GDPR stands for the EU General Data Protection Regulation, and it comes into effect on 25 May 2018 across the European Economic Area (EEA). It is a comprehensive set of regulations that describes how organisations may obtain and make use of data about people -- or, in the terms of the regulation, ‘EU data subjects’.
Broadly, the GDPR’s approach is to suggest that organisations only collect data that they really need (privacy by default), and when they do collect that information, to ensure that it is stored as securely as possible (privacy by design). It also extends the rights of individuals to understand how their information is being used and to specifically opt-in to those uses. Users also have the right to access the information held about them, to correct information held about them, and to have that information deleted.
There are several main ways that the GDPR differs from previous regulations.
Requirements for data policies: Organisations must keep a clear and current record of the data they capture and process.
Extra-territorial applicability: Even if the organisation isn’t based inside the EEA, it must comply with the regulations if it is interacting with EU ‘data subjects’. Initial guidance isn’t so clear on how this term is defined, but it seems to mean EU citizens and residents who are physically in the EEA -- so, for example, this wouldn’t be applicable to an EEA citizen in Switzerland, but it would apply to a Swiss person based in France.
There must be a clear, lawful basis for collecting or processing data: There are six lawful reasons for collecting data. The one that is most relevant to foraus and OpenTTN in terms of newsletters and such is probably ‘consent’. But there are also contractual and legal reasons for collecting data on employees, for instance.
When consent is the legal basis, it must be specific and on an ‘opt-in’ basis: Each specific use of data must be clear to the subject (no long, jargon-heavy terms and conditions) and they must give explicit consent for that use of information (e.g. receiving a newsletter). This can be done through tick-boxes that are left unticked by default. A record of that consent must be maintained. Additionally, consent may expire over time – for example, if someone registers for an event and consents to receive email about the event, it’s not unreasonable to send reminders in advance of the event. Follow-up from the event (e.g. requests to complete a survey, or sending links to the event video or event report) may be in a grey area depending on what attendees have specifically consented to, but is probably justifiable. Invitations to future events, however, would not be permitted unless attendees have specifically agreed to receive future event invitations.
Users have the right to access all data held about them and for that data to be deleted: Under current regulations, users can reasonably request information held about them. But under GDPR, non-proprietary data must be provided in a common file format (like XML or CSV documents) and within a one-month period (which is shorter or longer depending on the month). If a user requests, the organisation must delete or remove some or all of the data held about that person.
Requirements to notify of data breaches: Organisations may be required to notify users in the event of certain types of data breach. They are also required to notify the local regulatory authority (it’s unclear who this would be in the case of organisations located outside the EEA, and it’s unclear how this can be enforced in practice).
There are BIG fines for non-compliance: Fines of up to EUR 2m or 4% of global turnover are applicable and there is no distinction made between companies or not-for-profit organisations.
OpenTTN member organisations might want to receive legal advice on the steps they may need to take to become GDPR compliant. However, general recommendations include:
Performing a data audit: One of the main requirements of the GDPR is for organisations to maintain a record of the data that they collect. One of the first steps, therefore, is to get an overview of the different data that each organisation collects. This may include things like membership information, payment information, analytics collected about users of the website or other social channels, etc. It’s also important to understand who does (and, importantly, who does not) have access to that information and how securely that information is stored and transferred. We have developed a data audit template, which will be shared separately and could form the basis of this audit. And finally, check with any third parties (e.g. payment processors, web hosts, technology partners, etc.) to make sure they are compliant with GDPR.
Determine the lawful basis for collecting that information: Not all data that is collected will be subject to specific consent, but much of it will be. If consent is required, it will be important to make consent clear, specific and on an ‘opt-in’ basis. If you have data that requires consent, but that consent is not already on record, it’s important to initiate a process that re-confirms that consent.
Update privacy policies and/or terms of service: Ensure that these documents are GDPR compliant and that they reflect your revised data collection and utilisation. We will also share examples of privacy policies, where possible.
Set up systems: In order to inform regulators and/or users about a possible data breach, it’s important that there are systems in place to monitor for a data breach – whether through hacking or through accidental sharing of information with people who shouldn’t have had access. It’s also important to have systems in place to respond to requests from users about their data and to delete any information that we may hold about them.
The UK regulator, the ICO, has a great Guide to the GDPR
How to prepare for GDPR and data protection reform from the UK’s NCVO
Written by Jeff Knezovich for OpenTTN and funded by Larix. This should not be considered as legal advice, but rather guidance. Your organisation may want to consult legal advisors in your own country.