Originally posted on TechSoup by Giles Watkins.
I was lucky enough to be in the room at the European Parliament in October 2018 when Apple CEO Tim Cook made an impassioned plea for federal privacy law in the USA. It was something I thought I would not hear from a Silicon Valley CEO in my lifetime.
If that wasn't amazing enough, Mr. Cook left no room for misunderstanding when he declared that tech giants put profit over privacy and that their most dubious actions result in nothing short of surveillance.
He was, however, not all doom and gloom. He also made it clear that those who believe in "the potential of technology for good" should not give up hope, as "technology doesn't want anything." Rather, we must ensure that it is designed and developed to serve humanity, not the other way around.
The U.S. has yet to pass federal regulations as stringent as the General Data Protection Regulation (GDPR), though some states have passed their own. Nevertheless, data privacy remains top of mind for any organization — for-profit or nonprofit — that deals with the collection, storage, and use of an individual's data.
Complying with the rapidly increasing number of laws and regulations related to data privacy is much harder for nonprofits with limited budgets and staff than it is for large organizations with more funding, personnel, and resources. That said, it is typically easier to install or modify a "culture" in a small organization than it is in a large one.
Let's take a look at what creating a culture of data privacy might look like and how EU organizations are looking at data privacy.
Creating a Culture of Data Privacy at Your Nonprofit
Where employees and volunteers understand that the organization has a commitment to honesty and ethical corporate decision-making, including a responsibility to protect data, they are far more likely to treat data with care and respect. This, in combination with good processes and policies, means you are less likely to fall foul of the various laws and regulations that may affect data privacy. However, it never hurts to regularly challenge yourself and your organization to ensure that "thinking the right thing" translates into "doing the right thing." For starters, ensure that your organization is constantly asking itself basic questions like
- Do we have the right to collect, use, transfer (if applicable), and store this information? And have we informed the individual of our processes and intent?
- How long should we continue to keep this information, and are we using it for anything we didn't originally communicate or intend to?
- Do we let citizens access the data we hold on them, change it if it is inaccurate, and have it deleted if they wish?
- Are we keeping this sensitive personal information securely and limiting who has access to it?
In most cases, committing to this line of thinking will make your organization less likely to violate the most severe penalties that are enabled in these new regulations. The answers to these questions will also inform updates to your related policies and procedures.
Speaking of policies and procedures, I suspect many of you already have a good sense of your organization's ethics and compliance programs (formal or otherwise). Either way, it is advisable to review your policies and procedures specific to data ethics and privacy — especially before your staff, the public, or donors start to ask!
How EU Organizations Are Thinking About and Investing in Privacy
Since my last piece on GDPR for TechSoup, the International Association of Privacy Professionals, which I represent as the U.K. country leader, has released a couple of key documents that will provide you with some valuable benchmarks and insights into what others are doing to address privacy compliance.
One such tool is the IAPP-EY Annual Privacy Governance Report 2018. This provides results and commentary from a survey of many IAPP members and contains many useful insights. Below, I've listed some key takeaways that stood out to me.
- Some 78 percent of organizations now have some form of reporting on privacy matters to the board or the highest level of governing body.
- Only 32 percent of organizations think their privacy management program is "mature."
- Some 56 percent of organizations say that they are not yet fully compliant, and 19 percent say that they will never be "fully compliant" due to continual changes in processes, technology, personnel, and so on.
- The top areas of "activity" that organizations are undertaking in order to become compliant are
- Incident response — both implementing procedures and actually responding to privacy-related incidents
- Ensuring that there is a personal information inventory and that there are adequate data flow maps in place to understand where the risks to personal information exist
- Privacy by design — building procedures and controls into products, processes, and procedures when they are first designed and implemented
- Ethical decision-making — stepping back and asking, "Are we doing the right thing?"
- The areas that organizations are finding most difficult to address are
- Implementing the "right to be forgotten"
- Responding to "subject access requests"
- Breach notification to regulators and citizens
- Gaining and managing "consent" from citizens
- Conducting data privacy impact assessments
- The areas where most investment is being made are
- Finding and hiring a data protection officer
- Identifying and implementing supporting privacy technology
Speaking of investing in data privacy, another report recently released by the IAPP is the 2018 Privacy Tech Vendor Report. There has been an explosion of privacy-related technology as a result of GDPR. This report analyzes much of the technology available today within different categories, including data mapping, incident response, website scanning, activity monitoring, and more. I recommend taking a moment to at least scan this report. It will give you an idea of recent developments in this field and perhaps point to some improvements you could make at your own organization.