As every organization becomes a data-collecting organization, protecting and managing data will soon be everyone’s responsibility. And the rules are about to undergo a major update on May 25, when the European Union will adopt the General Data Protection Regulation (GDPR).
This new regulation will hold businesses accountable for the transparency and security of any customer information they possess. Violators will face fines of up to 4% of a company’s global revenue, or 20 million euros (whichever is higher), and the regulations apply to any EU resident served by that organization. This means that simply having an EU citizen visit your organization’s website entitles that citizen to all protections under these new regulations. And since storing and handling data differently for EU and non-EU citizens is infeasible and inefficient for most organizations, the standard set out by the GDPR will become the de facto standard for organizations that have any EU presence online.
While GDPR enforcement will motivate many organizations to comply, this articulation of comprehensive guidance also provides an opportunity for international development organizations to demonstrate leadership. Donors typically require detailed, data-driven monitoring and evaluation to justify funding, which means that collecting, storing, analyzing, and sharing beneficiary data is no longer solely the concern of global technology companies such as Facebook. And in development, this data is all too frequently compromised or misused at the expense of the most vulnerable, who have been damaged through collective inaction and patchwork regulation.
GDPR is not just a challenge for technical and legal teams; it is also an opportunity for organizational learning and donor education. If donor and client preferences are as aligned with the data rights of beneficiaries as they are with the value of that data for programming purposes, we could hope for real change. To reference the PopTech presentation by Nathaniel Raymond on Data Rights, this could be an opportunity for our moral and ethical innovation to catch up to our technical innovation, even if it has to arrive via incremental progress.
For example, the TechChange platform used to permit administrators to create user accounts directly. This feature, added to ease the integration of new learners into a seamless course experience, is convenient. However, it is also directly counter to the spirit and letter of GDPR.
So in response, our team has removed the ability for administrators to create user accounts on the platform and replaced it with the ability to invite users. This adds an extra step to the process, but also protects user privacy by forcing users to generate their own passwords and opt in to our learning experience.
And while some partners have asked why the feature has been removed, the change has also given us an opportunity to share more about the GDPR and about how we are growing as a partner, both to serve their needs and to responsibly administer their learner data.
This is just one example, and we are still working to understand the full implications of these regulations. But there are steps we can all take today to create the kinds of organizations that we would trust with our own data, let alone with the data of those who count on us to keep it safe.
Interested in learning more? Take our two-week facilitated online course on GDPR for International Development! Class starts on May 7th.