This is meant as a guide and is not legal advice.
The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union. It creates new requirements for organisations based in the EU as well as organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU 'data subjects'. It is important to note that the UK will also be included under the GDPR even after Brexit.
The GDPR also applies to Civil Society Organisations (CSOs) and even activist groups that handle data or collect information (like email and contacts) about their supporters. That's why it's important to learn about the GDPR requirements: not only because it's a step towards better usage and storage of data, but also to avoid any legal complications that might affect the work you are doing.
“Organizations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million. This is the maximum fine that can be imposed for the most serious infringements e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment. It is important to note that these rules apply to both controllers and processors – meaning 'clouds' will not be exempt from GDPR enforcement.” (EU GDPR)
In the GDPR definition (Article 4, page 111), personal data is “any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
This includes names, postal or email addresses, phone numbers, and digital information such as IP addresses.
Does your organisation or group collect and process personal data? Many organisations do collect personal data in the form of contact databases of private donors, event attendees or participants in conferences and workshops, and even job applicants. This is mostly kept for the sake of outreach, fundraising and network building; nevertheless, it is regulated under the GDPR as processing of personal data, thus CSOs and grassroots groups are expected to abide by the regulations to avoid legal and financial consequences.
Make sure everyone at your organisation is aware of the compliance requirements under the GDPR and stay informed as an organisation. Above all, make sure you can demonstrate your compliance with the GDPR by understanding which part applies to the data you are collecting and how you are handling it.
Keep these questions in mind while working with data:
Which third-party platforms or services are you using?
You can also apply encryption as a strategy to protect data, and make sure to protect your devices from malwares. Click here to learn more about how to do that. For data in hard copies, make sure it is stored securely and is protected.
Note: you are obliged to notify data subjects in case of a data breach or any other ways in which their data may have been compromised.
In the future, when collecting data at events or when collecting data from online communications, make sure that those working with the data are aware of the compliance requirements, and make sure any form includes both the data collected and the individual's consent. In general, make consent an essential step when collecting data of any kind.
Provide clear and accessible ways for people to modify their consent agreement, and a clear option to opt-out.
Always be transparent about what data you are collecting, and make sure this is reflected in your data use policy.
Share the contact information of your in-house data protection officer to make it easier for people to contact you for enquiries or complaints.
At least in the initial period, keep track of the data your organisation is collecting and how it is being stored and handled; stay up-to-date with news and resources released; and make sure your data protection officer is informed and is responding to data-related requests and queries according to the regulations.
Data subjects shouldn't at any time be denied service if they refuse to provide additional data that is not justifiably related and strictly necessary to the service provided.
When someone signs up to your organisation's newsletter or email list, you must provide an active opt-in, not a pre-ticked box or silence-as-consent, as many companies and organisations did previous to the GDPR.
Under the GDPR, organisations are also required to notify their users and/or subscribers if their data is going to be used for any form of "segmentation" of audience or for a special email list based on their specific interests or behaviours. This would require another layer of consent, or the organisation must have a 'compelling reason' that is demonstrable under the GDPR to collect and use this information.
What to do with existing subscribers
It is important that you first review the terms of consent under which your subscribers gave their approval. If they are compliant with the GDPR and you can prove this through apt documentation, then you do not need to do anything. Though it would be a good practice to send a reminder to your subscribers about your data use policy, their options and rights under the GDPR, and provide them with the contact of your data protection officer.
If the consent wasn't obtained in compliance with the GDPR, or your documentation or records do not show the consent process that meets the GDPR requirements, then you will need to delete all this data entirely and start building your subscriber lists in accordance with the GDPR. It is important not to re-contact users or subscribers who have previously opted out.
Under the GDPR the information you provide in your Data Use Policy must be:
Concise, transparent, intelligible and easily accessible; Written in clear and plain language (with special attention to when children are your data subjects) Free of charge.
You should also include, according to the language and conditions mentioned above,
In compliance with the GDPR, and as a general rule to respect user privacy and data rights, be explicit when asking for consent to collect and use their data: including the data you will collect and the specific type of communication you are requesting consent for, as well as how you will store and process the data. Consent should be given separately on these issues: type of communication, data you will collect, and the way you will process it. You can do this by providing empty boxes for the users to select (with the option to deselect them and opt-out at any time). It is important to use plain and accessible language.
It would be a good general practice-turned-habit to remind subscribers that they have the right to the accessibility, rectification, cancellation, opposition, limitation and portability of their data, and to always include links to your data use policy, including a clear link to where users can unsubscribe or modify their data, and a contact to your data protection officer.
Organisations should only collect personal data for a specific purpose, clearly state what that purpose is, and only collect data for as long as necessary to complete that purpose.
Organisations must only collect and process the personal data that they need to achieve the declared purpose.
This lays responsibility on the organisation to process the data lawfully, fairly and in a transparent manner in relation to individuals.
The accuracy of personal data is integral to data protection. According to the GDPR “every reasonable step must be taken” to erase or rectify data that is inaccurate or incomplete.
Data subjects have the right to request the modification or erasure of inaccurate or incomplete data within 30 days.
When data is no longer necessary, you are required to delete it or dispose of the documents in a secure way.
According to the GDPR, personal data must be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.
Under Article 5, “the controller" (which is the CSO in this case) "shall be responsible for, and be able to demonstrate, compliance with the principles.”
As an organisation, it is important to understand the rights of the data subjects (your users, subscribers, participants, applicants and anyone whose data you collect) to make sure you respect them in compliance with the GDPR.
As a data subject you have:
the right to view your data: you should be able to access your personal data free of charge
the right to be informed: you have the right to know and understand what data is collected about you, how it is used, and why, in accessible language. You also have the right to know how and if you are profiled.
the right to be forgotten: without a ‘compelling reason’ to keep your data, an organisation must delete it upon request.
the right to move your data: you can obtain and reuse your personal data with other services and providers.
the right to say no: you can stop direct marketing and data processing when there’s no ‘compelling reason’ to store it.
the right to secure handling: you have the right to have your data handled in a secure and protected way.
the right to limit how your data is used: you can block and put restrictions on how your data is used if it's inaccurate or unnecessary. If the organisation or company refuses to do this, you can contact the new Data Protection Regulation and they will take action.
the right to make changes to your data: you can update any data about you that’s out of date or false
the right to human-made decision making: users have the right to know how automated decisions about them are being made and have the right to stop them if this has legal or significant consequences. Users have the right to ask for human intervention, and they have the right to contest the decisions made.
Consent - freely given, specific, informed and explicit consent by statement or action signifying a person’s agreement to the processing of their personal data.
Data Breach – the loss of data by an organisation, usually as a result of hacking or similar activities.
Data Controller - organisations that collect and manage personal data from EU residents.
Data Portability - the requirement for controllers to provide the data subject with a copy of his or her data in a format that allows for easy use with another controller
Data Processor - organisations that process data on behalf of a data controller including third parties
Data Protection Officer – the person responsible within an organisation for ensuring it is compliant with data protection laws and regulations, and for controlling that organisation’s data protection policies and procedures.
Data Sharing – the process through which different parts of an organisation, or different organisations, share data with each other.
Data Subject – the person / an EU citizen or a person living in the EU about whom data is collected or held.
Encrypted Data - personal data that is protected through technological measures to ensure that the data is only accessible/readable by those with access.
GDPR – General Data Protection Regulation. The new EU-wide data protection legislation that comes into force on 25th May 2018.
Information Commissioner’s Office (ICO) – the UK regulator responsible for data protection.
Lawful Processing – the means by which organisations collect and manage people’s data (see also consent and legitimate interest).
Legitimate Interest – where GDPR-compliant consent has been given previously, and organisations have evidence of this, personal data can continue to be used without the need for refreshed consent, provided that the interests of the data subject are not harmed.
Personal Data - any information related to a person or ‘Data Subject’, that can be used to directly or indirectly identify the person.
Privacy Impact Assessment - a tool used to identify and reduce the privacy risks of organisations by analysing the personal data that are processed and the policies in place to protect the data.
Processing - any operation performed on personal data, whether or not by automated means, including collection, use, recording, etc.
Right to be Forgotten - also known as Data Erasure, it gives the data subject the right to ask the data controller to erase their personal data and stop sharing it.
Subject Access Right - also known as the Right to Access, it entitles the data subject to have access to and information about the personal data that a controller has concerning them.
Sensitive Personal Data - this relates to information concerning a data subject's racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health, sexual life, or details of criminal offences.
GDPR Explained An informative resource prepared by a group of organisations (EDRI, Panoptykon, Bits of Freedom, Open Rights Group, Digital Rights Ireland, Xnet, Digital Courage, and ApTI Romania.
Friends of the Earth GDPR compliance guide for their local groups.
_ This article was written by Leil-Zahra Mortada. Thanks to Djordje Krivokapic, Fieke Jansen, Daisy Kidd, and Marek Tuszynski for their insights._