We live in the age of big data, and NGOs are no exception. Our smartphones, apps, and even machines generate massive amounts of information. As a multinational NGO you probably use this data to your advantage. But we should not forget that data is about people, and that brings responsibilities, both ethical and legal. The European privacy law GDPR will be effective from April 2018.

A Brief History of the GDPR

Before 1995, we were living in a world without social media and cloud storage. Only about 1% of the European population had access to the Internet. The privacy rules written for that world no longer fit, so European citizens' privacy rights had to be updated. After four years of preparation and debate, the General Data Protection Regulation (GDPR) was approved by the European Parliament. It superseded the 1995 Data Protection Directive. The GDPR will go into effect in May 2018.

What Is the GDPR?

The GDPR aims to protect all EU citizens from privacy and data breaches in an increasingly data-driven world. Its goal is to give Europeans more control over their own private information.

The GDPR focuses on:

- Reinforcing individuals' rights
- Strengthening the European internal market
- Ensuring stronger enforcement of the rules
- Streamlining international transfers of personal data
- Setting global data protection standards

These changes give people control over their personal data and make it easier for them to access it. They are designed to make sure that personal information is protected no matter where it is sent, processed or stored, even outside the European Union, as is commonly the case on the Internet. This applies to international NGOs as well.

Is Donor Data Personal Data?

You may not be sure whether the GDPR applies to you. Chances are, it does! The GDPR's definition of personal data is very broad: any information relating to an identified or identifiable person. A person is considered identifiable if he can be directly or indirectly identified.
So every donation you receive connects to the GDPR. Examples of identifiers are a name, an identification number, a person's location data, or an IP address. Moreover, a person is also identifiable if one or more facts are gathered that are characteristic of his physical, physiological, genetic, mental, economic, cultural, or social identity.

In fact, it does not take much at all for data to be considered personal data. Unintended or deliberate combinations of items of non-identifiable data may make the combined data identifiable.

The rules and obligations of the GDPR apply as soon as data begins being processed. The GDPR defines processing as performing any action or set of actions on data, automated or otherwise. Examples include recording, structuring, or even destroying data. In other words, whenever you handle personal data, the GDPR applies.

GDPR Rule Enforcement

Whether you are an NGO or not, you are obligated to demonstrate your compliance in a number of ways. You must prove that staff have undergone proper training. Organizations also need to remember that personal data is not only about customers but also about employees. Anyone who anonymizes data is still bound by the law, because they have access to the data in the first place.

Data processors have until May 25, 2018 to switch to a data processing method that complies with all the GDPR requirements and standards. After that date, organizations will be held responsible for any violations and can face severe penalties.

There Is Some Good News

Complying with the rules has benefits. Getting donations from people in European countries will be less expensive and complicated, as all countries have the same rules. This harmonization is expected to save organizations a lot of money.
New donors will be attracted to organizations known for respecting privacy.

6 GDPR Principles

The principles of the GDPR are focused on the privacy rights of every individual when it comes to collecting and processing their data:

- Lawfulness, Fairness, and Transparency: personal data needs to be processed in a way that is lawful, fair and transparent to the data subject.
- Purpose Limitation: you can only use data for the objectives you have explicitly described and justified.
- Data Minimization: the information collected must be relevant to its purpose and limited to what is necessary.
- Truth and Accuracy: if the data is inaccurate, it should be removed or rectified.
- Storage Limitation: data is kept no longer than is necessary.
- Integrity and Confidentiality: you must ensure all personal data is protected.

6 Privacy Rights

The number of rights assigned to individuals has been extended under the GDPR. These include the right:

- to be informed when personal data relating to oneself is gathered;
- of inspection;
- to obtain the erasure of personal data (the right to be forgotten);
- to restriction of processing;
- to have one's data transferred to other data processors;
- not to be subject to a decision based solely on automated processing, including profiling.

Any breach of these rights qualifies for sanctions. It is therefore essential to set up procedures for complying with these principles and rights, and you must be able to demonstrate those procedures.

The Right to Be Forgotten

The previously mentioned 'right to be forgotten' needs some clarification. When an individual no longer wants his data to be processed, and provided that there are no legitimate grounds for retaining it, the data will be deleted.

It should be clear that this is about protecting the privacy of the individual, not about erasing past events or restricting freedom of the press. Freedom of expression, as well as historical and scientific research, are safeguarded.
For example, no politician will be able to delete their remarks from the World Wide Web, and news websites can continue operating as they have before.

International NGOs: These GDPR Rules Apply

International NGOs need to take notice. Personal data may only be transferred to a third country if an adequate level of protection is ensured. Third countries should be governed according to the rule of law, and respect human rights and fundamental freedoms. Moreover, transfers are subject to appropriate safeguards.

The GDPR also brings some new obligations to controllers. The regulation describes a controller as 'a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means for the processing of personal data'. Controllers are obliged to keep a record of the following:

- The name and contact details of the controller and of the data protection officer appointed by the controller, as well as the processor, if applicable.
- The processing objectives.
- A description of the categories of personal data.
- The categories of recipients to whom personal data has been or will be supplied, including recipients that are international organizations or located in third countries.
- The third country or international organization to which the controller transferred personal data, and the documents concerning the appropriate safeguards in place.
- The envisaged periods of time within which the different categories of personal data must be deleted.
- A general description of the technical and organizational security measures.

Controllers are not the only ones obliged to keep these records. People who support controllers' tasks, such as IT professionals, must comply too.

What GDPR Means for Your NGO

There are plenty of challenges ahead. We advise you to draw up a sound strategic plan. Produce a proper inventory in advance of the tasks to be completed and the time needed to implement the plan.
Identify in-house people who can assist with parts of the work, and produce a realistic and pragmatic project plan.

All personnel dealing with customer data will need to be aware of their responsibility in safeguarding its privacy and security. Specifically, Privacy Officers, Compliance Officers, Security Officers and Business Continuity Managers will need to understand and put the GDPR requirements into practice.

Does Your NGO Need a Data Protection Officer?

According to the GDPR, you are not obliged to appoint such an officer. It is an independent position. All in all, it may be more practical to train your own people in GDPR-relevant skills.

Contact us

Do you want to know more about humanitarian travel, risk management or related topics? We offer support for your entire humanitarian travel. Thanks to our global organizational structure, there is always an office nearby. Consult our quick address locator to contact any of our offices should you have any questions.