GDPR Primer for OSMF
Posted by Heather Leson on 27 April 2018 in English.
The new General Data Protection Regulation (GDPR), sometimes called the “EU Data Protection Regulation,” comes into effect on 25 May 2018. All organizations, companies and entities operating in the EU, or processing the personal data of people in the EU, will be required to comply, or at minimum to have a preparedness plan. The GDPR is considered a “gold standard” that countries outside the EU may adopt. The OSMF License Working Group prepared a detailed white paper about GDPR. This post is a compilation of resources to support the ongoing OSMF conversation.
Give me a quick summary of GDPR preparedness
This 2-page checklist explains some of the considerations.
Surely, someone has made summaries for NGOs and not-for-profits? Yes!
Responsible Data Forum: six key considerations:
- 1. Responsibility and rights are foundational to the GDPR
- 2. The scope of the GDPR is broad, going beyond Europe
- 3. The GDPR broadens the definition of ‘personal data’
- 4. Prepare for data audits now
- 5. The GDPR strengthens the rights of data subjects
- 6. For organisations, this is operational
Digital Impact (Stanford) Digital Impact is an initiative of the Digital Civil Society Lab at the Stanford Center on Philanthropy and Civil Society (Stanford PACS). Their summary of key articles:
Got it, show me a legal analysis
Access Now has a great article:
What are some data hygiene considerations?
Are you tracking (collecting, storing or logging) any of the following?
- Basic identity information such as name, address and ID numbers
- Web data such as location, IP address, cookie data and RFID tags
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
Note that the last five are “special categories” of personal data under GDPR Article 9: processing them is prohibited unless one of the specific exceptions in that article applies, so they deserve a separate line in any data audit. IP addresses, cookie identifiers and similar online identifiers count as personal data even when you never see a name alongside them.
Ok, how can I prepare?
The FutureLearn GDPR Online course suggests:
- Try to think about who deals with personal data in your company or organisation.
- Try to identify the nature of the data and the purposes for which they are collected or processed.
- Try to think about which processes are mandatorily followed in your company or organisation when handling the data.
- How are data safeguarded?
- What is the red tape that is likely to arise when changing the ways how people work and how can it be addressed?
- Do you need structural changes? Do you need to appoint a Data Protection Officer? Which competences should he or she have in your organisation, and where should he or she sit in the organisation chart?
- Go even further. Identify your weak and strong points. Now, you know the obligations that the GDPR introduces for data controllers and processors. Step into action ensuring that you, your company or organisation complies with these obligations and avoid potential liabilities or sanctions.
Give me some key definitions:
- Consent: explain why you are collecting the data and what will be done with it, then ask for permission. Under the GDPR (Article 4(11)) consent must be freely given, specific, informed and unambiguous, so pre-ticked boxes or silence do not count.
- Anonymization encompasses techniques that can be used to ensure that data sets containing Personal Data are fully and irreversibly anonymized so that they do not relate to an identified or identifiable natural person, or that the Data Subject is not or is no longer identifiable. Pseudonymization (for example, replacing a username or IP address with a hash or a token while keeping a way to link back) is not anonymization: the GDPR (Article 4(5) and Recital 26) treats pseudonymized data as still being Personal Data.
- Data Subject means a natural person (i.e. an individual) who can be identified, directly or indirectly, in particular by reference to Personal Data.
- Personal Data means any information relating to an identified or identifiable natural person (e.g. name, religion, address, bank information, etc.).
- Processing means any operation or set of operations which is performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination or erasure.
- Data Controller means the person or organization who, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
- Data Processor means the person or organization who processes Personal Data on behalf of the Data Controller.
- Third Party means any natural or legal person, public authority, agency or any other body other than the Data Subject, the Data Controller or the Data Processor. (Source for these definitions: ICRC Handbook on Data Protection in Humanitarian Action.)
- Right to privacy (transparency): tell people how their data will be used and processed, and on what legal basis, before you process it.
Other resources or edit suggestions are welcome.