The European Union's General Data Protection Regulation (GDPR), which went into effect in 2018, informs the many privacy regulations emerging globally and at the state level in the U.S. For many U.S.-based organizations, GDPR compliance has meant adding cookie notices to website footers, but it hasn't extended much past that. However, the steady stream of new data privacy regulations makes it important to understand what GDPR protections mean.
GDPR, and the many privacy regulations that build upon its principles, define an individual's rights to their own data. With these rights come responsibilities that organizations need to be aware of and be able to uphold.
For example, GDPR sets binding rules for the collection and use of personal data and establishes a set of basic rights for individuals (data subjects) whose data is being collected or used. Those rights include the right to be informed about data collection, the right of access to one's own data, the right to rectification, the right to erasure, the right to data portability, and the right to object to how data is being used.
This is a tall order.
For many organizations, the ability to comply with privacy laws requires a rethinking of data management — but this is also an opportunity to apply key principles of data ethics toward internal practices.
Do These GDPR Principles Still Matter If We're Not in the EU?
GDPR protects anyone located in the EU, and it reaches organizations outside the EU that offer goods or services to people in the EU or monitor their behavior, regardless of where the organization is based. The same individual rights are included, and in some cases extended, in the laws that have passed in states such as California, Colorado, and Virginia, as well as in many countries around the world. Further, as boundaries become increasingly fluid in a digitally connected world, organizations are likely to be collecting personal data from people in the EU through newsletter sign-ups and other seemingly benign collection points without realizing it.
The steadily rising frequency and sophistication of cyberattacks also add a layer of risk to any digital asset, particularly personal data. Breach notification requirements are part of every privacy law, and every one of the 50 U.S. states already has some form of breach notification rule on the books. At the same time, the growing collection and use of personal data for personalized, targeted marketing is prompting individuals to reevaluate what personal information they are willing to share.
These forces are causing many nonprofit professionals to think anew about information that they collect and to reassess data practices, while making decisions about how to protect personal information.
Navigating the Terrain of Data Privacy and Data Ethics
Data privacy and data ethics both speak to the importance of data responsibility. The last several decades have completely transformed how information is collected, maintained, and used. This has brought opportunities, but also very real costs, particularly to those in vulnerable or underrepresented groups.
As organizations work to comply with newly emerging regulations, there are new questions to ask of our data. It is in asking these sorts of questions that we find a great deal of overlap between data ethics and privacy.
Here is a sampling of basic, starter questions that every organization should be asking:
- What sensitive information do we collect? How do we collect it and where do we store it?
- Do we need all of the data we're collecting?
- Do we clearly ask for consent before we collect an individual's data?
- Who has access to an individual's information once it's in our possession?
- Do we have clear policies about the collection, use, sharing, and destruction of data?
These sorts of questions form the basis of our organizational data inventory. Once we know (and document!) what we collect, store, and use, then we are in a much stronger position to meet compliance requirements and build in meaningful, ethical practices.
Assessing Your Data Management and Cybersecurity Practices
As responsible stewards of data, how can we ensure that an individual's information is secure once it is in our possession?
The answer is to establish responsible data management practices. That starts with ensuring that every organizational data set has a named, accountable data owner rather than being owned by "all of us," which in practice means it is owned by no one.
Data management extends to the entirety of the data life cycle, from initial collection to archiving or deletion. Many organizations end up collecting more data than is needed while not having retention policies in place. Responsible data management means assessing each stage in the life cycle of data, asking questions and documenting the answers.
Here is a sampling of questions to ask at each of these life cycle stages:
- Collection: Whose data are we collecting, and in what format are we collecting it? What sensitive data are we collecting?
- Storage and Access: Where is data stored, and who in our organization has access to that data? Are these systems protected from cyberattacks, and from human error?
- Sharing and Transfer: Do we share personal information between departments or with any outside organizations? What tools or channels are we using to share it?
- Retention and Deletion: Do we have policies regarding data retention? When we archive or destroy data, are we doing this securely?
At each of these stages in the life cycle, we also need to think about security and protection. With cyberattacks becoming both increasingly prevalent and sophisticated, it is more important than ever for organizations to have a cybersecurity plan in place that includes awareness training for all staff.
Data as an Asset and Liability
In light of these new privacy regulations, we need to start thinking of data as both an asset and a liability. On the one hand, data is essential for providing valuable insights and improving organizational decision-making. On the other hand, mishandling data can lead to serious privacy breaches that are costly and damage people's trust. As a result, it's more important than ever for nonprofits to think carefully about their data practices.
As technologies and threats are ever-changing, it's important to regularly review data systems for vulnerabilities or potential security issues. Of course, it is also important to stay up-to-date on emerging data privacy regulations.
Compliance with data privacy regulations has the potential to lead us to become more ethical, responsible users of individuals' data. Proactive data management practices have the added benefit of ensuring that our data is as much of an organizational asset as it possibly can be.
About the Author
Kim Snyder is the RoundTable Technology VP of Data Strategy. She has over 20 years of experience with data systems, business analysis, and change management, not to mention accolades as an Agile coach, a certified PMP (Project Management Professional), and an ACP (Agile Certified Professional). Kim has recently completed the CIPP/US certification as an Information Privacy Professional.
- Learn What You Should Know About the New California Consumer Privacy Act.
- See more on Data Privacy and Compliance at Nonprofit Organizations.
- Watch a webinar on Security and Privacy: What Nonprofits Need to Know.
- Take TechSoup Courses' Tech Planning 201: Developing a Data Strategy.
Top photo: Shutterstock