Last Wednesday, we gathered experts and members of the Responsible Data community in a community call to discuss the implications and challenges of the General Data Protection Regulation (GDPR), the European Union’s forthcoming regulation on data protection. The regulation was designed to give control over personal data back to citizens and residents, and to create a uniform data protection law across member countries.
Given the complexity of the GDPR — and its implementation date only six months away (25 May 2018) — we were happy to find an opportunity for the community to share strategies, tips and tricks on how to prepare for the changes and challenges the regulation will bring.
We were joined by Pat Walshe of Privacy Matters, Gloria Gonzalez Fuster of the Vrije Universiteit Brussel, and Sean McDonald of FrontlineSMS, who all shared compelling insights on the GDPR itself, as well as their experiences preparing for its implementation. We were excited to hear many intriguing questions from a very engaged audience, and want to thank the speakers for taking the time to address all of them.
If you’re interested in reading the notes from the community call, you can do so in this Etherpad, which will stay live. Below, we’ve gathered insights from the community call that introduce the GDPR, as well as a short list of resources for practitioners.
1) Responsibility and rights are foundational to the GDPR
The GDPR is a rights-based framework, which is a way of looking at data that the Responsible Data community has long advocated for. But now, the rights of people reflected in the data aren’t just the right to privacy, but also the right to be informed, the right to object, the right to erasure, and more.
The GDPR makes responsibility the instrumental vehicle for good governance and accountability, and for ensuring that the rights of data subjects are respected. Under the GDPR, anyone who processes data is responsible for processing it transparently and must be able to demonstrate compliance.
2) The scope of the GDPR is broad, going beyond Europe
While the GDPR is a European regulation, its effects will be felt well beyond the European borders. The regulation will apply to data of European citizens (irrespective of their location) and residents, and data that is processed in Europe will also fall within the regulation’s scope.
Therefore, the regulation creates an excellent opportunity to practice data protection by design and by default.
3) The GDPR broadens the definition of ‘personal data’
The GDPR significantly broadens the definition of personal data to include information such as internet browser cookies, and genetic or sociological information – in other words, any data that can be singled out to uniquely identify an individual. Merely anonymizing data will no longer be enough: the GDPR pushes us to think more critically about sensitive data.
4) Prepare for data audits now
Under the GDPR, you should keep a record of all data processing activities done by you and people you employ to process data on your behalf (an example of such a service would be Mailchimp). And interestingly, ‘data processing’ includes simply holding data.
5) The GDPR strengthens the rights of data subjects
The GDPR will significantly extend and strengthen the rights of data subjects. Under the regulation, individuals will have the right to know:
- What data is held about them and how they can request this data (with the expectation that they will receive it within a set time period)
- Who sees the data held on them
- How their data is being used and what decisions may be made with it
As intimidating as it may look, the GDPR does provide us all with an opportunity to think carefully about the data we gather and hold and about the rights of the people reflected in that data. And as our experts said, engaging as a community and learning together about compliance goes a long way towards showing GDPR regulators that we’re making steps in the right direction.
6) For organisations, this is operational
The GDPR will affect not just teams working on tech and data at an organisation, but the operations of the entire organisation itself. In many ways, as our experts identified, the GDPR fundamentally changes the relationship we all have when collecting data. Instead of data collection being a one-off process, organisations will have to set up and maintain open lines of communication with the people from whom they are collecting data. Organisations will need to be ready to update users on what their data is being used for, share copies of the data, and request consent (again) if the purpose of their data collection changes. In many ways, this pushes us towards better practice – thinking more intentionally about why we collect data, and using it for a pre-designated purpose.
Below, we’ve compiled resources that were shared during the call. We welcome more resources from members of the community. Feel free to share these in a comment, on the Responsible Data mailing list, or on Twitter, using #responsibledata.
Resources on the GDPR
- The General Data Protection Regulation
- ‘Handbook on Data Protection in Humanitarian Action,’ by the International Committee of the Red Cross and the Brussels Privacy Hub
- ‘Data Innovation Risk Assessment Tool,’ by UN Global Pulse
- ‘Top 10 Operational Impacts of the GDPR,’ by IAPP
- ‘Global Data Privacy Laws 2017: 120 National Data Privacy Laws, Including Indonesia and Turkey,’ by Graham Greenleaf
- ‘Balancing Globalisation’s Benefits and Commitments: Accession to Data Protection Convention 108 by Countries Outside Europe,’ by Graham Greenleaf
- ‘Data Law’s Radioactive Decay,’ by Sean McDonald
- ‘Do no harm: A taxonomy of the challenges of humanitarian experimentation,’ by Kristin Bergtora Sandvik, Katja Lindskov Jacobsen and Sean Martin McDonald
- ‘Group Privacy: The Next Generation of Privacy Problems,’ by Linnet Taylor
- ‘Mapping and Comparing Responsible Data Approaches,’ by GovLab