We Are All Responsible Data Sinners. Will GDPR Make Us Repent?

The General Data Protection Regulation takes effect on May 25th, and you should be paying attention. If you operate in the EU or focus on EU-based clients, the sweeping new data protection law applies to you, and the penalties for a violation run up to €20 million or 4% of annual global turnover, whichever is higher.
It requires organizations to be clear and specific about how they collect and use personal data, such as the full name, home address, location data, and IP address of our EU constituents.
Constituents also gain the right to access the data organizations hold about them, the right to have inaccurate information corrected, and the right not to be subject to decisions made solely by automated processing, among others.
GDPR Doesn’t Apply to Everyone
Now, there is an out. As we learned at the GDPR Technology Salon, the law's reach is narrower than the headlines suggest.
It applies to you only if you have an establishment in the EU, or if you offer goods or services to people in the EU or monitor their behaviour there. For example, it applies to the fundraising appeal targeted at people living in EU-member countries, or to the data the European branch of your organization collects.
If you are a US-based organization, focused on serving clients in Sub-Saharan Africa, South Asia, or Latin America, and have no EU presence, you do not need to follow GDPR, even if there are EU citizens or dual nationals in your global constituencies. GDPR protects people who are in the EU, not EU citizens wherever they live.
However, should you really celebrate escaping the best data privacy law of the past 20 years?
GDPR is Responsible Data Best Practice
GDPR asks for very little that is genuinely new. It builds on the 1995 Data Protection Directive, and anyone who has thought seriously about online privacy and data security will recognize many established best practices enshrined in the law, and celebrate the EU coming to our digital rescue (again!).
You are already implementing these responsible data practices, right?

We Are Not Responsible Data Actors – Yet
Actually, you are probably not implementing any of those processes.
As we discussed in the Salon, donors and international development organizations already underfund ordinary IT services, and data security is no exception. All of these practices take time, which is money, and they need to be applied across dozens of programs in a myriad of countries, where we may already be skirting local data laws.
For example, most of us in this field would say we collect data on a country's citizens on behalf of their government, but do we truly hand all of that data over to governments? Or, better still, build on their existing systems in the first place? And what happens when a government's laws conflict with a donor's contractual requirements, such as USAID's ADS 579 on Open Data?
We are already data security sinners. Will GDPR really make us repent?
GDPR: The Catalyst for Change!
GDPR is already having great influence in the countries where we work. South Africa has the Protection of Personal Information Act (POPIA), the Philippines has its Data Privacy Act of 2012, and more countries are considering similar laws. They sure aren't following the USA's lead on net neutrality, the CLOUD Act, FOSTA-SESTA, or SOPA.
GDPR should also push us all to reconsider every aspect of how we interact with our digital constituencies. Take, for example, the concepts of consent, deletion, and breach in international development.

  • How can we obtain truly informed consent when working with marginalized populations? How do you explain cloud servers and deanonymization to a poor farmer?
  • Could we actually delete someone's data if they asked? Do we even know where their data is and who has access to it now, or worse, the day after the project ends?
  • What protocols do we follow if we have a data breach? How would we notify the people whose data was compromised? What if it is national data, or data about people who are offline?

Each of these questions should lead us into long, thoughtful conversations with our program leads, IT staff, donors, constituents, and other stakeholders about the real-world tradeoffs. Every organization should fear its own Cambridge Analytica-Facebook moment: the kind of undisclosed data sharing behind that scandal runs counter to the spirit, if not the letter, of GDPR.
Want more GDPR resources? Digital Impact’s GDPR Guide is an excellent starting place for organizations concerned about their data governance.
The post We Are All Responsible Data Sinners. Will GDPR Make Us Repent? appeared first on ICTworks.