Data Protection Stories  , Data Protection Stories, Overview

Data protection reflection stories: an overview

Highlighting how civil society can use policies like the GDPR to strengthen their work


In the lead-up to the implementation of the EU’s General Data Protection Regulation (GDPR) in May 2018, small and large organisations alike were abuzz with speculation as to how it would affect them. A much-awaited legislation, the GDPR is a regulation that harmonises and strengthens data protection laws across EU member states. In the year since it went into effect, it is clear that complying with the GDPR has presented a challenge for civil society but that many of the warnings about endless fines for civil society organisations haven’t come to pass. 

Through conversations with responsible data community members and colleagues, we heard much excitement around the GDPR. Though few, if any, would argue it is perfect, the GDPR represents a step forward in concretising legal and regulatory mechanisms to enforce responsible data practices. Given how strongly these concepts align with many civil society missions, we asked ourselves, “How can the GDPR be used to support the work of civil society?” The stories that follow are meant to serve as an exploration of this question, shedding light on how the GDPR — and similar data protection legislation — presents an opportunity for civil society to not only examine their own data practices, but hold others to account.

We were able to carry out this project with the support of the Open Society Foundations and hope that the stories can serve as inspirations for reflection, learning and the development of new ways of leveraging data protection legislation.


Finding reflection stories

In early 2019, we announced a call on The Engine Room’s blog, looking for positive stories from civil society around how they had used the GDPR to improve their internal data practices; advance their fight for privacy rights; or strengthen advocacy or social justice work outside privacy-related missions.  We shared the call through Twitter, on the Responsible Data mailing list and at in-person events like IFF and RightsCon. As we spoke with individuals from across the globe, we asked folks for referrals to other organisations or individuals who might have more information to share.

In the call, we aimed to capture ways that the legislation had impacted organisations’ internal practices and their external advocacy work advancing privacy or other social justice-related missions. However, the vast majority of leads we received and desk research we conducted pointed to external applications of the GDPR.

Throughout the research period, we conducted desk research and interviews simultaneously, using the findings of one to inform the other. Some cases had already been covered to some extent by other outlets (including organisations’ own sites, and GDPR-specific sources like GDPR Today), whereas others required weaving together disparate sources of knowledge. In all of these cases, we aimed to highlight uses of the GDPR — or similar data protection legislation — that were impactful, innovative or somehow replicable.

Identifying trends

We are publishing the case stories one-by-one, between July and November 2019. Once we approach the end of our research, we will update this section with learnings, trends and opportunities for future uses of the GDPR and similar legislation.