The General Data Protection Regulation (GDPR), Europe’s new privacy law that increases the protection of personal data, is surprisingly comprehensive. But is your organization prepared for its reach?
Under GDPR, EU residents have the right to know who has their data and can request access to, rectification of, and deletion of their data in a timely manner. To comply, organizations must delete data that was not collected in accordance with GDPR, review their data governance practices, and retire legacy systems that store unnecessary data.
GlobalGiving has distilled some of the legalese for quick reference:
- An individual may request that an organization delete all data on that individual without undue delay.
- An individual may prohibit certain data uses, and must be able to easily opt in to and opt out of those activities.
- Individuals may request that incomplete data be completed or that incorrect data be corrected.
- Individuals have the right to know what data about them is being processed and how.
- Individuals may request that personal data held by one organization be transported to another.
Calling GDPR the most comprehensive data protection regulation he’s ever seen, TechSoup’s Stephen Jackson says, “Data protection and data privacy are simply on everyone’s minds these days.” In 4 Things Your Nonprofit Actually Needs to Do Before 2019, he wrote:
“Earlier this year, Meltdown and Spectre stopped heartbeats across the planet when certain computer chip vulnerabilities were revealed. Between that and a spate of data breaches over the past few years, donors, beneficiaries and anyone involved with your nonprofit now expect you to take certain measures. You must ensure that the data you keep and collect is done so with their safety and privacy in mind.”
Jackson also recommends that organizations move to the cloud for its significant security enhancements over traditional computing. He writes, “In most cases, it’s also constantly updated to keep in line with changing security regulations — such as GDPR.”
More critical GDPR information for organizations can be found by reading GlobalGiving’s Six Facts Every Nonprofit Leader Needs To Know About GDPR. Kevin Conroy, GlobalGiving’s Chief Product Officer, reveals six important facts nonprofit leaders need to know about how the EU’s landmark data privacy legislation could impact operations at your nonprofit.
Two particular points will interest nonprofit organizations: the concepts of consent and legitimate interest. At first glance, compliance with consent might appear easily solved with current Terms of Service Agreements, but, according to GlobalGiving, “Consent must be specific to distinct purposes. Each distinct purpose and usage has to get specific and separate consent from the user. Silence, pre-ticked boxes or inactivity does not constitute consent. Data subjects must explicitly opt-in to the storage, use, and management of their personal data.”
Legitimate interest, under GDPR, is the common-sense expectation that the data needed to carry out a transaction may be processed for that purpose; even so, the interests and rights of the individual always trump those of the organization.
The example used by GlobalGiving is that when processing a donation “there’s a legitimate interest for passing their credit card information to the bank to handle the charge, to record the transaction in a database, to run fraud prevention checks, and to email a receipt to confirm the transaction.” Separate opt-ins would not be required. “Legitimate interest, however, would not be a basis for you to add the same donor to your newsletter or marketing emails.”
For organizations not working with EU residents, it’s worth noting that compliance with the GDPR standard can serve as a best practice for managing personal information, and that similar regulation is under consideration by other nations.