GDPR – 4 Things Associations and Nonprofits Can Learn
On the eve of one of the most comprehensive personal data privacy regulations going into effect on May 25th, 2018, it is a good time to ponder what any association or nonprofit organization can learn from the EU General Data Protection Regulation (GDPR), regardless of whether it falls within scope.
GDPR is about protecting the rights and freedoms of data subjects (individuals) with respect to their personal data and their right to privacy. A large part of that, in practice, is information security: Article 32 requires controllers and processors to implement appropriate technical and organizational measures to protect personal data. Just like any other information security regulation or best practice (e.g. PCI DSS, HIPAA, or ISO 27001:2013), some of the requirements it sets forth apply to any organization that processes information as part of its daily operations. Where GDPR differs from sector-specific regulations such as PCI DSS (payment cards) or HIPAA (healthcare) is that it is industry agnostic: it applies to any organization that processes the personal data of individuals in the EU/EEA, whatever its line of business.
Implemented appropriately, GDPR compliance should also strengthen the trust between your organization and its data subjects.
You may be asking yourself what a regulation originating in Europe can teach a US-based organization about information security. GDPR has a very broad scope, and perhaps your organization does not fall within it. Even so, understanding the requirements would prove beneficial to any organization. There are lessons to be learned from GDPR, especially since US Senator Edward Markey introduced a new bill called the “CONSENT Act” with the purpose of “requiring the Federal Trade Commission to establish privacy protections for customers of online edge providers, and for other purposes.” It would be foolish to think that we will not see additional regulations at the State and/or Federal level aimed at protecting the privacy of US citizens, similar to how GDPR protects the privacy of individuals in the EU/EEA.
An organization can use GDPR as a reference point either to begin its journey of implementing information security best practices or to validate and improve what it currently has in place. Requirements like privacy notices, data protection by design and by default, contracts with data processors, and 72-hour breach notification could apply to any organization in any industry. Let’s break down these four items in more detail.
Privacy Notices
GDPR (Articles 12 to 14) requires data controllers to provide privacy notices, and it specifies both how they must be presented and what they must contain. The regulation states that a data controller shall provide information about the processing to the data subject in an easily accessible form, using clear and plain language, and that this information shall include:
- The legal basis for the processing (i.e. consent, performance of a contract, a legal obligation, the vital interests of the data subject, a task carried out in the public interest, or the legitimate interests of the controller; see Article 6)
- The purposes of the processing
- The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period
- The source of the personal data and, if applicable, whether it came from publicly accessible sources (Article 14 only, i.e. when the data was not obtained directly from the data subject).
Any organization looking to be proactive in building the trust of its “customers” would benefit from a privacy notice that includes this information. The list is not the complete set of items Articles 13 and 14 require, and an organization outside GDPR’s scope has no legal obligation to publish any of it, but being transparent about what you collect, why, and for how long will be viewed as an act of good data stewardship.
Data Protection by Design and by Default
Article 25 of GDPR covers data protection by design and by default. It obliges data controllers to implement appropriate technical and organizational measures designed to implement data-protection principles (such as data minimization) and, by default, to process only the personal data necessary for each specific purpose. This obligation applies to:
- The amount of personal data collected
- The extent of the processing
- The period of the storage
- The accessibility of the data (by default, personal data should not be made accessible to an indefinite number of people without the individual’s intervention)
Data protection and privacy should be a key consideration at the beginning of any project or change in your organization. Unfortunately, they are typically incorporated as an afterthought or ignored altogether. Adopting this mindset throughout the entire organization is an essential tool in minimizing privacy risk and building trust. The UK’s Information Commissioner’s Office (ICO) provides guidance on privacy by design in the context of the Data Protection Act, in which it references the Information and Privacy Commissioner of Ontario’s (IPC) ‘7 Foundational Principles’ of Privacy by Design.
Contracts with Third-Party Vendors
GDPR (Article 28) requires data controllers to have a contract in place with any external processor, governing the processing activities, and it specifies the stipulations that contract must include. Many of these stipulations are GDPR-centric, but the contract must also bind the processor to the security measures of Article 32, and those could be applied to any contract your organization has with its vendors, such as:
- The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services
- A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures
- The ability to restore the availability of, and access to, personal data in a timely manner after a physical or technical incident.
GDPR is clear that the data controller is ultimately accountable for demonstrating compliance with the regulation (Article 5(2)). Part of that accountability is ensuring that third-party vendors, especially data processors, are making the same commitment to comply with the regulation, and that this commitment is written into the contract.
72-Hour Breach Notification
GDPR (Article 33) states that in the event of a personal data breach, the data controller must notify the supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where the breach is likely to result in a high risk, the affected data subjects must be notified as well (Article 34). In the US, we have our own laws that govern data breach notifications, most of which do not impose a 72-hour deadline; one exception is the New York State Department of Financial Services Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500), which requires notice to the Superintendent within 72 hours. That regulation went into effect March 1, 2017, and all “Covered Entities” must be fully compliant by March 1, 2019.
Depending on the nature of your business and the type of data you process, you may be required by law to report a data breach within a certain amount of time. It is important to understand that requirement, but it is equally, if not more, important to understand what your organization will actually do in the event of a personal data breach: who is notified internally, how the breach is contained and assessed, and who decides whether and when to notify regulators and affected individuals. A 72-hour clock is very short if those decisions have not been made in advance.
A formalized cyber incident response plan is a fundamental component of meeting any breach notification requirement and would help your organization recover quickly from such an event. Best practices and guidance such as the National Institute of Standards and Technology’s Special Publication 800-61, “Computer Security Incident Handling Guide,” are a great place to start to understand what this plan should include from a people, process, and technology standpoint.
Your organization may have no obligation to comply with the requirements of GDPR, but that does not mean you should not educate yourself on the requirements and what the regulation means. It would not be illogical to view it as a precursor to what is to come in US privacy law. GDPR is more than just a privacy regulation; it should be viewed as a set of best practices and something you can learn from.