Everything you need to know about the EU's new privacy rules

BRUSSELS — One month from now, the European Union’s tough new data regulations will come into force, and there has been much talk about what this means for organizations globally. When it comes to aid organizations’ preparations for the General Data Protection Regulation, or GDPR, tech consultant Siobhan Green said the reaction has been either that “the sky is falling” or that “it doesn’t affect us.” The truth, she said, lies mostly in between. The regulation updates the EU’s existing data protection framework, which many organizations are already familiar with, but it includes significant changes, such as greater fines, binding obligations and broader applications — including for organizations that may not be based in Europe. There are a range of data protection guidelines already available for the aid sector, such as the Handbook on Data Protection in Humanitarian Action from the International Committee of the Red Cross, prepared with the Brussels Privacy Hub. Green’s employer, Sonjara, was recently contracted by the United States Agency for International Development to prepare its Responsible Data Practice Guidelines. When crafting the USAID guidelines, which are set to be released “in the coming weeks” according to a spokesperson, Green and her team recognized the new EU regulation as the most stringent data protection requirements in the world. As she traveled to Kenya and Nigeria to test how principles on consent, storage, processing, deletion, and anonymization work in practice, Green encountered many aid organizations who felt the GDPR is too onerous. “We very quickly got a lot of people saying, ‘this is too expensive, if we do this, we have to go back to paper and pen or we can’t do anything,’” she told Devex. In contrast, the USAID guide is voluntary and sets out to provide a baseline standard on how to manage personal information. With the EU regulation becoming enforceable on May 25, organizations around the world are grappling with how to prepare and avoid potential fines of up to 20 million euros ($24.6 million), or 4 percent of annual turnover, whichever is higher. Devex spoke with Green, as well as Michael Duggan, chief information officer at Oxfam International, and Clare Sullivan, a legal adviser for the USAID guidelines, on what the new regulation means for NGOs around the world. The conversations have been edited for length and clarity. Does EU data protection law affect my organization? Sullivan: If you are processing the personal data of an EU data subject, then your organization falls under the GDPR. An EU data subject is defined in the law as someone who is resident in the EU. Theoretically, you can have one or two people working from home anywhere in the world, and as soon as you start processing the data of an EU subject and you keep a record like their address or some sort of health information, all of that gets caught up in the regulation. So it’s pretty easy to be caught by the regulation. There are exemptions to the normal requirement to get a data subject’s consent to process their data if this is collected for certain legitimate interests of the data controller or the broader public interest. But those categories are really strictly enforced. Duggan: We are being very conservative and our approach is that if any personal data is stored in the EU, regardless of where it comes from, then the full GDPR requirements will apply to it. We want to comply with the legislation in the country where we are operating. Other countries have their own requirements, and the African Union for example has stated they want to see data protection legislation introduced in African countries. What’s changing on May 25? Sullivan: Under the previous directive, unless you were actually operating in the EU and you had an office there, basically the European data protection regulation didn’t apply to you. Now it applies worldwide. So any organization that is processing the personal data of an EU data subject falls within the ambit of the regulation. That’s the part that’s got everybody worried. This is also a regulation, not a directive, so it’s legally binding directly as law in EU member nations. Duggan: It is important to note that the GDPR is an update of existing data protection legislation, and most of the core rights have already been in place for some time. We have a task force across all of Oxfam’s affiliates to drive compliance with the GDPR, but we have a wider data protection and privacy agenda as well, given the amount of personally identifiable information that we collect inside and outside the EU. We are changing our business processes on how we acquire personally identifiable information, and then it’s about lifecycle policies, up to destroying it. Are beneficiaries of an EU-funded aid program in Nigeria covered under the GDPR, for example? Duggan: Like a lot of legislation, until it’s tested you won’t have an absolute answer. One of the challenges with cloud systems is trying to understand where the data is resident. Our view is that if the data is resident within the EU we will treat it the same way as any other GDPR data sets will be treated. Green: It’s still unclear whether having one EU data subject in the data set will require the whole dataset to be compliant with the GDPR or whether that’s considered too high a standard. So let’s say you are running an NGO in Nigeria and you are implementing electronic medical records, and you have a citizen of the EU in your dataset and that’s health information, so that’s sensitive information. Would all of that data need to be compliant with the GDPR? For now, we don’t have a clear answer. For example, the United Nations wants to have a worldwide platform for women to find buyers for their goods. Those buyers could be anywhere in the world, including in Europe. The fact that you have this non-geographically bounded piece in the GDPR is making everyone ask whether this affects them or not. What about migrants arriving in Greece? Duggan: Yes, they would fall under the GDPR. There was a huge shift in the sector when we had our first beneficiaries in the EU, particularly migrants coming through Greece. Now we’re much more cognizant of the fact that the GDPR is becoming the base standard that we need to apply across the board. The context can be difficult when you’re registering beneficiaries during a crisis. You want to do that as quickly and effectively as possible, while still respecting the data rights of the beneficiary. Sullivan: If the migrants are present in the EU then yes, they can be covered by the regulation. But the GDPR doesn’t catch people who are travelling in and out. It doesn’t apply to travelers. Is the consent of data subjects enough to protect you? “You cannot give informed consent to an organization to mismanage your data.” --— Siobhan Green, tech consultant Green: Not necessarily. You have to prove they understood the risks and usage of their data, so it was explained using clear language; that you only used the data under the terms of consent; and that you’re able to reply to questions or requests in a timely fashion, including removing their information if necessary — or, if that’s not possible, that it was stated in the informed consent. You cannot give informed consent to an organization to mismanage your data. Sullivan: Other regulations such as the proposed e-Privacy Regulation may also apply, irrespective of data subject consent. How does this affect fundraising? Duggan: Most of the core data protection rights have been in place prior to the GDPR and fundraisers have been familiar with permission-based fundraising. The GDPR tightens some of these regulations but in some ways makes it easier by providing consistency across markets in Europe. You have always needed to show that you have a legitimate interest in processing the data and demonstrate that you gave notice when acquiring it. However, under current legislation permission could be “implicit” — for example, it is obvious that we need your details to process the transaction. GDPR makes it clear that you must seek explicit permission from the individual for consent purposes and that processes and systems must capture and flag what permission the individual gave. Best practice has been to seek these but many organizations who did not do that originally now have a task to go back and explicitly ask for that permission. Will this mean collecting less data to begin with, or being more targeted in what you collect? Green: Yes: Collect only what you need (and maybe reuse what others have collected already); manage your data more proactively; and value your data more. How does the right to be forgotten — the right to have your data deleted — apply here? Duggan: The right to be forgotten is an interesting but often misunderstood component of the GDPR regulation. While it gives the individual the right to be forgotten, that applies only when the organization no longer has a legitimate need to process that data. In effect, it allows individuals to address bad data housekeeping by the organization. Typically, the reasons data must be held are to do with taxation or banking obligations. With effective data lifecycle policies that remove personal information when it is no longer required for processing, organizations should not be in a position of having to execute a right to be forgotten request. Will some organizations be able to circumvent the regulation by changing where they store their data? Green: Possibly, but as the GDPR is becoming the gold standard of data protection, we are seeing more countries, such as Sierra Leone, grabbing GDPR language and putting it into their data protection legislation. EU-based donors are also starting to require it in contract language with all their partners. Finally, there is a question of ethics — shouldn’t the INGO community be leading the way in data protection for beneficiaries? Sullivan: Data processing is widely defined in the GDPR to include virtually all aspects of data handling including, for example, collection, transmission, even deletion. What are the main data protection challenges facing NGOs? “You can have the best systems in the world, but you need to make sure that people are engaged and buy in to their use.” --— Michael Duggan, chief information officer at Oxfam International Duggan: A real challenge for most NGOs, and in fact most organizations, is that our software is made in America and is not privacy-by-design. We’re having to retrofit a lot of processes on to systems that struggle with that. To give a very practical example: If we get a subject access request, i.e. someone asks to see what data we hold about them, that person’s personal information can be distributed over many systems. Some systems are quite structured, so it’s reasonably easy to find, but others are quite unstructured, meaning there is an element of manual work and effort to find it. Part of Oxfam’s procurement now, for any future IT system, requires us to have that compliance functionality built in. That’s the technical side. The other side is that you can have the best systems in the world, but you need to make sure that people are engaged and buy in to their use. We’re developing an in-house training program and all of our European staff will have sat through this by May. After May, all of our staff worldwide will complete this training. Green: There aren’t enough people who know the legal aspects, the technical aspects, and have the capacity, because a lot of this stuff is about good data hygiene throughout your entire data processing cycle. It’s not good enough to have a server that has everything encrypted if somebody is downloading copies of that data, sticking it in their pocket and then losing it on the subway; or emailing it out using their personal email account and saving it in Google Drive. What are the risks, in development work, if data protection is not done properly? Green: Some populations lie about their identity to protect their privacy, especially people who are HIV positive, men who have sex with men, sex workers, etc. This causes a huge problem with continuity of care, because they might be visiting multiple health centers and there is no way to link their records together unless the individual says they were at the other center. One — hopefully apocryphal — story we heard was that an NGO was using fingerprints to connect people’s records. This was all well and good except this was in Uganda, and the local police found out that there was a database of fingerprints of gay people, and raided the NGO and confiscated the database. Now, here’s the thing: It doesn’t even have to be true. We heard this in Kenya from people who work with at-risk populations who said that as soon as that rumor got out, all of those high-risk populations started saying, “we’re not giving you our fingerprints.” So this is one of the reasons NGOs need to be thinking beyond the legal compliance. What resources are available to help NGOs improve their data handling? “It would be nice to get the word out, because people are going to start reinventing the wheel and we’ve already done the work.” --— Clare Sullivan, a legal adviser for the USAID guidelines Duggan: One of the things we are proudest of is the Oxfam Responsible Data Management Training pack, which is publicly available. It’s a simple, easy-to-use toolkit to help train people in how to use and capture personal information. We are also members of NetHope, which is an alliance of the 52 largest NGOs in the world. And we have our own working group within NetHope to drive standards around data protection and how we can all be compliant as efficiently and effectively as possible. We use that vehicle to talk to the technology sector about the challenges that we have and where we need help. That’s been very effective. Sullivan: I’ve done a lot of work over the past year with USAID, and they are about to publish their Responsible Data Handling Guidelines. We looked at regulations around the world and developed data handling standards for development professionals in the field. We’ve heard, much to our frustration, that Germany has released an open call at national level for new data handling guidelines, and of course we’ve already done it, but they haven’t been released yet. It would be nice to get the word out, because people are going to start reinventing the wheel and we’ve already done the work.