By Beth Bacon, PIR Senior Director of Policy and Privacy
It’s been several years since the EU’s General Data Protection Regulation (GDPR) was introduced. While the initial flurry of privacy notice updates that plagued your inbox has subsided, the importance of establishing a responsible approach to protecting your customer or donor data remains. To help navigate what can be some very complicated questions, here are a few initial steps you can take to tackle privacy questions for your organization. Let’s start with the basics.
What is personal data?
Most privacy and data protection legislation defines personal data as any information or combination of information that can identify an individual. This is often referred to as personally identifiable information (PII). Super clear, right? Well, let’s think about it this way: you can have many pieces of personal data, for example, a donor’s first name and mailing address. The first name on its own is likely not personal data because there are thousands of people named Mateo. However, if you combine Mateo’s name with Mateo’s address, this identifies where Mateo lives, and it’s certainly personal data identifying a specific individual.
Whether you are expanding your audience engagement, improving your security practices, or updating your newsletter, your organization is constantly processing these pieces of personal data. This requires attention to ensure your practices are compliant, which protects both a donor like Mateo and your organization.
How do you figure out which laws apply to you? How do you know if you have to comply with them? What did we even mean in our recent animated video when we said, “Note that the use of personal data for marketing will require charities to be familiar with and comply with a variety of data protection and privacy laws”? Finally, how do we do this as a small organization without losing our minds?
Start with these simple steps.
First, do some internal homework. What data do you have about your donors, customers, volunteers, or employees? Does any of that information meet the definition of personal data above? If yes, then we have more work to do. If not, you’ve made your life easy, but it is always good to have a basic understanding of what role privacy regulations play in an organization’s operations.
Laws and regulations are passed or adopted by individual governments, so if you are holding or processing personal data, you should determine where your organization is established so you know where to start when reviewing legal requirements. The Netherlands has different legal requirements from India, and the Commonwealth of Virginia has different requirements from the State of California. You will need to do some good old-fashioned research to see if the country where you’re established has a data protection or privacy law. Resources like the International Association of Privacy Professionals (IAPP) provide several helpful tools to the public, including a list of global privacy laws.
Once you know where your business is established and if that country has a privacy or data protection law…then what?
The good news is that while there are a lot of different pieces of legislation, there are basic best practices for processing personal data that are always a great idea to follow regardless of where you are located. These include collecting only data you need for a specific purpose, not keeping data for longer than necessary, making sure you make it easy for people to unsubscribe or opt out of communications, and applying security best practices.
There are also some basic principles that most privacy requirements are based upon. Updating your privacy practices with these in mind can make it easier for smaller organizations with fewer resources. This can be especially important for a non-profit spending the bulk of its resources on its important mission.
- Collection: Limit individual data collection to what you need for your specific purpose with the knowledge or consent of the individual.
- Data Quality: Only use the data you collect for the purpose for which you collect it and make sure you keep it accurate and up to date.
- Purpose: Make sure you specify “why” (the purpose) you are collecting an individual’s data when you collect it.
- Use Limitation: Only use the data you collect for the purpose for which you collected it. Don’t share it or use it for other purposes without first getting an individual’s consent or making sure it’s within the rules of your jurisdiction’s laws and regulation.
- Security: Be sure to apply best practices to secure the data you collect to protect it against breach, unauthorized access, etc.
- Openness: As an organization, you should always be clear about what data you’re collecting and why. In addition, you should provide information on how individuals can contact you with questions about data your organization may have.
- Individual Rights: Many regulations recognize individuals’ rights in their data and attach requirements for organizations to honor those rights. Individuals should be able to find out whether an organization has data about them and receive that data in a reasonable form and within a reasonable timeline. Individual rights generally include the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, and the right to object to processing of their data.
- Accountability: Data controllers should comply with regulations that encompass these principles.
If you review how you collect and process data with these principles in mind, you will have a better picture of your current operations and where you may need to make changes.
Understanding what data you have and collect is essential to ensure you’re taking the right steps to protect it, especially for small businesses and non-profit organizations. Your relationships with your customers and donors are incredibly personal and they trust you with their information.
We hope that this primer helps you take those first steps to make sure you’re handling the personal information of your customers in a sustainable, secure way.
More questions? See our FAQs!