May 25, 2018; Brookings Institution
As of Friday, May 25th, the EU’s General Data Protection Regulation is in effect—and, if you’ve opened your email inbox within the last month, you know that many companies are updating their privacy policies to be compliant.
GDPR is a new set of regulations that requires organizations to protect the personal data of EU citizens if that data is provided during an interaction within an EU member state. The regulation is the same across all 28 member states.
GDPR replaces an older data protection law from 1995, and the biggest change to the law is the concept of extraterritoriality: it applies to all organizations that process personal data of European residents, whether or not they are physically located in Europe. The other changes are kept purposefully loose—while they require a “reasonable” set of protections for personal data, the definition of reasonableness isn’t provided, and may be left to European regulatory agencies.
What Changes Does GDPR Create?
GDPR is intended to create protections for personal data, including identity information, web data (including location and IP address), health and biometric data, racial or ethnic data, political opinions, and sexual orientation. Key changes will include:
- Data processors will be required to notify customers “without undue delay” after becoming aware of a data breach.
- Customers will have a right to confirm whether their data is being processed, where, and for what purpose, and will be able to request a copy of their personal data free of charge.
- The “right to be forgotten,” previously established through court hearings, is now written into the regulations. Customers may request that data controllers erase their personal data at any time. The rules do allow controllers to weigh the subjects’ rights against “the public interest in the availability of the data” when considering such requests, raising questions about whether individuals can erase their names from, for example, crime records.
- GDPR introduces the idea of data portability, the right for a customer to share their data between controllers in a commonly used format.
- A “privacy by design” imperative calls for the inclusion of data protection from the onset of designing collection systems, allowing fines for companies that ignore data protection until a new system is complete.
Does Your Nonprofit Need to Comply?
Companies with over 250 employees are required to comply if they deal in the data of Europeans; the employee limit is lower for data processors who store data that is “likely to result in a risk to the rights and freedoms of data subjects.” Nonprofits collecting international donations could be affected, but small local nonprofits aren’t likely to be. As Ona Alston Dosunmu and Christie Yang wrote for the Brookings Institution last week, “nonprofits probably weren’t top of mind for European regulators.” The regulations are primarily aimed at data-heavy industries like finance and healthcare, and most EU countries don’t yet have enforcement for GDPR in place.
However, GDPR violations can result in heavy fines, and nobody wants to be the first test case. In addition, some of the GDPR regulations make good sense: notifying customers immediately post-breach is good business, and the capability to confirm to customers how their data is processed increases public trust.
Does your organization need to comply with the new EU regulations? If you operate primarily in the United States, probably not. But should you? If you’re into best practices for data collection, it’s not a bad idea.—Lauren Karch