It has been two months since the General Data Protection Regulation, or GDPR, went into full effect. The GDPR was passed by the European Union on May 25 and requires organizations to be accountable for protecting any personal information of anyone residing in the European Union—even if an organization is not physically located within the European Union.
The GDPR has already been enforced. In June, a regional court in Germany invoked the GDPR against a German company. In this first practical ruling under the GDPR, the German court decided that an internet domain registration service must stop collecting data that could potentially be used to identify the personal contact information—including addresses and phone numbers—of internet domain owners.
As organizations have continued to collect more sensitive personal data, it has become increasingly difficult for those providing their data—the users—to understand how their own personal information may be used to their benefit or detriment. Users may not even know how their personal data is connected to certain data footprints, as shown in the German court ruling in June.
A rights-based framework
To keep users instead of organizations at the center of the data privacy conversation, the European Union wrote the GDPR to ensure that personal data protection remains at the forefront of privacy policies and responsible data management.
Underpinning this hefty two-hundred-page data protection document is a new framework for digital communities and organizations to understand and uphold users’ rights to privacy, transparency, and security.
Organizations need to reflect this new framework in their own practices. At TechChange, we are working to meet GDPR standards for our users and to ensure that our partners are learning how they can as well—be they in the international development sector or otherwise.
Responsibility to the user
Right now, the GDPR stands as an opportunity for organizations to rethink and improve how they approach data management.
For example, the GDPR has stringent and specific requirements for highly personal data. A user’s biometric information—such as a fingerprint—is considered a special category of personal data under the regulation. This means that organizations using biometric data in their programs will need to follow a stricter set of requirements when managing that data than for other, indirect types of personally identifiable information, such as a user’s office address.
Outside of the non-profit and public sectors, technology companies realize the need to change their priorities to promote users’ rights. Technology firms that once focused mainly on security and compliance are adopting a more holistic approach to the data privacy of their users and customers. Companies are staffing up their cybersecurity divisions with data privacy officers, accountability officers, and digital risk analysts so that their teams and products can better meet the fundamental GDPR requirement of putting the user first.
It ultimately falls to organizations who process personal data to make sure that they are doing so in a responsible, transparent, and compliant manner. Minimizing data collection and cleaning up obsolete data is an excellent first step for improving an organization’s approach to handling personalized information.
On top of that, organizations need to be prepared to help users see, and potentially delete, their data should they request it. This process—which the regulation calls a subject access request—is critical to implement. It goes back to what the GDPR is all about: putting users in control of their personal data.
Organizations are continually learning from each other about how they can improve data management and comply with the GDPR. TechChange’s self-paced online course Introduction to GDPR provides a forum to learn about the regulation and share best practices and resources for data management.
The GDPR has advanced the global discussion about data privacy, and it can certainly be leveraged to build better data practices while improving transparency between organizations and their users.
Going forward, TechChange will look at how the GDPR promotes the rights of users in digital communities and how the regulation will affect stakeholders outside of the international development sector—including education technology, open source software initiatives, and financial technologies.