The General Data Protection Regulation (GDPR), which applies across the European Union from next May, will have far-reaching implications for how political parties, NGOs and any community organization interfacing with the general public operate.
Politicians, the parties they represent, NGOs, and local community organizations are just a few of the public-facing entities that will both have to ensure that they comply with its provisions and ensure that they have adopted the privacy by design philosophy that underpinned its drafting.
With less than six months to go until its implementation date, those active in Europe – or intending to be next year – should now be in the advanced stages of compliance preparations ahead of its introduction.
And with fines of up to 4% of global annual turnover at stake for noncompliance, political parties, NGOs and community organizations simply can’t be over-prepared. Here’s a quick refresher on GDPR’s main provisions and a nine-step checklist to help ensure that your community-facing organization is in shape come May 25th.
What the GDPR means for political parties, NGOs and community organizations
We’ve heard GDPR being described across the political sphere as a piece of legislation with “a real set of teeth”. Given its hefty fines for noncompliance, it is certainly being taken very seriously across the public and private sectors.
At the same time, however, political parties, NGOs and other community organizations have yet to become fully engaged with the implications for their sector. Perhaps because of how it has been featured in the media, awareness of the central effect the legislation will have on the political sphere has lagged behind that of its business implications. Its provisions do not distinguish between commercial and non-commercial data controllers: a party or charity holding personal data is bound by exactly the same rules as a company.
The arrival of GDPR can best be summarized as the dawning of the era of ‘privacy by design’.
It is an era in which a person’s presence on your database is a permission granted by that person, which they can withdraw at any time, rather than an entitlement the administrator holds by default.
Organizations outside the EU that process data on people in the EU (for example by offering them services or monitoring their behavior) also fall within the regulation’s scope. They will generally have to designate a representative established in the EU, and any transfer of personal data out of the EU/EEA must rest on a lawful transfer mechanism (an adequacy decision, standard contractual clauses or binding corporate rules). Keeping the data on EU-hosted servers is the simplest way to avoid the transfer question altogether, but it is not in itself a legal requirement.
Among its provisions, GDPR will give data subjects wide-reaching control over the personal data held about them by third parties (including a right to data portability, i.e. to move their data between providers), require that a request to erase held data be honored where the regulation’s conditions are met, and impose reporting requirements related to data breaches.
The last requirement includes a stipulation that, where feasible, data breaches must be reported to the supervisory authority within 72 hours of the controller becoming aware of them.
The most important points about GDPR for political parties, NGOs and community organizations interacting with grassroots communities:
- GDPR is an EU-wide piece of data protection legislation that applies from May 25th of next year.
- It affects anyone who processes identifiable personal data on an individual/voter
- Organizations found to be in breach of the legislation face administrative fines of up to €20 million or 4% of annual global turnover, whichever is higher; member states may also set penalties for individuals under national law
- From now on, voters will be able to demand access to any data you hold on them and request that it be deleted or transferred to a third party
- If you wish to hold identifiable personal data, and especially sensitive data such as political opinions, you will need a lawful basis for doing so. For most outreach work that basis will be the explicit consent of the individual
A 9-step checklist for GDPR preparation
With less than six months to go until the legislation’s introduction, political parties, NGOs and community organizations should be putting the final touches on their compliance efforts.
No matter what stage your organization is in the preparation journey, however, the following nine-step checklist should be of use to help you get ready in time for next May’s implementation date.
1. Anonymize your data
Political parties, NGOs and community organizations will have existing data on their communities as GDPR takes effect. If these existing databases contain identifiable data about individuals and you cannot show a lawful basis (such as consent that meets the GDPR standard) for continuing to hold it, then you will need to anonymize that data in advance. This means stripping out and deleting data points like name, address, email, twitter handle, phone number, or whichever piece of information identifies the individual. One caveat: removing the obvious identifiers while keeping one row per person is pseudonymization, not anonymization, and pseudonymized data is still personal data under the regulation. A combination of remaining fields (a small area plus an age band, say) can single a person out just as well as a name. What you are left with may be useful to you as an archive record, but to be genuinely anonymous it should be bundled into an ‘aggregated view’ of counts and totals, with small groups suppressed, that continues as your live database for new information. This work can be done for your organization by privacy software, or through a data privacy consultancy.
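The following is an added example, not code from the original article or from any product it mentions. It takes a few constructed supporter records, strips the direct identifiers the step lists, shows that the per-person rows that remain are still re-identifiable (the k-anonymity check fails), and then collapses them into the aggregated counts the step describes, suppressing any group smaller than K. The field names, the sample rows, the choice of quasi-identifiers and the threshold K = 3 are all assumptions for illustration.

```python
"""Pseudonymise, test for k-anonymity, then aggregate constructed supporter
records. Added example; schema, sample data and threshold are assumptions."""
from collections import Counter

# Fields that directly identify a person (assumed schema).
DIRECT_IDENTIFIERS = {"name", "address", "email", "twitter", "phone"}
# Remaining fields that, in combination, can still single a person out (assumed).
QUASI_IDENTIFIERS = ("constituency", "first_contact_year")
# Minimum number of people behind any published row (assumed threshold).
K = 3

# Constructed sample records; these are not real people.
RECORDS = [
    {"name": "A. Example", "email": "a@example.org", "phone": "0850000001",
     "twitter": "@a_example", "address": "1 High St", "constituency": "North",
     "first_contact_year": 2016, "canvassed": True},
    {"name": "B. Example", "email": "b@example.org", "phone": "0850000002",
     "twitter": "@b_example", "address": "2 High St", "constituency": "North",
     "first_contact_year": 2016, "canvassed": False},
    {"name": "C. Example", "email": "c@example.org", "phone": "0850000003",
     "twitter": "@c_example", "address": "3 High St", "constituency": "North",
     "first_contact_year": 2016, "canvassed": True},
    {"name": "D. Example", "email": "d@example.org", "phone": "0850000004",
     "twitter": "@d_example", "address": "4 Low St", "constituency": "South",
     "first_contact_year": 2017, "canvassed": True},
]


def strip_direct_identifiers(record):
    """Return a copy of the record without name/contact fields.
    This alone is only pseudonymisation: each row still describes one person."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def group_sizes(rows, quasi_identifiers):
    """Count how many rows share each combination of quasi-identifier values."""
    return Counter(tuple(row[q] for q in quasi_identifiers) for row in rows)


def is_k_anonymous(rows, quasi_identifiers, k):
    """True only if every quasi-identifier combination covers at least k rows,
    i.e. no row can be narrowed down to fewer than k people."""
    sizes = group_sizes(rows, quasi_identifiers)
    return bool(sizes) and min(sizes.values()) >= k


def aggregate(rows, quasi_identifiers, k):
    """Collapse per-person rows into one row of counts per group. Groups with
    fewer than k people are dropped entirely rather than published.
    Returns (kept_rows, number_of_people_suppressed)."""
    sizes = group_sizes(rows, quasi_identifiers)
    kept, suppressed = [], 0
    for key, n in sorted(sizes.items()):
        if n < k:
            suppressed += n
            continue
        members = [r for r in rows
                   if tuple(r[q] for q in quasi_identifiers) == key]
        kept.append({**dict(zip(quasi_identifiers, key)),
                     "people": n,
                     "canvassed": sum(1 for r in members if r["canvassed"])})
    return kept, suppressed


def anonymise(records, quasi_identifiers=QUASI_IDENTIFIERS, k=K):
    """Full pipeline: drop direct identifiers, then aggregate with suppression."""
    pseudonymised = [strip_direct_identifiers(r) for r in records]
    return aggregate(pseudonymised, quasi_identifiers, k)


def leaks_identifier(rows):
    """Sanity check before an archive or export: does any row still carry a
    direct identifier field?"""
    return any(field in row for row in rows for field in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    pseudo = [strip_direct_identifiers(r) for r in RECORDS]
    print("pseudonymised rows k-anonymous?",
          is_k_anonymous(pseudo, QUASI_IDENTIFIERS, K))
    kept, suppressed = anonymise(RECORDS)
    for row in kept:
        print(row)
    print("people suppressed (group smaller than K):", suppressed)
```

With the constructed data the three "North / 2016" supporters become a single row of counts, while the lone "South / 2017" supporter is suppressed rather than published, since a row describing one person in one constituency is not anonymous no matter how many fields were deleted. The same `is_k_anonymous` check can be run over any candidate archive before it is kept.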
2. Understand ‘legal basis’ for processing data and build protocols around gaining consent
If your political party, NGO or community organization is interested in holding personally identifiable data on your community, then you will need a lawful basis for doing so under the legislation. The regulation lists six: Consent; Contractual Necessity (you need to perform a contract with the individual that requires their details, which is also what typically covers your own staff); Legal Obligation; Vital Interests (life or death scenarios); Public Task (for public authorities carrying out their official duties); and Legitimate Interests. Note that political opinions count as ‘special category’ data, which needs an additional condition before it can be processed at all; one such condition covers not-for-profit bodies with a political aim processing data on their own members and regular contacts, provided it is not shared outside the body without consent.
However, it is unlikely that the non-consent bases will cover you for regular outreach work like canvassing, donations and marketing. In this case, you will need to rely on Consent, meaning you will have to get explicit consent from individuals in your community to allow you to process their data and contact them in the future. That consent must be freely given, specific to a stated purpose, informed and given by a clear affirmative action: a signed form or an unticked box that the person ticks themselves will do, while pre-ticked boxes, silence or inactivity will not. It must be as easy to withdraw as it was to give, and you must be able to demonstrate it afterwards, so record who consented, to what wording, when, and by what method.
3. Appoint a data protection officer
A data protection officer (DPO) is not a requirement for all organizations, but the likelihood is that if you are dealing with sensitive personal data you will need one. The regulation makes a DPO mandatory where core activities involve processing operations which “require regular and systematic monitoring of data subjects on a large scale”, or large-scale processing of special categories of data. Since political opinions are a special category, a political party holding that kind of information about voters on any scale should expect to fall within the requirement. A DPO is the main point of contact for the organization with the supervisory authority and will coordinate all internal activities (including staff training) to ensure ongoing compliance.
4. Communicate and train your organization
The fines under the regulation fall on the organization as controller or processor, and member states may add penalties for the individuals involved, so you do have an obligation to get training for everyone. Your chain is only as strong as the weakest link, meaning any volunteers, interns or casual staff will need to be trained just as much as your permanent team. You must also implement permission settings in your database systems so that each person can see and manage only the data their role requires.
5. Review your systems and locations of data storage
Where do you keep data on voters – on desktops, in the cloud, in Excel, on scraps of paper? Establish how you are going to capture this from now on, and ensure any information you hold is not transferred outside of the EU/EEA without a lawful transfer mechanism in place; the simplest way to stay on the right side of this is to keep it on servers in the EU. As you research the legislation, one thing will become clear: you will require a unified database for managing your community. Think about cloud-based software systems, as these will allow you to maintain your database securely and also control the access levels for all the various people in your organization. Remember, community-facing organizations will usually have volunteers and casual workers involved in delivering services, and these people will need to ‘plug in’ to a secure system, with their own accounts and appropriate permissions, to ensure compliance.
6. Draw up your data retention policy
It is critical that communications with your community are deleted once they are ‘done’ or have become unnecessary to keep. This means emails that are no longer ‘live’ need to be deleted, or archived only where you have a documented reason to keep them. This process needs to be ongoing and transparent. A data retention policy is an official document that governs the organization’s procedures around holding data, the time limits on this, and the methods of deletion or archival.
7. Know how to deal with a subject access request
Any member of the community can request access to the personal data you hold on them at any time, and they can request that this data be deleted or transferred to a third party. The request must normally be dealt with free of charge within one month (extendable by a further two months for complex or numerous requests, provided you tell the person why within the first month), and where the request arrives electronically you should be able to provide the data in a commonly used electronic format. Ideally, you will have a central repository of all voter information that you can go to and meet this request through a simple search. Otherwise you risk being swamped by the effort of answering each subject access request (SAR) by hand.
8. Get a data processor partner
It would be advisable to outsource the data processor role to a third-party system that is set up with ‘privacy by design’ in mind, so that your organization is not building and securing its own infrastructure. Be clear, however, that this does not shift responsibility: your organization remains the data controller, must choose only processors that provide sufficient guarantees, and must put a written contract in place that binds the processor to act on your instructions and meet the regulation’s requirements. Data encryption, secure servers and controlled access to data are relevant considerations whether you run the system yourself or assess a partner that will.
9. Establish your speed of response to data breach reporting
If you do suffer a data breach you will be obliged to report it to your relevant supervisory authority within 72 hours of becoming aware of it, where feasible (unless the breach is unlikely to result in a risk to the individuals concerned), and to the affected individuals themselves without undue delay if it is likely to result in a high risk to them. How do you plan on doing this, and how can it be done if it is a weekend or your DPO is away from the office, for example? A data breach checklist that is accessible to everyone in the organization might help in establishing a clear path in response to this situation. When you are reporting to the supervisory authority you will need to describe the nature of the breach (including the categories and approximate numbers of individuals and records involved), give your DPO’s contact details, set out the likely consequences, and explain how you are responding to and mitigating the breach.