Sound exciting? Probably not, but what some are calling the “most important change in data privacy regulation in 20 years” goes into effect this May, and it will have implications for organizations around the globe.
What happens in the EU doesn’t stay in the EU.
Two years ago, the European Parliament approved the General Data Protection Regulation (GDPR). According to the EU GDPR Portal, this legislation is meant “to protect all EU citizens’ data privacy and to reshape the way organizations approach data privacy” and will start being enforced on May 25.
Though non-EU residents may not enjoy the same rights as those on the Continent, the GDPR will reach beyond Europe’s borders to put an additional onus on organizations. Specifically, non-EU companies and non-profit organizations that process personal data of any resident within the European Union must also comply with the GDPR.
Personal data is not limited to government ID numbers and financial information. It also includes names, photos, email addresses, posts on social networking sites, medical information, and IP addresses. Odds are, even if you are a small nonprofit, you’ve collected an EU resident’s personal data through online donations, e-signatures on petitions, or e-newsletter sign-ups.
What happens if your organization gets caught not complying? The penalties for noncompliance can be massive. The most serious infringements can cost your company €20 million.
Protect your supporters’ data privacy to protect your organization.
With the clock ticking, your organization should act now to address how you will comply with the GDPR and implement your strategy well before May 28. There are several restrictions and directives to consider, which you can and should review online. To help you get started, though, here are just a few actions your organization should take to meet compliance:
Provide clear instructions and explanations to your constituents.
GDPR rules apply before your organization even collects anyone’s personal data. EU residents have the right to know if, how, when, where, why and by whom their personal data will be used and processed. You are responsible for providing this information without any confusing legalese before anyone even provides you with their information.
Develop a rapid response communications strategy.
In case of a data breach, you’ll now only have up to 72 hours to notify your constituents that their personal data may have been compromised. Create a template for what information you will have to provide, and have a strategy for how you will get the information directly to each of your constituents. A Facebook post does not count as notification.
Also have a system in place for ceasing communications. Reaching out to someone who opted out of your newsletter could land you in hot water.
Establish a Process for Deleting Data
The right to erasure, most commonly known as the “right to be forgotten,” is essentially intended to protect EU citizens from being haunted by their pasts. At first glance, it may seem that this should not affect organizations, but consider the example of applying for a job. Applicants might be concerned that the businesses they are interviewing with may not approve of them belonging to or supporting associations that conflict with the mission and values of the prospective employers.
No matter what the scenario might be, EU citizens have the right to have aspects of their online presence deleted, and your organization must comply with requests to have data deleted and must delete data that is no longer being used for its original purpose.
Make data protection a part of all that you do.
It’s been discussed on the Tech in Ten podcast time after time: too many organizations think about security for websites and online databases after they are built. On May 28, this won’t be just a terrible idea that could cost you time and money. It will also be an infringement of the GDPR that will cost you additional money in penalties. Data protection must be included when you design a system, not added on later.
Let Infamia Help
Infamia is available to offer direct support and has also developed a webpage to help you navigate this complicated regulation so your organization can be in full compliance before May 28. There is a lot to cover, so keep reading the Infamia blog and listening to Tech in Ten for updates, as well.