I was lucky enough to be in the room at the European Parliament in October 2018 when Apple CEO Tim Cook made an impassioned plea for a federal privacy law in the USA. It was something I thought I would not hear from a Silicon Valley CEO in my lifetime.
If that wasn't amazing enough, Mr. Cook left no room for misunderstanding when he declared that tech giants put profit over privacy and that their most dubious actions result in nothing short of surveillance.
He was, however, not all doom and gloom. He also made it clear that those who believe in "the potential of technology for good" should not give up hope, as "technology doesn't want anything." Rather, we must ensure that it is designed and developed to serve humanity, not the other way around.
The U.S. has yet to pass federal regulations as stringent as the General Data Protection Regulation (GDPR), though some states have passed their own. Nevertheless, data privacy remains top of mind for any organization — for-profit or nonprofit — that deals with the collection, storage, and use of an individual's data.
Complying with the rapidly increasing number of laws and regulations related to data privacy is much harder for nonprofits with limited budgets and staff than it is for large organizations with more funding, personnel, and resources. That said, it is typically easier to install or modify a "culture" in a small organization than it is in a large one.
Let's take a look at what creating a culture of data privacy might look like, and at how EU organizations are approaching data privacy.
Where employees and volunteers understand that the organization has a commitment to honesty and ethical corporate decision-making, including a responsibility to protect data, they are far more likely to treat data with care and respect. This, in combination with good processes and policies, means you are less likely to fall foul of the various laws and regulations that may affect data privacy. However, it never hurts to regularly challenge yourself and your organization to ensure that "thinking the right thing" translates into "doing the right thing." For starters, ensure that your organization is constantly asking itself basic questions like
In most cases, committing to this line of thinking will make your organization less likely to incur the most severe penalties provided for in these new regulations. The answers to these questions will also inform updates to your related policies and procedures.
Speaking of policies and procedures, I suspect many of you already have a good sense of your organization's ethics and compliance programs (formal or otherwise). Either way, it is advisable to review your policies and procedures specific to data ethics and privacy — especially before your staff, the public, or donors start to ask!
Since my last piece on GDPR for TechSoup, the International Association of Privacy Professionals, which I represent as the U.K. country leader, has released a couple of key documents that will provide you with some valuable benchmarks and insights into what others are doing to address privacy compliance.
One such tool is the IAPP-EY Annual Privacy Governance Report 2018. This provides results and commentary from a survey of many IAPP members and contains many useful insights. Below, I've listed some key takeaways that stood out to me.
Speaking of investing in data privacy, another report recently released by the IAPP is the 2018 Privacy Tech Vendor Report. There has been an explosion of privacy-related technology as a result of GDPR. This report analyzes much of the technology available today within different categories, including data mapping, incident response, website scanning, activity monitoring, and more. I recommend taking a moment to at least scan this report. It will give you an idea of recent developments in this field and perhaps point to some improvements you could make at your own organization.
Hopefully I have provided you with some high-level "food for thought," as well as some more specific resources, to help you think about your own privacy needs and how you might address them. In future posts, I would very much like to address common implementation issues that many of you are facing. In order to make this as valuable as possible, please do send in any questions, concerns, or challenges you have solved to legalteam [at] techsoup [dot] org. I'd love to use these as jumping-off points for the benefit of the rest of the nonprofit community.
Next time, I will also take a quick look at some common struggles that organizations are facing (maybe even where we are getting it wrong), and how regulators are approaching them. Stay tuned!