The European Union has enacted a new set of rules called the General Data Protection Regulation (GDPR). GDPR gives individuals in the EU (known as data subjects) the right to access, retrieve, correct, erase, and restrict processing of their personal data. While the regulation is geared toward large data collectors such as Facebook, Google, and Microsoft, it applies to any organization, wherever it is located, that holds personal data of people in the European Union (EU citizens and residents alike).
While GDPR is EU-specific legislation, the data privacy and ownership concepts it introduces are likely to be adopted by other countries and states before long.
California recently passed a revived version of a data privacy bill, the California Consumer Privacy Act of 2018 (CCPA). The bill, AB-375, was first introduced in 2017, when it was geared toward protecting the privacy and data ownership of people using an ISP. The final bill goes into effect on January 1, 2020. It also contains protections for an individual's data; however, it uses more specific language about which companies it targets, defining them as larger for-profit businesses that meet thresholds for revenue and for the volume of personal information they handle. Nonprofits are not a target of this legislation and may be exempt from its legal requirements.
GDPR has only been in force since May 25, 2018, and much of the case law that will determine how the regulation is interpreted and enforced has yet to be generated. While the legal impact and fines of these privacy laws remain to be seen, they do give some legal teeth to good data privacy practices. Although nonprofits are not the target of these laws, it is wise to look at the intent of the regulations and use them as a reference for adopting good data practices.
Good Data Practices
- Start with a policy, then find the technology to support it
- Be clear about what data you are collecting and how you are using it
- Have your data policy reviewed by your organization's Legal Counsel, or by a firm with expertise in data regulations
- Have a clear policy and practice for removing people, and their data, from your systems
- Have a clear procedure and process for responding to a data breach
The Data Protection Commissioner of Ireland has developed a very good website with an overview of 12 steps for implementing the GDPR: http://gdprandyou.ie/gdpr-12-steps/
This article from WIRED is a good overview of the new law.
More resources from our partners on the EU General Data Protection Regulation:
From Idealware: https://www.idealware.org/gdpr-organization-ready/ (includes a detailed list of further resources on the legal aspects).
From Build Consulting: https://buildconsulting.com/does-californias-new-data-privacy-law-apply-to-non-profits/ (an update on the new California law, with further information on GDPR).