The General Data Protection Regulation is coming on May 25th and you should be worried. If you operate in the EU or focus on EU-based clients, then the sweeping new data protection law will apply to you, with multi-million dollar fines per violation.
It mandates that we will need to be clear and concise about our collection and use of personal data like full name, home address, location data, and IP address of our EU constituents.
Moreover, constituents will gain the right to access data we store about them, the right to correct inaccurate information, and the right to limit the use of decisions made by algorithms, among others.
GDPR Doesn’t Apply to Everyone
Now, there is an out. As we learned at the "Will GDPR Finally Force Us to Embrace Responsible Data Practices?" Technology Salon, which featured Anna Arnaudo, AAAS Science & Technology Policy Fellow, USAID; Karen Reilly, Data Protection Officer, TechGDPR; and Tim Tobin, Partner, Hogan Lovells, GDPR is actually pretty narrow in focus.
It only applies to you if you aim for EU clients or have an EU presence. For example, it applies only to the fundraising appeal targeted at people living in EU-member countries, or to the data the European branch of your organization collects.
If you are a US-based organization, focused on serving clients in Sub-Saharan Africa, South Asia, or Latin America, and do not have an EU presence, you do not need to follow GDPR, even if there are EU citizens or dual nationals in your global constituencies.
However, should you really celebrate escaping the best data privacy law of the past 20 years?
GDPR is Responsible Data Best Practice
GDPR really isn’t a new law, and it doesn’t really ask for any new actions. Anyone who has really thought about online privacy and data security will see many best practices enshrined in the law, and celebrate the EU coming to our digital rescue (again!).
You are already implementing these responsible data practices, right?
- Privacy by Design
- Privacy Impact Assessment
- Data Flow & Mapping
- Data Access Control
- Responsible Data Policy
We Are Not Responsible Data Actors – Yet
Actually, you are probably not implementing any of those processes.
As we discussed in the Salon, donors and organizations already underfund normal IT services, and data security is no exception. All these practices take time, which is money, and need to be applied to dozens of programs in a myriad of countries, where we may already be skirting data laws.
For example, most of us would say we are collecting data of a country’s citizens on behalf of their government, but do we truly hand over all our data to governments? Or even better, build on their existing systems to begin with? And what if the government’s laws conflict with the donor’s contractual requirements (like say USAID’s ADS 579 on Open Data)?
We are already data security sinners. Will GDPR really make us repent?
GDPR: The Catalyst for Change!
GDPR is already having great influence in the countries where we work. South Africa has the PoPI Act, the Philippines has its own data protection laws, and more countries are considering implementing similar efforts. They sure aren’t following the USA’s lead in net neutrality, the CLOUD Act, FOSTA-SESTA, or SOPA.
GDPR should also influence us to consider every aspect of how we interact with our digital constituencies. Take for example the concepts of consent, deletion, and breach in international development.
- How can we get truly informed consent when working with marginalized populations? How do you explain cloud servers and deanonymization to a poor farmer?
- Could we actually delete someone’s data if they asked? Do we even know where their data is and who has access to it now, or worse, the day after the project ends?
- What protocols do we follow if we have a data breach? How would we notify those with compromised data? What if it’s national data, or from those offline?
Each of these questions should lead us all into long, thoughtful conversations with our program leads, IT staff, donors, constituents, and other stakeholders about the real-world tradeoffs.
We should all fear our own Cambridge Analytica-Facebook moment – especially since such a moment would run counter to the spirit, if not the actual letter, of GDPR.