The General Data Protection Regulation is coming on May 25th and you should be worried. If you operate in the EU or focus on EU-based clients, then the sweeping new data protection law will apply to you, with multi-million dollar fines per violation.
It mandates that organizations will need to be clear and concise about the collection and use of personal data like full name, home address, location data, and IP address of our EU constituents.
Moreover, constituents will gain the right to access data organizations store about them, the right to correct inaccurate information, and the right to limit the use of decisions made by algorithms, among others.
GDPR Doesn’t Apply to Everyone
Now, there is an out. As we learned at the GDPR Technology Salon, the new law is actually pretty narrow in focus.
It only applies to you if you aim for EU clients or have an EU presence. For example, it applies only to the fundraising appeal targeted at people living in EU-member countries, or to the data the European branch of your organization collects.
If you are a US-based organization, focused on serving clients in Sub-Saharan Africa, South Asia, or Latin America, and do not have an EU presence, you do not need to follow GDPR, even if there are EU citizens or dual nationals in your global constituencies.
However, should you really celebrate escaping the best data privacy law of the past 20 years?
GDPR is Responsible Data Best Practice
GDPR really isn’t a new law, and it doesn’t really ask for any new actions. Anyone who has seriously thought about online privacy and data security will recognize many best practices enshrined in the law, and celebrate the EU coming to our digital rescue (again!).
You are already implementing these responsible data practices, right?
- Privacy by Design
- Privacy Impact Assessment
- Data Flow & Mapping
- Data Access Control
- Responsible Data Policy
We Are Not Responsible Data Actors – Yet
Actually, you are probably not implementing any of those processes.
As we discussed in the Salon, donors and international development organizations already underfund normal IT services, and data security is no exception. All these practices take time, which is money, and need to be applied to dozens of programs in a myriad of countries, where we may already be skirting data laws.
For example, most of us in this field would say we are collecting data of a country’s citizens on behalf of their government, but do we truly hand over all our data to governments? Or even better, build on their existing systems to begin with? And what if the government’s laws conflict with the donor’s contractual requirements (like say USAID’s ADS 579 on Open Data)?
We are already data security sinners. Will GDPR really make us repent?
GDPR: The Catalyst for Change!
GDPR is already having great influence in the countries where we work. South Africa has the PoPI Act, the Philippines has its own data protection laws, and more countries are considering implementing similar efforts. They sure aren’t following the USA’s lead in net neutrality, the CLOUD Act, FOSTA-SESTA, or SOPA.
GDPR should also influence us all to consider every aspect of how we interact with our digital constituencies. Take for example the concepts of consent, delete, and breach in international development.
- How can we get truly informed consent when working with marginalized populations? How do you explain cloud servers and deanonymization to a poor farmer?
- Could we actually delete someone’s data if they asked? Do we even know where their data is and who has access to it now, or worse, the day after the project ends?
- What protocols do we follow if we have a data breach? How would we notify those with compromised data? What if it’s national data, or from those offline?
Each of these questions should lead us all into long, thoughtful conversations with our program leads, IT staff, donors, constituents, and other stakeholders about the real-world tradeoffs. Every organization should fear its own Cambridge Analytica-Facebook moment, especially since such a failure is counter to the spirit, if not the actual letter, of GDPR.
Want more GDPR resources? Digital Impact’s GDPR Guide is an excellent starting place for organizations concerned about their data governance.
Great update, thanks. Many of the answers can be found in the ICRC/Brussels Privacy Hub Handbook on Data Protection in Humanitarian Action http://www.data-protection-handbook.icrc.org
For the statement “It only applies to you if you aim for EU clients or have an EU presence.” – I think with the GDPR, a website available in the EU that EU people can register on and access defines an ‘EU presence’. To me ‘EU presence’ implies EU-based staff/offices. So it may catch more US organisations than the article implies.
Another note is that the GDPR is not specific to EU citizens, rather people who are in EU countries. So a US citizen in France (even temporarily) would be covered by the GDPR.
The above examples are perhaps areas where US or other non-EU organisations might (unwittingly) fall foul of the GDPR.
These comments are from my personal understanding of the GDPR, so am happy to be corrected if anything I’ve mentioned is incorrect.
Many smaller organisations even in the EU are having trouble really getting to grips with what it means and how it should be applied. In the end though as the article states, it is all just very good practice and would be great to see it much more widely adopted than just the EU.
Alex: “EU presence” is a common confusion. The advice I’ve received so far, from lawyers and the like, is that EU presence means either staff or an office in the EU, or a specific focus on EU residents. Anyone residing in the EU (regardless of nationality) is covered.
There is still much debate on the specifics, and I am sure years of litigation, before we get true clarity.
Hi Wayan,
Thanks for writing this up! I agree with Alex. The article implies a much narrower scope for GDPR than is actually the case (wish I had been at the Tech Salon!). Since our company has been going through a multi-month process to ensure that we meet all GDPR requirements, we’ve been deep in getting a legal understanding of who it applies to (in consultation with lawyers and security specialists who are specializing in GDPR compliance). While the GDPR is a pretty sprawling legislation, and the contours of the legislation may change over the next few months and years based on EU judicial rulings on court cases brought under the GDPR, a very fundamental consensus around the GDPR is the following:
It applies to any organization that collects data on any EU citizen.
And the legislation is very clear that the type of data collected includes basic information like names, email addresses, employee records and employee performance even. So the following sentence in the above article I believe is, in fact, incorrect:
“If you are a US-based organization, focused on serving clients in Sub-Saharan Africa, South Asia, or Latin America, and do not have an EU presence, you do not need to follow GDPR, even if there are EU citizens or dual nationals in your global constituencies.”
Even a US-based organization that does not have EU offices and does not specifically direct its programs at EU citizens that has even a single EU citizen/dual national would, by definition, have data on that EU citizen (e.g. their HR records). The GDPR gives that EU citizen certain rights to that data and, hence, this US organization needs to be GDPR compliant in order to provide those rights to that employee.
Similarly, a US organization that is, say, *only* working in Sub-Saharan Africa cannot, with certainty, know whether any individuals it surveys, or enrolls in its programs, are not EU citizens or nationals. It very well *could*, at any point in the future, collect data on EU nationals. Or EU nationals could sign up on its website to donate money or receive a newsletter from the organization. All these are types of data that are being collected on EU nationals that fall under the scope of the GDPR. These organizations would also need to ensure GDPR compliance, or update their systems to prevent EU nationals from, say, donating funds or signing up for their newsletters.
Of course, all the above is different from the question of implementation of the legislation. Whether organizations that should be GDPR compliant but fail to do so will be held accountable is unlikely, as the focus of the EU authorities will initially likely be to go after the Facebooks and Googles of the world, which will tie up their resources for years. International development organizations are very low on that totem pole.
We will need to agree to disagree on GDPR’s scope. That said, I don’t think anyone knows for sure at this stage. We can surely agree that it will take months of legislation and litigation before we know for sure.