What Nonprofits Need to Know About GDPR
One of the biggest buzzwords going around for the past few months is GDPR. The General Data Protection Regulation (GDPR) is a new privacy law coming out of the European Union (EU). It applies to all companies within the EU, companies doing business within the EU, and companies doing business with EU residents. Looking at that definition, it impacts most companies in the world that collect any data on the internet.
GDPR has 99 Articles that talk about what organizations should do to protect the data entrusted to them by the individual (aka the data subject). Many are very detailed. However, there are a few key elements of the regulation that businesses need to focus on.
- GDPR has a wide reach: It applies to an organization that has any data from any EU resident. This does not mean they are an EU citizen, just an EU resident.
- GDPR widens the definition of what data is PII: Personally Identifiable Information (PII) is expanded under GDPR to include items such as IP address, name, email, phone number, address, online user ID, location data, biometric data, genetic data, economic data, cultural data, and more.
- GDPR tightens rules for gaining consent, which means businesses need to adjust privacy statements and make clear to consumers what type of data they collect and how.
- GDPR has defined a new role within businesses, the Data Protection Officer (DPO), and a new risk management process: These fall on the more technical side of the regulation. With these changes, it is important to note not all companies will need a DPO. However, if a company appoints one, the DPO is responsible for enforcement of the GDPR regulation throughout the organization. On the risk side, a Privacy Impact Assessment (PIA) will need to be conducted to determine the type of data that is collected and how protected it is.
- Common breach notification: GDPR specifies a breach notification of 72 hours (at most), expanding the scope of notification for a business.
- GDPR speaks of the concept of Privacy By Design: This means, all systems moving forward should not only look at the general security tenets of Confidentiality, Integrity and Availability, but should add Privacy when building or modifying systems.
- The right to be forgotten: I see this as the biggest hurdle for any organization. Once data is collected from a prospective client, the data is put in multiple systems and usually on multiple lists. If a person contacts you and wants to be removed from a business's records, you must be able to prove that ALL of their data is removed from EVERY system within the organization.
GDPR is a big thing for any business and is something that BoardEffect is taking very seriously. The regulation has teeth and a long enforcement reach at this time. There are several departments within BoardEffect actively working on this over the next few months (GDPR goes into effect on 25 May 2018). We will be working to make sure all data is protected and systems have the ability to comply with the regulation.
Here is an infographic from ComputerWeekly.com & TechTarget that will shed more light.