Improving data practices from the inside out
How Oxfam GB brought creativity and purpose to preparing for the GDPR
Context
The Issue
Bringing organisational practices into compliance with the GDPR can be a daunting task–one that requires a significant investment of time and resources. Going beyond compliance to embracing the rights-respecting spirit of data protection also requires a change in attitude and beliefs.
The Role of the GDPR
At a minimum, the implementation of the GDPR could be seen as a question of compliance: how do we adhere to the set out requirements so as not to get fined? We spoke to Oxfam GB to learn how civil society groups are using the GDPR as an opportunity to pause, reflect and more deeply integrate the principles of data protection into their work, in a way that is rights-affirming and meaningful.
Key Takeaways
Oxfam GB staff went from viewing the GDPR as a regulatory change that was “scary” and burdensome, to one that aligned with their mission values—that was ultimately about protecting the data rights, dignity and safety of the people they served. Oxfam’s information security team was able to create an organizational culture shift through a combination of awareness-raising and technical capacity-building. They distributed the work across many “data protection representatives” and recognised the important role of context. While their strategies were resource-intensive, they provide a useful framework that other civil society groups could adapt.
Published February 25, 2020
The GDPR: friend and foe?
In the lead-up to the implementation of the GDPR, there was ample speculation around what impact the regulation would have on the nonprofit sector. The road to implementing changes seemed unclear to many non-profit organisations, who feared the high fines that could come with non-compliance and were stymied by the sometimes vague language of the text. Unlike for-profit entities who might have in-house expertise or the resources to bring in external counsel, non-profits often felt under-resourced to handle the legislation on their own. Especially for small-to-medium non-profits, or those whose work doesn’t focus on data or privacy, the implementation of the GDPR was an enigmatic, yet potentially threatening, event.
The legislation raised questions about external work for some organisations, around issues like the provision of direct support services to individuals and the maintenance of databases on communities or individuals. It also implicated the internal work central to nearly every nonprofit–keeping information on supporters, sending email newsletters, maintaining databases about fundraising and more. Other concerns expressed by non-profit organisations centred around access to resources, lack of consistent advice and the general sense that compliance to the GDPR would be unsustainable, particularly for smaller or less data protection-savvy organisations.
In our experience at The Engine Room, the GDPR gave us an opportunity to check in on our own practices and share where we were in terms of data protection. We created space within the organisation to ask questions, learn and, eventually, take action to continue improving our practices. We saw similar patterns in other organisations in the digital and data rights space, with DataKind sharing their own preparation plans (and hosting a book club!) and the Responsible Data community coming together to discuss what comes next.
Shifting internal perspectives on the GDPR
Larger, international non-profits with operations that involve the data of many people face different challenges—and opportunities—than smaller non-profits. Operating in various jurisdictions might mean adapting practices to each context, and deciding what to do when legislative practices demand different practices in different places. Compliance and buy-in can be harder to ensure with large, dispersed teams.
Oxfam GB, an international humanitarian organisation with a large, global reach has been addressing some of these challenges and, through tackling them, finding opportunities to deepen their commitment to a rights-respecting data culture. We spoke with James Eaton-Lee, Oxfam GB’s Head of Information Security, who also serves as their Data Protection Officer about how he and his colleagues are adapting to the GDPR. To Eaton-Lee and his team, the GDPR wasn’t just about operational changes but cultural ones. By implementing thoughtful process which aimed to raise internal awareness, designing new and context-appropriate practices, as well as nurturing internal advocates, Oxfam GB has taken the implementation of the GDPR as an opportunity for a meaningful cultural shift.
A year before the implementation of the GDPR, the legislation felt like a “scary regulatory change” that few people at Oxfam GB understood deeply. At the time, the organisation had a number of groups of staff–informal and formal–who were thinking about how to responsibly handle the data the organisation used. There were humanitarian teams, who thought about the risk(s) faced by program participants; fundraising teams, who knew about managing supporter data responsibly; and the legal team, which thought about data protection through the lens of compliance. The organisation also had worked on issues around responsible data in the past. In 2015, Oxfam GB published a Responsible Program Data Policy, which was supplemented by a toolkit full of guidance, learning tools, decision-making support and more.
Faced with these diverse perspectives on issues related to the GDPR, Eaton-Lee emphasised the importance of uniting them under deeply-held Oxfam GB values. “[The GDPR] is about people,” he said, continuing, “we must not lose sight of what ultimately matters–ensuring that we consider the impact to people when we use information about them – that we are accountable for how we plan our use of it, and do not use information in ways which could cause harm.” Establishing this perspective alleviated some degree of stress around compliance and united the various actors in a shared goal. It also showed that complying with the GDPR wasn’t a one-day activity, nor was it a clearly defined checklist to be fully completed. Instead, the implementation of the GDPR presented a chance to make ongoing shifts to reduce the risk of harm to the individuals Oxfam GB serves around the world.
Designing practices for diverse people and contexts
The focus on the GDPR as a chance to reaffirm the rights of Oxfam GB’s program participants and supporters is something that Eaton-Lee and his team threaded through a large variety of activities. They recognised early on that bringing about a shift in culture, changing practices and ensuring the organisation was adhering to the GDPR would be far from simple.
In the first phase of preparing Oxfam GB staff for the advent of the GDPR, they worked with Oxfam GB’s Internal Communications team on building awareness of the legislation, sharing what it was and why it mattered–months (if not years) in advance. To make the lofty sounding legislation feel more immediate, Oxfam’s Communications team created a physical installation in their Oxford, UK office. People would enter the atrium–outfitted to look like a living room –and be asked to look for sensitive data (like a paper list of patient names, for example) that was hidden around the space. As people found data, they would be guided through how it was related back to the data subject’s rights, dignity and safety. This served as a fun and creative way of helping people who otherwise might have seen ‘data’ as something abstract in a more concrete way. By setting it up in the entrance to their office, it caught people’s attention in a compelling way–unlike most webinars or presentations.
Later on, as they approached the May 25th implementation date, Eaton-Lee shifted his attention to making sure that teams and individuals knew what they should actually do about the impending legislation change. Each major division within Oxfam GB participated in exercises to understand how the data they worked with was implicated in the GDPR. To address the variations in geography, he and his team held webinars with regional offices, addressing other contextual concerns as they arose. All told, Eaton-Lee estimates that he and his team presented over 100 different versions of their preparation presentations and exercises, adapting each for differences in team and geographical contexts.
Figuring out what individuals and teams had to actually do in response to the GDPR also meant tackling very granular questions like: “Can we still do impact evaluation if we cannot share data across borders, including into and out of the EU? What if we need to use data our partners have collected? How about working with consultants on impact evaluations? How can we use photographic and video content? How do we procure goods and services from suppliers?”
Nurturing internal advocates
Carrying out these diverse trainings, presentations and conversations was not a job for just one team or one person, nor was the subtler work of shifting attitudes around the GDPR from trepidation to excitement (or at least understanding). Instead, Eaton-Lee and his team sought out ways to create networks of individuals, across teams and geographies, who could act as GDPR advocates and point-people.
Equipped with the knowledge that most data protection-related questions tended to get delegated to the same people–administrative staff, compliance teams or IT staff–Eaton-Lee wanted to tap a different subset of individuals. He and his colleagues sought out individuals who may not have worked extensively with data and compliance questions in the past, but who had an interest in learning more and the networks by which to share their learnings.
To do so, Oxfam GB division directors were asked to identify members on their team who might be suitable for the task and nominate them to become ‘Data Protection (DP) Representatives.’ These representatives were not only key actors in the process of compliance, but also key advocates for spreading the importance of data protection to Oxfam GB’s mission. Each DP Representative was given an outline of their role and responsibilities, to ensure clarity, and a process was created for answering any questions that DP Representatives faced (using a dedicated ticketing system and email address). DP representatives get the added bonus of learning more about an area–data protection–that will only become more important in years to come.
At the same time, more informal groups were created to continue sharing knowledge among folks who might not have an official connection to data protection work but who were enthusiastic about it. One of these is Oxfam GB’s Data Rights group which, though it does not reach everyone, creates space for eager staff to bring thorny topics for discussion and share back learnings with their team members.
What’s next?
In reflecting on the process so far, Eaton-Lee identified many other things that are still yet to be tackled, from niche legal compliance items, to closely examining data sharing with donors, to growing the conversation outside of Europe. He also mentioned how resource-intensive Oxfam GB’s approach was and highlighted that other organisations might need a more lightweight process (particularly if they are smaller in size and scope).
While there are still many challenges to adapting to the changes brought by the GDPR’s implementation, the case of Oxfam GB shows us how the GDPR presents many opportunities to create a more privacy-centric culture, too.