As inboxes full of updated privacy notice emails can attest, the General Data Protection Regulation (GDPR) is here. The GDPR is the EU’s regulation on data protection, which came into force on May 25th and grants individuals greater knowledge of and control over their personal data. As a regulation, it is a binding legislative act, not just a directive, and will be directly binding and applicable in EU member states.
Civil society organisations face unique, sometimes daunting challenges to implementing the GDPR. Some of these challenges are specific to the GDPR, but most relate more broadly to how we interact with technology and data as a sector. Facing each challenge thoughtfully will help us think more clearly about what we’re doing and how we can do things better in future, not just for the GDPR but for our constituents, too.
At its core, the GDPR means we can no longer gather personal data “just in case”, and that we must clearly articulate why we need to collect and store it. The Engine Room’s work focuses on supporting civil society to increase their impact through strategic, responsible use of data and technology. The attention on the GDPR has given us a lot of opportunities to continue developing and sharing these intentional approaches.
Treating GDPR compliance as a one-off endeavour is a potential pitfall facing NGOs tackling implementation. As it stands, NGOs may already be pursuing technology and data projects in one-off bursts, without considering ongoing tool maintenance or how technology integrates into existing work. We’ve long advocated for taking a more critical and strategic approach to implementing technology and data projects, and think that there is a lot to be gained from doing the same when it comes to the GDPR.
By taking the time now to build strong processes, we can support our organisations’ data governance processes well into the future. Creating processes – like guidance documents on regularly deleting data you don’t need (after considering its value carefully!) or steps for responding to a data breach – can be much more valuable than any one-off checklist. Thinking about compliance as an attitudinal shift, not a single-day project, is key.
Some organisations may see GDPR as an ‘operational’ issue that is peripheral to their overall mission and de-prioritise it as a result. There is a long history of operational issues receiving less attention and fewer resources within the sector. This happens both because organisations lack operations-focused staff with the necessary skills, and because funders are not always willing to provide core funding for organisational development.
When implementing the GDPR, it can be helpful to dedicate an internal point-person (or team) to managing the process of compliance. It might be useful to establish an explicit internal prioritisation of operational tasks, and have a conversation with funders about the necessity of this prioritisation. In our case, it meant creating internal educational documents and templates that would help the entire organisation understand the importance of the GDPR and how it will enhance our work going forward. No matter what, it means realising that strong operations, policies and practices are fundamental to building strong programmes and achieving our mission(s).
One of the great (but tricky) things about the GDPR is that it’s cross-organisational. It affects all data held – whether for finance purposes, communications or programmatic work – and it affects the activities of technology teams. That’s to say, it’s complex.
But so are the challenges that civil society organisations tackle. We’re already mapping information flows, connecting disparate ideas and trying to increase collaboration, sometimes on a daily basis. These same tools are critical to continued adherence to the GDPR. At The Engine Room, we managed this kind of GDPR-specific collaboration by creating things like an audit document that outlines everywhere we hold personal data, how we collect it and who is involved. This required input from every corner of our organisation, and sparked conversations that are continuing today.
The GDPR also provides an opportunity to look outside of our organisations to find new ideas and collaborators. There are many existing networks that bridge NGOs and technology, and the GDPR offers an opportunity to both grow these and create new ones. As one example close to us, the GDPR has popped up on the responsible data mailing list, a space where people share challenges and develop best practices to prioritise the rights of those reflected in the data we hold. It was also the topic of a community call, which highlighted both shared concerns and resources. The eCampaigning Forum (ECF), a network of practitioners using digital media for advocacy, also has a very active mailing list where the GDPR has been under detailed discussion.
Thinking about the GDPR is a valuable opportunity for many NGOs to consider our data in a more holistic way. By placing the GDPR within a larger context of building responsible data practices, we can increase the effectiveness of our projects and better serve our partners and the communities we work with and for. After all, it isn’t just about the GDPR itself, but about the ethical management of the data we hold.
To take this broader approach, it’s important to find communities that perhaps work in a similar area to yours and that also want to make their responsible data practices an ongoing project. For specifics, see a little bit of what we’re doing about implementation. Remember to document, document, document, as demonstrating an intent to prioritise the data rights of individuals will always be a good thing to have in your favour. Use the GDPR as an excuse to do a ‘spring clean’, and take stock of your work, but also make sure to think about how it interacts with your long-term processes.
The GDPR presents a challenge for many resource-strapped organisations, but it is one that we can all face together. With collaboration and coordination, we hope that its implementation will be a positive step for the sector’s long-term tech and data projects.