Russ is right that even if you have no presence in the EU, if you store personal information about EU residents, technically speaking, your organization falls under the scope of the GDPR. So if you’ve got the name and email of someone’s grandma from Germany who donated once while she was visiting, you should ensure compliance. (Whether any EU supervisory authority will, or even can, come after an entity with no EU presence is debatable and up to your risk tolerance for now.)
However, consent is not the only basis for which you can continue to process grandma’s information. Article 6 spells out all of the different reasons you might be able to continue processing her info, including if the “processing is necessary for compliance with a legal obligation to which the controller is subject;” (would make sense for tax reporting financial gifts, etc.) or if “processing is necessary for the purposes of the legitimate interests pursued by the controller” (if an EU resident comes to your church and gives you their information, there’s debatably “legitimate interest” that they’re part of your congregation). None of this has any case law behind it yet, so it’s up for interpretation and again, your risk tolerance.
GDPR also provides limits on what you can do with “special categories” of information, which includes religious affiliations. However, the processing is okay if it is “carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim”. (Article 9)
All that to say, you probably don’t need grandma’s consent, but you should have a good reason to have her data.
Besides providing the legal bases for processing data, GDPR also creates obligations about where you transfer that data to. In a nutshell, your ChMS should also be GDPR compliant.
Personally, if I still worked for my church which has no EU presence, I wouldn’t sweat it, but that’s your call not mine. If I were in the EU, I’d feel a lot different.
I’m neck deep getting my organization (Planning Center) GDPR compliant. If you’ve got any other GDPR questions, lemme know.