As the humanitarian relief and development communities have matured over many decades, ICT4D has shifted more recently from innovation to a catalyst for attaining target socio-economic development goals. Practitioners of ICT4D within international and local non-governmental organizations (NGOs), civil society organizations, United Nations (UN) agencies, donor agencies and private sector companies are increasingly aware of the inherent opportunities, risks, and ethical considerations involved with capturing, analyzing, and leveraging personal data about beneficiaries and subpopulations.
This has created a number of challenges. To follow increasingly strict regulations regarding data security, these organizations must understand and implement processes that adhere to the evolving data security laws that protect the people they serve.
Big changes and bigger costs
As parties in North America and Asia continue to strive toward common and workable global data privacy standards, with United States’ Health Insurance Portability and Accountability Act (HIPAA) and the Asia Pacific Economic Cooperation (APEC) Privacy Framework, member states of the European Union have also made strides on their own toward reaching these goals. Going into effect on May 25, 2018, the General Data Protection Regulation (GDPR) intends to strengthen and unify data protection for all individuals within the European Union (EU)—replacing the current Data Protection Act.
The regulations include new requirements for how organizations manage personal information and apply to fundraising, impact assessments, volunteer management, and demographic information about those beneficiaries supported by donor programs. Essentially, anything that involves an individual’s personally identifiable information (PII) is covered. But this is not just applicable to projects within the EU. Because research and impact data collection happens in the field via GDPR-covered organizations around the globe, the reach of the regulations is vast.
What about donor data?
According to an audit conducted by W8 Data, up to three quarters of the donor data held by charities will become unusable under GDPR’s requirements as of May 25, 2018.
“It’s unsurprising that re-permissioning campaigns are rocketing as charities are waking up to the realisation that much of their data will be useless come May 2018. However, what is crucial moving forward is that the opted in data is quality checked and well maintained, otherwise it risks becoming uncompliant and unusable. The fact that two thirds of organisations are currently failing to regularly refresh their data speaks volumes and under GDPR is something that is going to have to change.” – Dave Lee, Director of W8 Data
Ready or not, here it comes
Many of us are affected, but few are fully prepared. According to Osterman Research, 64 percent of organizations are not ready to comply with the requirements of the GDPR. This unpreparedness could be extremely costly. As of the May 25 implementation, regulators will have the power to levy punitive damages as high €20 million (or 4% of global turnover, whichever is greater) to organizations that fail to meet the specific data security requirements. According to Mike Palmer, executive vice-president and chief product officer at Veritas, “Firms around the world are deeply concerned about the impact that non-compliance will have on their bottom line.” And not-for-profit organizations should be concerned, too.
Let’s review the key elements of the legislation…
Once GDPR comes into effect, organizations must ensure that sensitive personal data is processed lawfully, transparently, and for a specific purpose. Moreover, once that specific purpose has been fulfilled and the data is no longer required, it must be disposed of and completely deleted.
For many NGOs or relief organizations, adhering to these new standards pose a set of unique challenges and requires a more holistic approach. Every aspect of an organization’s data-centric operation needs to be in compliance. The standards will apply to those in the field, the same way they apply to those in the office. Additionally, the regulations make no distinction between those individuals employed by a given organization and those who volunteer. Even an unpaid intern or volunteer must be trained, equipped, and prepared to protect personal and sensitive data if they gather or handle it on behalf of the organization, as part of their role.
Organizations are required to follow the “state of the art” and “implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.” Similar to the 2013 HIPAA data breach that occurred when personal health data was left on the hard drive of a hospital photocopier, non-profit and NGO researchers must maintain data security during the entire program, from the mobile devices used to capture it, to server data encryption to store it, through usage for analysis and sharing. As the saying goes, you are only as secure as your weakest link. This risk includes situations that can occur when processing information that could lead to “physical, material, or non-material damage.”
And because the GDPR applies to all the data an organization holds, donor and marketing lists and other funding-related information must be collected, stored, and utilized in accordance with the regulations as well. To avoid fines, NGOs and relief organizations must put processes in place that ensure supporters and donors aren’t contacted improperly or erroneously once they’ve withdrawn consent or have objected to the organization’s use of their information. Many organizations are currently conducting comprehensive opt-in campaigns ahead of the looming deadline.
GDPR Glossary (internal processes)
- Controller – Organizations that collect personal data and determine how it will be processed are considered the Controller of that data and must comply with applicable data privacy legislation accordingly.
- Processor – A company/organization that helps a controller by “processing” data based on its instructions, but doesn’t decide what to do with data.
- Processing – Any operation or set of operations which is performed on personal data or on sets of personal data, by automated means or otherwise, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Privacy by Design and DPIA – The GDPR requires that data privacy be built in “by design” when new systems are developed. It also requires that a Data Privacy Impact Assessment (DPIA) be performed which systematically considers the potential impact that a project or initiative might have on the privacy of individuals. If potential privacy issues arise, the organization must mitigate them before the project is underway.
- Data Privacy Officer – Organizations that regularly perform large-scale monitoring of data subjects must have a Data Privacy Officer (DPO) to oversee compliance efforts (e.g., a Controller’s relationships with vendors who process and store personal data, vendors’ security practices, and notification of data subject requests). The GDPR’s new “one stop shop” provision allows organizations with offices in multiple EU countries to have a “lead supervisory authority” acting as a central point of enforcement to avoid inconsistent directions from multiple supervisory authorities.
- Contracts & Privacy Documentation – Controllers and Processors must review their Privacy Notices, Privacy Statements, and any internal data policies to ensure they meet the requirements under the GDPR. If a Controller engages third party vendors to process the personal data under their control, they will need to ensure their contracts with those Processors are updated to include the new, mandatory Processor provisions set out in Article 28 of the Regulation. Similarly, Processors should consider what changes they’ll need to make to their customer contracts to be GDPR-ready by May 2018.
- Transfer – Transferring data outside the EU should only be done if necessary. As defined by the GDPR, transfers of personal data to countries outside the EU (also referred to as “third countries”) may only take place if that country is deemed to have an “adequate” level of data protection. A current list of “approved countries” is available here but it is important to understand that any adequacy decision is subject to periodic review, taking into account relevant changes to usage within that country. If data is transferred outside approved countries, contracts that include binding rules regarding a corporate data protection code of conduct must be in place.
User opt-in consent is the “new normal.” Under the GDPR, consent is paramount and required. Individuals must give clear consent freely before their personal data can be collected. Additionally, data can only be used for the purpose under which it was collected. But this may not always be straightforward.
A 2017 discussion paper from World Vision highlights the nuance for those in the field. In the context of a humanitarian response, the psychological impact of a disaster or traumatic event certainly impacts a person’s ability to make data privacy decisions. In other examples, requesting personal information regarding religion, health status, etc. can also create vulnerabilities for unintended discrimination. Humanitarian professionals are learning that the practice of obtaining consent falls on a spectrum between informed and uninformed, and as a whole they are closer to uninformed consent than they would like to be.
The paper stresses answering the following fundamental types of ‘consent’ questions:
- Is consent to use the information freely given for a stated purpose?
- Is consent freely given to allow sharing of that information with others and for a stated purpose?
- Who is responsible to decide when and with whom to share the information?
- How much risk to the beneficiary exists, given the nature of the data collected (e.g., documentation of a characteristic that is potentially stigmatizing, illegal, or otherwise leads to significant problems for that individual should data security be breached)?
GDPR Glossary (consent)
- Consent – Whenever a data subject is about to submit their personal information, the data Controller (an organization) must make sure that he/she has given their consent, that it is “freely given, specific, informed and unambiguous,” with Controllers using “clear and plain” language. Controllers must provide evidence that their processes are compliant in each case.
- Objection – Consent is key but the flip-side is the ability to decline. When it comes to collected data, subjects have the right to object to their personal information being used for marketing or profiling. As mentioned above in relation to ICT4D, enumerators in the field must be trained to not only be completely transparent as to how personal data will be used, but also how to handle objections to participation in a survey.
- New Rights for Individuals – Data subjects have a “right to be forgotten” that requires Controllers to alert downstream recipients of deletion requests. Data subjects also have a “right to data portability” that allows them to demand a copy of their data in a common format. These requests must all be processed in a timely manner.
Accountability and Penalties
Any data loss must be reported to supervising authorities within 72 hours, and users and data subjects should be informed as soon as possible. While many consumers have become accustomed to receiving an email notification from a retailer when a data breach has put their credit card or other personal information at risk, notifying research subjects located in rural agricultural villages presents additional challenges. Time will tell how effective this communication will be, and how easily the process can be audited.
GDPR Glossary (accountability and penalties)
- Scope – While the current legislation, the 1995 EU Data Protection Directive, governs entities within the EU, the territorial scope of the GDPR is far wider, in that it will also apply to non-EU organizations who market their products to people in the EU or who monitor the behavior of people in the EU. In other words, even if you’re based outside of the EU but you control or process the data of EU citizens, the GDPR will apply to you.
- Accountability and Penalties – Controllers and Processors must be able to demonstrate their compliance with the GDPR to their local supervisory authority. In the case of a violation, Controllers and Processors who mishandle personal data or otherwise violate data subjects’ rights could incur fines of up to €20 million or 4% of their global annual revenue (whichever is greater).
- Reporting Breaches – Controllers must notify their country’s supervisory authority of a personal data breach within 72 hours of learning about it, unless the data was anonymized or encrypted. Breaches that are likely to bring harm to an individual – such as identity theft or breach of confidentiality – must also be reported to the individuals concerned.
For public and private sectors alike, when it comes to the GDPR, there’s a lot of information to keep straight. Once you know what GDPR is and what it means for the ICT4D community, you need to identify what it means for your specific organization’s staff, operations, and vendors—beyond those who deal directly with technology. With regulatory enforcement beginning on May 25, 2018, now is the time to get your organization prepared. Here are 10 tips for preparing for GDPR. Use them as a guide to begin your preparation and response plan.