G-D-P-R are four letters you may have heard frequently when discussing your organization’s data compliance and security. This post provides an overview of key European Union (EU) General Data Protection Regulation (GDPR) principles on the protection of personal data. For specific GDPR compliance requirements and questions, please seek advice from your organization’s legal counsel.
The General Data Protection Regulation (GDPR) is the European Union's (EU) data privacy and security law, enacted in May 2018, that sets out one set of data protection rules for how organizations operating in the EU handle personal data. GDPR applies not only to organizations established in the EU that process personal data, but also to any organization established outside the EU that targets individuals residing in the EU. Violations of the GDPR can result in massive fines...Just ask Google or Marriott.
GDPR applies to personal data, meaning any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier.
What is considered Personally Identifiable Information (PII) under GDPR?
Names, government-issued IDs, social security numbers, contact information (email, phone, physical address), online information (social media handles), geolocation, birthdate.
Health, financial, travel data including medical record information and account numbers.
Biometric data such as photos, documents, scans
Additional data stored on systems
The key GDPR principles are highlighted below:
Consent: The individual has given clear consent for the organization to process their personal data for a specific reason. It must be as easy to withdraw consent as it is to give it. NOTE: some countries have additional privacy and data laws. This is a general background on GDPR and not fully inclusive of all possible scenarios you may encounter. Please speak with your own counsel for the specific rules you need to follow.
Freely Given. Consent must be “freely given”. The organization should not require any constituent to consent to marketing in order to complete a transaction (i.e. event registration or donation).
Informed. The individual knows the organization’s identity, what data processing activities the organization intends to conduct, the purpose of the data processing, and that the individual can withdraw their consent at any time. The language must be clear and simple to understand.
Unambiguous. Clear, affirmative consent. The individual must consent by doing or saying something. For example, on a web page, the individual is required to click a checkbox indicating they understand and accept the organization’s proposed processing of his or her personal data.
Revocation and Right to Object. Individuals must be able to revoke consent at any time.
Right to Access: Individuals have the right to obtain a copy of their personal data, as well as supplementary information.
Confirmation of personal use
An individual can make a subject access request (SAR) verbally or in writing for a free electronic copy of data.
Right to be forgotten: When data is no longer relevant to its original purpose, data subjects can have the data controller erase their personal data and cease its dissemination. Individuals can also request that the processing of their data be “suspended” on a temporary basis.
You are required to delete data once it is no longer needed. The organization needs to establish timelines for erasing or reviewing the data it stores.
Breach Notification: In the event of a data breach, data processors have to notify their controllers and constituents of any risk within 72 hours.
Data Portability: Allows individuals to obtain and reuse their personal data for their own purposes by transferring it across different IT environments.
When transferring data from one system to another, the data should be transferred in a commonly used open format (e.g. XML, JSON, CSV, etc.). When selecting a data format, the organization should consider how that format would affect or hinder the individual’s right to re-use the data. For instance, a PDF version of records may not be sufficient to ensure that personal data is easily re-used.
Privacy by Design: The inclusion of data protection from the onset of designing systems, implementing appropriate technical and infrastructural measures.
Simply put, this means data protection through technology design.
GDPR assigns distinct responsibilities to the software platform and to the software user:
The software platform must be able to facilitate the constituent’s request. The data processing functionality is already integrated in the software/technology.
It is the responsibility of the user of the software (i.e. the Nonprofit Organization) to interpret the law.
While GDPR is an EU regulation, it also builds trust and confidence with donors, providing transparency on data collection and the use of personal data. If you’d like help setting up GDPR within Blackbaud CRM™ please contact us!