In the lead-up to the implementation of the EU’s General Data Protection Regulation (GDPR) in May 2018, small and large organisations alike were abuzz with speculation as to how it would affect them. A much-awaited legislation, the GDPR is a regulation that harmonises and strengthens data protection laws across EU member states. In the year since it went into effect, it is clear that complying with the GDPR has presented a challenge for civil society but that many of the warnings about endless fines for civil society organisations haven’t come to pass.
Through conversations with responsible data community members and colleagues, we heard much excitement around the GDPR. Though few, if any, would argue it is perfect, the GDPR represents a step forward in concretising legal and regulatory mechanisms to enforce responsible data practices. Given how strongly these concepts align with many civil society missions, we asked ourselves, “How can the GDPR be used to support the work of civil society?” The stories that follow are meant to serve as an exploration of this question, shedding light on how the GDPR — and similar data protection legislation — presents an opportunity for civil society to not only examine their own data practices, but hold others to account.
We were able to carry out this project with the support of the Open Society Foundations and hope that the stories can serve as inspirations for reflection, learning and the development of new ways of leveraging data protection legislation.