At Akvo, we help organisations in the international development sector capture, understand and share data in order to improve decision making. In a bid to become more effective and evidence-driven, governments and the international development sector often collect more data on people than is actually required to solve a problem.
In the excitement of trying to do good through big data, it can often be forgotten that we are still dealing with real people. Not numbers or strings or objects – natural persons. Their data can be emailed around, left on laptop hard disks, copied to phones or USB sticks, or retained indefinitely in unsecured backups. A data breach in the international development sector can have dire consequences for the organisation involved and could also be detrimental to the individuals identified by the breach.
GDPR – the General Data Protection Regulation – is a term that’s been on the minds of many in the sector in recent months. This new EU law will replace the current Data Protection Act, and introduces new requirements for how organisations deal with personal data.
What is GDPR?
For European Union (EU) based organisations, or organisations processing EU citizens’ data, the law on protecting personal data has changed. GDPR comes into full effect on 25 May 2018 and holds organisations liable for data breaches while giving the data subject more rights to their data.
The regulation seeks to acknowledge that data is a key currency and looks to ensure there are clear rules on the use and protection of this valuable data. For the international development sector, this entails an overhaul in the way in which data is collected, processed and used. The new rights of individuals include the right to be forgotten, the right to know how, where and why their data has been processed, and the right to withdraw consent at any time. In light of this, it’s important for organisations to look ahead to GDPR and lay the foundations for compliance.
What are we doing to ensure GDPR compliance?
At Akvo, we believe that we have an ethical obligation to protect not only our team’s personal data, but also that of our partners’ teams and their beneficiaries. So what steps are we taking to ensure that we handle data more responsibly? We’ve been working on GDPR compliance for the past few months, and have set up a team in Stockholm to work on laying the foundations for May. Right now, we’re completing the auditing of processes, which allows us to understand what personal data we process, where we process it, and why. Once this process has been completed, we will have a gap analysis detailing which data is high risk, which processes need to be better secured, and where we could minimise what is collected.
We’ll also create a framework to identify new areas of personal data processing, a playbook for privacy and security by design, and a privacy incident management strategy. Beyond that, we’ll be holding an Akvo team training on GDPR compliance in February to ensure that the whole of Akvo is aware that data security is not the sole responsibility of the IT department, but something that every individual in the organisation needs to think about.
Where are you on the GDPR journey?
GDPR compliance and personal data security are not always easily understood, especially by those in the international development sector whose main focus is not technology, but people. For this reason, we believe that organisations in this sector should openly share knowledge about their GDPR compliance and personal data security journey. Paraphrasing Dan Ariely, GDPR is just like teenage sex: everyone talks about it, nobody really knows how to do it, everyone thinks everyone else is doing it, so everyone claims they’re doing it. We are all just a bunch of teenagers trying to find our way.
In light of this, we have started a GDPR for non-profits Facebook group and Meetup group (based in Stockholm), in collaboration with TechSoup Sweden, to enable knowledge sharing among non-profit organisations. We’ll also be posting more about our GDPR journey in the coming months.
Lynn Greenwood is GDPR lead and product manager at Akvo. You can follow her on Twitter @lynngre.