Achieving compliance with the GDPR takes all three.
PEOPLE: Not just IT
- Who is accountable for compliance?
- Who is responsible for compliance activities?
Awareness and Training
• Train privacy personnel & employees
• Make them aware of their obligations
Appoint a Data Protection Officer (DPO) – If Required
Designate an EU Representative – If Required
Define your data governance
• Overarching strategy for managing and protecting data
What to watch out for on your website:
- Donation Forms
- Email Sign Up Forms
- Contact Us Forms
- Other Website Forms
- Online Preference Center (for managing consent)
What to watch out for in your applications:
- Third-party plugins and SDKs
- iTunes/Play store requirements
- Integrated third-party services (e.g. Flickr, analytics, social, eCRM)
- Hosting providers
What to watch out for in public-facing policies on your website and in your apps:
- Terms and Conditions
What to watch out for in your digital marketing & fundraising
What to watch out for in internal processes/procedures for:
- Fulfilling a person's right to be forgotten (erasure)
- Fulfilling a person's right to export their data (data portability)
In accountability & governance:
- Contracts with tech/service providers
- Board member liability
GDPR in monitoring and evaluation
• Organizations often collect highly sensitive personal data from vulnerable people.
• Privacy protection has been a low priority for many international NGOs: “Other activities are more important to our mission”; “It’s too complicated and we don’t know where to start”; “Privacy isn’t as important in developing nations”.
• Sometimes disease surveillance conflicts with privacy, e.g., precise GPS location of Ebola incidents.
• The risk to vulnerable people has grown as records have gone digital. A poorly secured database in a war zone can facilitate genocide by revealing ethnicity or religion alongside addresses.
GDPR can mobilize organizational resources
• GDPR will oblige NGOs to take privacy protection seriously at the senior management and Board level.
• Privacy protection requires an organization-wide initiative. It isn’t easy.
• For example, take encryption. All sensitive personal data should be encrypted at rest as well as in transit. However, if you use encryption you must also ensure that the encryption key is stored securely, updated (rotated) regularly, shared only with the right people, and not lost if someone leaves the organization. That is a set of management processes, not a single technical setting. Most organizations find key management too complicated, so they avoid the cost by not encrypting at all, which transfers the risk to the people whose data they hold. GDPR's penalties are intended to stop that approach.
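The key-management processes listed above (store the key, update it, share it only with the right people, and do not lose it when someone leaves), as an added example that is not part of the original deck: envelope encryption in Go using only the standard library. Each record of personal data is encrypted under a data-encryption key (DEK). The DEK is never stored in the clear; it is kept wrapped under each custodian's key-encryption key (KEK), so access is granted by adding a wrapping and a departure is handled by rotating the DEK without the leaver's KEK. The Vault type, its method names, and the custodian names and record text in the usage note are assumptions made for this example; where a KEK itself comes from (a hardware token, a KMS, a passphrase) is outside its scope.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// random returns n cryptographically random bytes; an entropy failure is fatal.
func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts pt with AES-256-GCM under key, prepending the random nonce.
func seal(key, pt []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := random(g.NonceSize())
	return g.Seal(nonce, nonce, pt, nil), nil
}

// open decrypts a blob from seal; a wrong key, tampering or a nil blob all fail.
func open(key, ct []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil || len(ct) < g.NonceSize() {
		return nil, errors.New("bad key or ciphertext")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

// Vault (hypothetical type) keeps records encrypted under one DEK, which is
// stored only wrapped under each custodian's KEK, never in the clear.
type Vault struct {
	Records    [][]byte          // ciphertexts of personal data, i.e. seal(dek, record)
	WrappedDEK map[string][]byte // custodian -> DEK sealed under that custodian's KEK
}

// Grant wraps dek for a custodian. The caller must already hold the plaintext
// DEK (via Unwrap), so access spreads only from an existing custodian.
func (v *Vault) Grant(name string, kek, dek []byte) error {
	w, err := seal(kek, dek)
	if err != nil {
		return err
	}
	v.WrappedDEK[name] = w
	return nil
}

// Unwrap recovers the DEK for a custodian presenting the matching KEK.
func (v *Vault) Unwrap(name string, kek []byte) ([]byte, error) {
	return open(kek, v.WrappedDEK[name])
}

// Rotate re-encrypts every record under a fresh DEK and wraps it only for the
// KEKs presented at the ceremony. A leaver is simply not presented: their
// wrapping is discarded, and any copy they kept no longer opens anything.
func (v *Vault) Rotate(keks map[string][]byte) error {
	var oldDEK []byte
	for name, kek := range keks { // every presented KEK must open the current DEK
		d, err := v.Unwrap(name, kek)
		if err != nil {
			return err
		}
		oldDEK = d
	}
	newDEK := random(32)
	for i, ct := range v.Records { // fails before touching anything if no KEK was presented
		pt, err := open(oldDEK, ct)
		if err == nil {
			v.Records[i], err = seal(newDEK, pt)
		}
		if err != nil {
			return err
		}
	}
	v.WrappedDEK = map[string][]byte{}
	for name, kek := range keks {
		if err := v.Grant(name, kek, newDEK); err != nil {
			return err
		}
	}
	return nil
}
```

Usage: the first custodian creates a DEK with random(32) and calls Grant on an empty Vault; records are stored as seal(dek, record); a second custodian is brought in by someone who has already Unwrapped the DEK. The point of Rotate is the leaver case: merely deleting a departed person's entry from WrappedDEK is not enough, because they may have copied the wrapped blob while they still hold their KEK, so their departure must be followed by a rotation they are not part of. Rotation also refuses to proceed, and leaves the vault untouched, if any presented KEK fails to unwrap the current DEK.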
Recommended Resources for GDPR Compliance – Start Here
• If you use only one resource, we recommend the general guidance on GDPR compliance from the UK's Information Commissioner's Office (ICO) – https://ico.org.uk/for-organisations/guide-to-the-general-dataprotection-regulation-gdpr/