Looking back at the GDPR community call and sharing resources

November 28, 2017

Last Wednesday, we gathered experts and members of the Responsible Data community in a community call to discuss the implications and challenges of the General Data Protection Regulation (GDPR), the European Union’s forthcoming regulation on data protection. The regulation was designed to give control over personal data back to citizens and residents, and to create a uniform data protection law across member countries.

Given the complexity of the GDPR — and its implementation date only six months away (25 May 2018) — we were happy to find an opportunity for the community to share strategies, tips and tricks on how to prepare for the changes and challenges the regulation will bring.

We were joined by Pat Walshe of Privacy Matters, Gloria Gonzalez Fuster of the Vrije Universiteit Brussel, and Sean McDonald of FrontlineSMS, who all shared compelling insights on the GDPR itself, as well as their experiences preparing for its implementation. We were excited to hear many intriguing questions from a very engaged audience, and want to thank the speakers for taking the time to address all of them.

If you’re interested in reading the notes from the community call, you can do so in this Etherpad, which will stay live. Below, we’ve gathered insights from the community call that introduce the GDPR, as well as a short list of resources for practitioners.

1) Responsibility and rights are foundational to the GDPR

The GDPR is a rights-based framework, which is a way of looking at data that the Responsible Data community has long advocated for. But now, the rights of people reflected in the data aren’t just the right to privacy, but also the right to be informed, the right to object, the right to erasure, and more.

The GDPR makes responsibility the instrumental vehicle for good governance and accountability and for ensuring the rights of data subjects are respected. Under the GDPR, anyone who processes data will be responsible for and must be able to demonstrate compliance with transparent data processing.

2) The scope of the GDPR is broad, going beyond Europe

While the GDPR is a European regulation, its effects will be felt well beyond the European borders. The regulation will apply to data of European citizens (irrespective of their location) and residents, and data that is processed in Europe will also fall within the regulation’s scope.

Therefore, the regulation creates an excellent opportunity to practice data protection by design and by default.

3) The GDPR broadens the definition of ‘personal data’

The GDPR significantly broadens the definition of personal data to include information such as internet browser cookies, and genetic or sociological information – in other words, any data that can be singled out to uniquely identify an individual. Merely anonymizing data will no longer be enough: the GDPR pushes us to think more critically about sensitive data.

4) Prepare for data audits now

Under the GDPR, you should keep a record of all data processing activities done by you and people you employ to process data on your behalf (an example of such a service would be Mailchimp). And interestingly, ‘data processing’ includes simply holding data.

5) The GDPR strengthens the rights of data subjects

The GDPR will significantly extend and strengthen the rights of data subjects. Under the regulation, individuals will have the right to know:

  • What data is held about them and how they can request this data (with the expectation that they will receive it within a set time period)
  • Who sees the data held on them
  • How their data is being used and what decisions may be made with it

As intimidating as it may look, the GDPR does provide us all with an opportunity to think carefully about the data we gather and hold and about the rights of the people reflected in that data. And as our experts said, engaging as a community and learning together about compliance goes a long way towards showing GDPR regulators that we’re making steps in the right direction.

6) For organisations, this is operational

The GDPR will affect not just teams working on tech and data at an organisation, but the operations of the entire organisation itself. In many ways, as our experts identified, the GDPR fundamentally changes the relationship we all have when collecting data. Instead of data collection being a one-off process, organisations will have to set up and maintain open lines of communication with the people from whom they are collecting data. Organisations will need to be ready to update users on what their data is being used for, share copies of the data, and request consent (again) if the purpose of their data collection changes. In many ways, this pushes us towards better practice – thinking more intentionally about why we collect data, and using it for a pre-designated purpose.

Below, we’ve compiled resources that were shared during the call. We welcome more resources from members of the community. Feel free to share these in a comment, on the Responsible Data mailing list, or on Twitter, using #responsibledata.

Resources on the GDPR

About the contributor

Paola is a Belgian-Peruvian historian, writer and creative coder. Her broad range of interests motivated her to pursue studies in the history of solidarity, logic, and digital humanities. Prior to joining The Engine Room, she worked as a journalist, as a research assistant at the University College of London, and as a UX designer at Amnesty International. She’s always up for a chat about archives, creative coding, and NBA trivia.
