The General Data Protection Regulation (GDPR) legislation, which is being implemented across the European Union next May, will have far-reaching implications for how political parties, NGOs and any community organization interfacing with the general public operates.
Politicians, the parties they represent, NGOs, and local community organizations are just a few of the public-facing entities that will both have to ensure that they comply with its provisions and ensure that they have adopted the privacy by design philosophy that underpinned its drafting.
With less than six months to go until its implementation date, those active in Europe – or intending to be next year – should now be in the advanced stages of compliance preparations ahead of its introduction.
And with fines of up to €20 million or 4% of global annual turnover, whichever is higher, at stake for noncompliance, political parties, NGOs and community organizations simply can’t be over-prepared. Here’s a quick refresher on GDPR’s main provisions and a nine-step checklist to help ensure that your community-facing organization is in shape come May 25th.
What does the GDPR mean for political parties, NGOs and community organizations?
We’ve heard GDPR being described across the political sphere as a piece of legislation with “a real set of teeth”. Given its hefty fines for noncompliance, it is certainly being taken very seriously across the public and private sectors.
At the same time, however, political parties, NGOs and other community organizations have yet to become fully engaged with the implications for their sector. Perhaps because of how it has been featured in the media, awareness of the central effect the legislation will have on the political sphere has lagged behind that of its business implications. Its provisions do not distinguish between the missions of data controllers: a party or charity holding personal data is a controller in exactly the same way as a company, and the same obligations apply to both.
The arrival of GDPR can best be summarized as the dawning of the era of ‘privacy by design’.
It is an era in which a person’s opt-in to any database is a permission lent to the administrator, revocable at any time, rather than an entitlement the administrator enjoys once granted.
Organizations outside the EU that hold data on people in the EU are also caught by the regulation. They are not obliged to move the data onto EU-hosted servers, but transfers of that data out of the EU must rest on a recognized basis (an adequacy decision for the destination country, or safeguards such as standard contractual clauses), and a non-EU controller without an EU establishment will in most cases have to designate a representative within the EU to act as its contact point for supervisory authorities and data subjects.
Among its provisions, GDPR will give data subjects wide-reaching control over the personal data held about them by third parties (including guaranteeing them the right to move data between providers), ensure that a request to erase held data must be honored, and enforce reporting requirements related to data breaches.
The last requirement includes a stipulation that a data breach must be reported to the supervisory authority within 72 hours of the controller becoming aware of it, and communicated to the affected individuals without undue delay where the breach is likely to put their rights and freedoms at high risk.
The most important points about GDPR for political parties, NGOs and community organizations interacting with grassroots communities:
- GDPR is an EU-led piece of data protection legislation that applies from May 25th of next year.
- It affects anyone who holds identifiable personal data on an individual/voter, whether or not the organization holding it is a business
- Organizations found to be in breach of the legislation face fines of up to €20 million or 4% of annual global turnover, whichever is higher
- From that date, voters will be able to demand access to any data you hold on them and request that it be corrected, deleted or transferred to a third party
- If you wish to hold identifiable personal data about an individual you will need a lawful basis for doing so; where that basis is consent, it must be freely given, specific, informed and unambiguous, and recorded so you can prove it. Sensitive data such as political opinions requires explicit consent or another of the narrow conditions the regulation allows for special-category data
A 9-step checklist for GDPR preparation
With less than six months to go until the legislation’s introduction, political parties, NGOs and community organizations should be putting the final touches on their compliance efforts.
No matter what stage your organization is in the preparation journey, however, the following nine-step checklist should be of use to help you get ready in time for next May’s implementation date.
1. Anonymize your data
Political parties, NGOs and community organizations will have existing data on their communities as GDPR takes effect. If these existing databases contain identifiable data about individuals that you cannot justify keeping (for example, contacts collected without consent that meets the GDPR standard), then you will need to anonymize or delete that data in advance. Anonymizing means stripping out and deleting data points like name, address, email, twitter handle, phone number, or whichever piece of information identifies the individual. Be aware that removing the obvious identifiers is not always enough: records that still carry a combination of fields such as postcode, date of birth and occupation can single a person out, and data that has merely been pseudonymized (identifiers replaced by a key you still hold) remains personal data under the regulation. What you are left with may be useful to you as an archive record, or you may wish to bundle the remaining data together into an ‘aggregated view’ (counts per ward, per issue and so on) that continues as your live database to which you record new information. This work can be done for your organization by privacy software, or through a data privacy consultancy.
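As an added illustration of this step (not code from the original article or from any product it mentions), the following Python script strips the direct identifiers from a small contact list and rolls the remainder up into an aggregated view. The field names, the identifier list and the sample contacts are all assumptions constructed for the example; the small-group suppression at the end goes slightly beyond the article’s text and reflects the standard practice of not publishing cells so small that they could single out an individual.

```python
"""Step 1 of the checklist: strip direct identifiers, then aggregate.

Added example; the records below are constructed, fictional contacts and the
field names are assumptions for the sake of illustration.
"""
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

# Fields that map directly to one person. Extend this set to match your own
# database; anything that on its own identifies a supporter belongs here.
DIRECT_IDENTIFIERS: Set[str] = {
    "name", "address", "email", "phone", "twitter", "member_id",
}

# Constructed sample database (fictional people). 'year_of_birth' is kept to
# show that a non-identifier can still act as a quasi-identifier; the
# aggregated view below deliberately leaves it out.
SAMPLE_RECORDS: List[Dict] = [
    {"member_id": 1, "name": "Ana Lima", "email": "ana@example.org",
     "phone": "+351 000 000 001", "twitter": "@ana_l", "address": "1 Rua A",
     "ward": "North", "year_of_birth": 1984, "issue": "housing"},
    {"member_id": 2, "name": "Ben Okoro", "email": "ben@example.org",
     "phone": "+44 0000 000002", "twitter": "@benok", "address": "2 High St",
     "ward": "North", "year_of_birth": 1990, "issue": "housing"},
    {"member_id": 3, "name": "Chloe Dubois", "email": "chloe@example.org",
     "phone": "+33 0 00 00 00 03", "twitter": "@chloed", "address": "3 Rue B",
     "ward": "North", "year_of_birth": 1975, "issue": "housing"},
    {"member_id": 4, "name": "Dev Patel", "email": "dev@example.org",
     "phone": "+44 0000 000004", "twitter": "@devp", "address": "4 Mill Ln",
     "ward": "North", "year_of_birth": 1962, "issue": "transport"},
    {"member_id": 5, "name": "Eva Novak", "email": "eva@example.org",
     "phone": "+420 000 000 005", "twitter": "@evan", "address": "5 Ulice C",
     "ward": "South", "year_of_birth": 1988, "issue": "housing"},
    {"member_id": 6, "name": "Finn Berg", "email": "finn@example.org",
     "phone": "+47 00 00 00 06", "twitter": "@finnb", "address": "6 Gate D",
     "ward": "South", "year_of_birth": 1995, "issue": "housing"},
    {"member_id": 7, "name": "Greta Rossi", "email": "greta@example.org",
     "phone": "+39 000 000 0007", "twitter": "@gretar", "address": "7 Via E",
     "ward": "South", "year_of_birth": 1970, "issue": "transport"},
    {"member_id": 8, "name": "Hugo Schmidt", "email": "hugo@example.org",
     "phone": "+49 000 000 0008", "twitter": "@hugos", "address": "8 Weg F",
     "ward": "South", "year_of_birth": 1981, "issue": "transport"},
]


def strip_direct_identifiers(records: Iterable[Dict],
                             identifiers: Set[str] = DIRECT_IDENTIFIERS) -> List[Dict]:
    """Return new records with every direct identifier removed outright.

    The field is dropped, not blanked or replaced by a key: a record that
    still carries a lookup key back to the person is only pseudonymized and
    remains personal data.
    """
    return [{k: v for k, v in rec.items() if k not in identifiers}
            for rec in records]


def contains_direct_identifiers(records: Iterable[Dict],
                                identifiers: Set[str] = DIRECT_IDENTIFIERS) -> bool:
    """Sanity check to run before archiving: does any record still carry
    one of the identifier fields?"""
    return any(identifiers & rec.keys() for rec in records)


def aggregate(records: Iterable[Dict], by: Tuple[str, ...]) -> Counter:
    """Build the 'aggregated view': a count of people per combination of the
    chosen fields (e.g. ward and issue). Individual rows are discarded."""
    return Counter(tuple(rec.get(field) for field in by) for rec in records)


def suppress_small_groups(counts: Counter, k: int = 5) -> Dict[Tuple, int]:
    """Drop cells with fewer than k people. A cell of one or two still lets a
    reader say 'the only transport supporter in North ward is ...', so it is
    not safe to treat as anonymous. The threshold is a policy choice."""
    return {key: n for key, n in counts.items() if n >= k}


if __name__ == "__main__":
    stripped = strip_direct_identifiers(SAMPLE_RECORDS)
    assert not contains_direct_identifiers(stripped)
    view = aggregate(stripped, ("ward", "issue"))
    for key, n in sorted(suppress_small_groups(view, k=2).items()):
        print(key, n)
```

Run the script as-is to see the ward/issue counts; point `SAMPLE_RECORDS` at an export of your own database and adjust `DIRECT_IDENTIFIERS` and the `by` fields to match. Keep `contains_direct_identifiers` as a gate in whatever job writes the archive copy, so a new column added to the database later cannot silently leak back in.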