - December 31st, 2025 [December 31st, 2025]
- Navigating EU (European Union) and FDA (Food and Drug Administration) Regulations for Drug/Device and Device/Drug Combination Products Training Course... - December 27th, 2025 [December 27th, 2025]
- European Union and Russia: on the Verge of War - CounterPunch.org - December 25th, 2025 [December 25th, 2025]
- European Union in Bosnia and Herzegovina establishes first Youth Advisory Board - European Newsroom - December 25th, 2025 [December 25th, 2025]
- European Union looks to boost plastic recycling as Chinese imports rise - Premium Beauty News - December 25th, 2025 [December 25th, 2025]
- European Union 'strongly condemns' U.S. sanctions against five Europeans - The Hindu - December 25th, 2025 [December 25th, 2025]
- European Union drops controversial gas car ban originally set to take effect in 2035 after years of debate - supercarblondie.com - December 21st, 2025 [December 21st, 2025]
- European Union: yes to funding abortion, no to funding large families - ZENIT - English - December 21st, 2025 [December 21st, 2025]
- The Western Balkan energy sector: between Russia, the European Union and the green transition - Bruegel - December 21st, 2025 [December 21st, 2025]
- European Union approves massive loan for Ukraine as Putin boasts about Russia's war - CBS News - December 21st, 2025 [December 21st, 2025]
- European Union's Injection-Moulding Machine Market Poised for Steady Growth With 2.2% CAGR in Value - IndexBox - December 21st, 2025 [December 21st, 2025]
- What we gain and lose by staying inside the European Union - MSN - December 18th, 2025 [December 18th, 2025]
- As I See It | Russia will end the European Union, not the other way around - South China Morning Post - December 18th, 2025 [December 18th, 2025]
- The European Union should embrace decentralised finance and make it safe - Bruegel - December 18th, 2025 [December 18th, 2025]
- Russia hit with fresh sanctions! European Union adds firms tied to Moscows shadow fleet to list; bans oi - Times of India - December 16th, 2025 [December 16th, 2025]
- The European Union and the war in Ukraine: more money, but not more Europe - Bruegel - December 12th, 2025 [December 12th, 2025]
- European Union expected to indefinitely freeze Russian assets in Europe - CBS News - December 12th, 2025 [December 12th, 2025]
- Finnish Officer appointed new Deputy Commander of the European Union Military Assistance Mission in Mozambique - EEAS - December 12th, 2025 [December 12th, 2025]
- Independent living of persons with disabilities in the European Union - European Parliament - December 12th, 2025 [December 12th, 2025]
- The European Union moves ahead with toughening its migration system - ABC News - December 10th, 2025 [December 10th, 2025]
- Elon Musk calls for abolition of European Union after it hit X with $140M bullst fine - New York Post - December 10th, 2025 [December 10th, 2025]
- Why is Elon Musk in a war of words with the European Union? - Australian Broadcasting Corporation - December 10th, 2025 [December 10th, 2025]
- The European Union moves ahead with toughening its migration system - AP News - December 10th, 2025 [December 10th, 2025]
- The European Union Reportedly Plans to Push Its Ban on New ICE Cars Back to 2040 - Road & Track - December 10th, 2025 [December 10th, 2025]
- Romania aims to become the customs hub of the European Union - European Newsroom - December 10th, 2025 [December 10th, 2025]
- Hungary Becomes Net Contributor to the European Union - Hungarian Conservative - December 2nd, 2025 [December 2nd, 2025]
- European Union and Singapore reinforce digital cooperation - European Interest - December 2nd, 2025 [December 2nd, 2025]
- Morawiecki on the judgment of the Court of Justice of the European Union: a brazen interference in the order of family law - European Newsroom - December 2nd, 2025 [December 2nd, 2025]
- European Union and UNESCO launch a new initiative to strengthen literacy and economic resilience in Afghanistan - Unric - December 2nd, 2025 [December 2nd, 2025]
- Court of Justice of the European Union Strengthens the Rights of Parents With Disabled Children - JD Supra - December 2nd, 2025 [December 2nd, 2025]
- European Union moves to cut off Tanzania over rights record - ZAWYA - December 2nd, 2025 [December 2nd, 2025]
- The Baltic Edge: A Strategic Imperative for NATO and the European Union - Taylor Wessing - December 2nd, 2025 [December 2nd, 2025]
- European Union threatens Tanzania with sanctions, funding freeze over post-election abuses - Business Insider Africa - November 30th, 2025 [November 30th, 2025]
- Europes chance to change the war: How to make the most of the reparation loan - European Union Institute for Security Studies | - November 30th, 2025 [November 30th, 2025]
- Shein faces European Union scrutiny over child safety and illegal products - AP News - November 30th, 2025 [November 30th, 2025]
- European Union's Nickel Market Set for Growth to 445K Tons in Volume and $8.6B in Value by 2035 - IndexBox - November 30th, 2025 [November 30th, 2025]
- European Union-funded Food Security Response in Northern Ghana - Food and Agriculture Organization - November 30th, 2025 [November 30th, 2025]
- European Union's Sweet Biscuit Market Set for Steady Growth With a 3% CAGR in Value - IndexBox - November 30th, 2025 [November 30th, 2025]
- Paris Louvre Museum To Increase Ticket Price For Visitors From Outside The European Union - Southern Minnesota News - November 30th, 2025 [November 30th, 2025]
- European Commission Approves BRINSUPRI (brensocatib) as the First and Only Treatment To Date Approved for Non-Cystic Fibrosis Bronchiectasis in the... - November 18th, 2025 [November 18th, 2025]
- President of Slovakia before ambassadors: Slovakia co-creates the rules of the game in the European Union - European Newsroom - November 18th, 2025 [November 18th, 2025]
- Secretary-General of ASEAN meets with the European Union Heads of Missions based in Jakarta - ASEAN Main Portal - November 18th, 2025 [November 18th, 2025]
- European Union Military Assistance Mission participates in the closing Ceremony of ISEDEF 2025 Courses - EEAS - November 18th, 2025 [November 18th, 2025]
- European Union and Vietnam: A joint path to poultry farming based on immunity and prevention - Laotian Times - November 18th, 2025 [November 18th, 2025]